Analysis
-
max time kernel
146s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15/05/2024, 17:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0b2a302cb53046c519e5d4dece308ce0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0b2a302cb53046c519e5d4dece308ce0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0b2a302cb53046c519e5d4dece308ce0_NeikiAnalytics.exe
-
Size
136KB
-
MD5
0b2a302cb53046c519e5d4dece308ce0
-
SHA1
bb1ce3f39fd8e8aa92e9e70468154413f875a9f2
-
SHA256
5e0f48c325b167ef0746be68f877ae57edcb5a7a58aa65553dae523b6e81de9d
-
SHA512
62f57acb0dfacc01bec913c2ca7692b65ac62c777361e5bbcaab2e8b856f1bfb31bffd49fba47272f94f7e134ac2a4b3a4132759c023bd89b7b43c949881db8d
-
SSDEEP
3072:jTFIGuyW1zm9HsohLwdNbw+Y92xQuohLwdNbw5bxH0zVWccA:jTFIGuyAzKHsohxd2Quohdbd0zscj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlkepi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piblek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbhmnkjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffnphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fddmgjpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghjhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfoqmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emcbkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadloj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejobhppq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aljgfioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lefdpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alegac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnbkeld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmkmdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdadamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Comimg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hobcak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjddchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfgmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeempocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhpfqama.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbfpik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpcbqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miooigfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmbnkhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgnke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbmmcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnjdhmdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhnmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enhacojl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inngcfid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggkllpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmolnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpbaebdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngnbgplj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmlgonbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfekcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cghggc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpiojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahchbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anafhopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bldcpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kblhgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlnbeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjijdadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adpkee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bekkcljk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhhadmk.exe -
Executes dropped EXE 64 IoCs
pid Process 3040 Ncancbha.exe 2620 Nhnfkigh.exe 2692 Nccjhafn.exe 2440 Odegpj32.exe 2420 Okoomd32.exe 2836 Obigjnkf.exe 1872 Oicpfh32.exe 1180 Oomhcbjp.exe 2208 Onphoo32.exe 1692 Oiellh32.exe 332 Onbddoog.exe 2200 Oelmai32.exe 2032 Okfencna.exe 3056 Ondajnme.exe 2168 Oenifh32.exe 700 Ojkboo32.exe 1592 Paejki32.exe 1760 Pphjgfqq.exe 2932 Pgobhcac.exe 1100 Pipopl32.exe 1976 Paggai32.exe 1708 Pfdpip32.exe 2884 Piblek32.exe 972 Plahag32.exe 1980 Pchpbded.exe 1440 Pfflopdh.exe 1536 Plcdgfbo.exe 2976 Pbmmcq32.exe 2524 Phjelg32.exe 2616 Ppamme32.exe 2688 Pbpjiphi.exe 2464 Qhmbagfa.exe 1996 Qeqbkkej.exe 3024 Qhooggdn.exe 2000 Qmlgonbe.exe 328 Qagcpljo.exe 2160 Afdlhchf.exe 1516 Ankdiqih.exe 856 Ahchbf32.exe 2476 Affhncfc.exe 2508 Aalmklfi.exe 1120 Abmibdlh.exe 800 Ajdadamj.exe 2760 Ambmpmln.exe 776 Apajlhka.exe 1564 Aenbdoii.exe 1004 Aiinen32.exe 1556 Apcfahio.exe 2920 Aoffmd32.exe 960 Afmonbqk.exe 788 Aepojo32.exe 2820 Aljgfioc.exe 2660 Boiccdnf.exe 2872 Bbdocc32.exe 2588 Bhahlj32.exe 2832 Blmdlhmp.exe 2540 Bokphdld.exe 2144 Baildokg.exe 2392 Bdhhqk32.exe 1912 Bloqah32.exe 1464 Bommnc32.exe 2184 Bnpmipql.exe 2164 Begeknan.exe 2400 Bhfagipa.exe -
Loads dropped DLL 64 IoCs
pid Process 2856 0b2a302cb53046c519e5d4dece308ce0_NeikiAnalytics.exe 2856 0b2a302cb53046c519e5d4dece308ce0_NeikiAnalytics.exe 3040 Ncancbha.exe 3040 Ncancbha.exe 2620 Nhnfkigh.exe 2620 Nhnfkigh.exe 2692 Nccjhafn.exe 2692 Nccjhafn.exe 2440 Odegpj32.exe 2440 Odegpj32.exe 2420 Okoomd32.exe 2420 Okoomd32.exe 2836 Obigjnkf.exe 2836 Obigjnkf.exe 1872 Oicpfh32.exe 1872 Oicpfh32.exe 1180 Oomhcbjp.exe 1180 Oomhcbjp.exe 2208 Onphoo32.exe 2208 Onphoo32.exe 1692 Oiellh32.exe 1692 Oiellh32.exe 332 Onbddoog.exe 332 Onbddoog.exe 2200 Oelmai32.exe 2200 Oelmai32.exe 2032 Okfencna.exe 2032 Okfencna.exe 3056 Ondajnme.exe 3056 Ondajnme.exe 2168 Oenifh32.exe 2168 Oenifh32.exe 700 Ojkboo32.exe 700 Ojkboo32.exe 1592 Paejki32.exe 1592 Paejki32.exe 1760 Pphjgfqq.exe 1760 Pphjgfqq.exe 2932 Pgobhcac.exe 2932 Pgobhcac.exe 1100 Pipopl32.exe 1100 Pipopl32.exe 1976 Paggai32.exe 1976 Paggai32.exe 1708 Pfdpip32.exe 1708 Pfdpip32.exe 2884 Piblek32.exe 2884 Piblek32.exe 972 Plahag32.exe 972 Plahag32.exe 1980 Pchpbded.exe 1980 Pchpbded.exe 1440 Pfflopdh.exe 1440 Pfflopdh.exe 1536 Plcdgfbo.exe 1536 Plcdgfbo.exe 2976 Pbmmcq32.exe 2976 Pbmmcq32.exe 2524 Phjelg32.exe 2524 Phjelg32.exe 2616 Ppamme32.exe 2616 Ppamme32.exe 2688 Pbpjiphi.exe 2688 Pbpjiphi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ncjqhmkm.exe Nondgn32.exe File created C:\Windows\SysWOW64\Bkommo32.exe Bfcampgf.exe File created C:\Windows\SysWOW64\Bfcampgf.exe Bpiipf32.exe File created C:\Windows\SysWOW64\Dhbfdjdp.exe Ddgjdk32.exe File opened for modification C:\Windows\SysWOW64\Cphlljge.exe Cnippoha.exe File created C:\Windows\SysWOW64\Ddpkof32.dll Piphee32.exe File created C:\Windows\SysWOW64\Pcnbablo.exe Papfegmk.exe File created C:\Windows\SysWOW64\Bldcpf32.exe Bhigphio.exe File opened for modification C:\Windows\SysWOW64\Lflmci32.exe Lbqabkql.exe File created C:\Windows\SysWOW64\Oqideepg.exe Olmhdf32.exe File created C:\Windows\SysWOW64\Oimpgolj.dll Pnajilng.exe File created C:\Windows\SysWOW64\Cpkbdiqb.exe Cnmehnan.exe File created C:\Windows\SysWOW64\Mledlaqd.dll Dbkknojp.exe File opened for modification C:\Windows\SysWOW64\Oqideepg.exe Olmhdf32.exe File opened for modification C:\Windows\SysWOW64\Alegac32.exe Ahikqd32.exe File created C:\Windows\SysWOW64\Nnfbei32.dll Dhbfdjdp.exe File created C:\Windows\SysWOW64\Enhacojl.exe Efaibbij.exe File opened for modification C:\Windows\SysWOW64\Ppamme32.exe Phjelg32.exe File opened for modification C:\Windows\SysWOW64\Ckffgg32.exe Chhjkl32.exe File created C:\Windows\SysWOW64\Aimkgn32.dll Ghmiam32.exe File created C:\Windows\SysWOW64\Nclpan32.dll Kaaijdgn.exe File opened for modification C:\Windows\SysWOW64\Bmpfojmp.exe Bidjnkdg.exe File opened for modification C:\Windows\SysWOW64\Aepojo32.exe Afmonbqk.exe File created C:\Windows\SysWOW64\Dchali32.exe Dqjepm32.exe File opened for modification C:\Windows\SysWOW64\Epieghdk.exe Eiomkn32.exe File opened for modification C:\Windows\SysWOW64\Chbjffad.exe Cpkbdiqb.exe File created C:\Windows\SysWOW64\Dgnijonn.dll Ilknfn32.exe File opened for modification C:\Windows\SysWOW64\Jnclnihj.exe Joplbl32.exe File created C:\Windows\SysWOW64\Acjobj32.dll Lhbcfa32.exe File opened for modification C:\Windows\SysWOW64\Ooeggp32.exe Omfkke32.exe File created C:\Windows\SysWOW64\Bhigphio.exe Bekkcljk.exe File created C:\Windows\SysWOW64\Dpbheh32.exe Cdlgpgef.exe File created C:\Windows\SysWOW64\Kqgmkdbj.dll Kiccofna.exe File opened for modification C:\Windows\SysWOW64\Hicodd32.exe Hgdbhi32.exe File opened for modification C:\Windows\SysWOW64\Hkkalk32.exe Hlhaqogk.exe File created C:\Windows\SysWOW64\Loclnq32.dll Jkpgfn32.exe File created C:\Windows\SysWOW64\Ffnphf32.exe Fhkpmjln.exe File created C:\Windows\SysWOW64\Fioija32.exe Ffpmnf32.exe File opened for modification C:\Windows\SysWOW64\Ndbcpd32.exe Nacgdhlp.exe File created C:\Windows\SysWOW64\Blleofcd.dll Lecgje32.exe File created C:\Windows\SysWOW64\Plahag32.exe Piblek32.exe File opened for modification C:\Windows\SysWOW64\Oklkmnbp.exe Nceclqan.exe File created C:\Windows\SysWOW64\Nmlnnp32.dll Olmhdf32.exe File created C:\Windows\SysWOW64\Egahmk32.dll Ooeggp32.exe File created C:\Windows\SysWOW64\Clnlnhop.dll Epieghdk.exe File created C:\Windows\SysWOW64\Egafleqm.exe Eojnkg32.exe File opened for modification C:\Windows\SysWOW64\Kcfkfo32.exe Kpkofpgq.exe File created C:\Windows\SysWOW64\Eakjok32.dll Nhnfkigh.exe File opened for modification C:\Windows\SysWOW64\Begeknan.exe Bnpmipql.exe File created C:\Windows\SysWOW64\Hnagjbdf.exe Hejoiedd.exe File created C:\Windows\SysWOW64\Kkijmm32.exe Kcbakpdo.exe File created C:\Windows\SysWOW64\Cjfccn32.exe Cghggc32.exe File opened for modification C:\Windows\SysWOW64\Ncjqhmkm.exe Nondgn32.exe File created C:\Windows\SysWOW64\Oghmhi32.dll Nehmdhja.exe File opened for modification C:\Windows\SysWOW64\Ohfeog32.exe Ojcecjee.exe File created C:\Windows\SysWOW64\Pacebaej.dll Begeknan.exe File created C:\Windows\SysWOW64\Dqhhknjp.exe Dbehoa32.exe File created C:\Windows\SysWOW64\Nmngmj32.dll Jnclnihj.exe File created C:\Windows\SysWOW64\Lnmfog32.dll Mamddf32.exe File created C:\Windows\SysWOW64\Mbpnanch.exe Mdmmfa32.exe File opened for modification C:\Windows\SysWOW64\Doehqead.exe Dpbheh32.exe File created C:\Windows\SysWOW64\Eqpgol32.exe Dookgcij.exe File created C:\Windows\SysWOW64\Minceo32.dll Lahkigca.exe File created C:\Windows\SysWOW64\Ceodnl32.exe Cadhnmnm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5216 5160 WerFault.exe 548 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghiae32.dll" Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeonk32.dll" Cdakgibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fddmgjpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofjfhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfoocjfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lliflp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" Hlhaqogk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daoiajfm.dll" Lflmci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geolea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfflopdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bleago32.dll" Iggkllpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll" Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loolpo32.dll" Mbpnanch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcbom32.dll" 0b2a302cb53046c519e5d4dece308ce0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll" Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqphdm32.dll" Kemejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qeqbkkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqpjbf32.dll" Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjhbal.dll" Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjnfniii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckggkg32.dll" Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpcjge.dll" Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cndbcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdgnh32.dll" Lmolnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pggbla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhbfdjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpghahi.dll" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaceodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdchio32.dll" Mpbaebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqlafm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpmnhglp.dll" Bghjhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgoboqcm.dll" Oklkmnbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bocolb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceodnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khknah32.dll" Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oicpfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpdbloof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkphdmd.dll" Edkcojga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdidec32.dll" Cnmehnan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" Hnojdcfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kblhgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpnbkeld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pphjgfqq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfijnd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2856 wrote to memory of 3040 2856 0b2a302cb53046c519e5d4dece308ce0_NeikiAnalytics.exe 28 PID 2856 wrote to memory of 3040 2856 0b2a302cb53046c519e5d4dece308ce0_NeikiAnalytics.exe 28 PID 2856 wrote to memory of 3040 2856 0b2a302cb53046c519e5d4dece308ce0_NeikiAnalytics.exe 28 PID 2856 wrote to memory of 3040 2856 0b2a302cb53046c519e5d4dece308ce0_NeikiAnalytics.exe 28 PID 3040 wrote to memory of 2620 3040 Ncancbha.exe 29 PID 3040 wrote to memory of 2620 3040 Ncancbha.exe 29 PID 3040 wrote to memory of 2620 3040 Ncancbha.exe 29 PID 3040 wrote to memory of 2620 3040 Ncancbha.exe 29 PID 2620 wrote to memory of 2692 2620 Nhnfkigh.exe 30 PID 2620 wrote to memory of 2692 2620 Nhnfkigh.exe 30 PID 2620 wrote to memory of 2692 2620 Nhnfkigh.exe 30 PID 2620 wrote to memory of 2692 2620 Nhnfkigh.exe 30 PID 2692 wrote to memory of 2440 2692 Nccjhafn.exe 31 PID 2692 wrote to memory of 2440 2692 Nccjhafn.exe 31 PID 2692 wrote to memory of 2440 2692 Nccjhafn.exe 31 PID 2692 wrote to memory of 2440 2692 Nccjhafn.exe 31 PID 2440 wrote to memory of 2420 2440 Odegpj32.exe 32 PID 2440 wrote to memory of 2420 2440 Odegpj32.exe 32 PID 2440 wrote to memory of 2420 2440 Odegpj32.exe 32 PID 2440 wrote to memory of 2420 2440 Odegpj32.exe 32 PID 2420 wrote to memory of 2836 2420 Okoomd32.exe 33 PID 2420 wrote to memory of 2836 2420 Okoomd32.exe 33 PID 2420 wrote to memory of 2836 2420 Okoomd32.exe 33 PID 2420 wrote to memory of 2836 2420 Okoomd32.exe 33 PID 2836 wrote to memory of 1872 2836 Obigjnkf.exe 34 PID 2836 wrote to memory of 1872 2836 Obigjnkf.exe 34 PID 2836 wrote to memory of 1872 2836 Obigjnkf.exe 34 PID 2836 wrote to memory of 1872 2836 Obigjnkf.exe 34 PID 1872 wrote to memory of 1180 1872 Oicpfh32.exe 35 PID 1872 wrote to memory of 1180 1872 Oicpfh32.exe 35 PID 1872 wrote to memory of 1180 1872 Oicpfh32.exe 35 PID 1872 wrote to memory of 1180 1872 Oicpfh32.exe 35 PID 1180 wrote to memory of 2208 1180 Oomhcbjp.exe 36 PID 1180 wrote to memory of 2208 1180 Oomhcbjp.exe 36 PID 1180 wrote to memory of 2208 1180 Oomhcbjp.exe 36 PID 1180 wrote to memory of 2208 1180 Oomhcbjp.exe 36 PID 2208 wrote to memory of 1692 2208 Onphoo32.exe 37 PID 2208 wrote to memory of 1692 2208 Onphoo32.exe 37 PID 2208 wrote to memory of 1692 2208 Onphoo32.exe 37 PID 2208 wrote to memory of 1692 2208 Onphoo32.exe 37 PID 1692 wrote to memory of 332 1692 Oiellh32.exe 38 PID 1692 wrote to memory of 332 1692 Oiellh32.exe 38 PID 1692 wrote to memory of 332 1692 Oiellh32.exe 38 PID 1692 wrote to memory of 332 1692 Oiellh32.exe 38 PID 332 wrote to memory of 2200 332 Onbddoog.exe 39 PID 332 wrote to memory of 2200 332 Onbddoog.exe 39 PID 332 wrote to memory of 2200 332 Onbddoog.exe 39 PID 332 wrote to memory of 2200 332 Onbddoog.exe 39 PID 2200 wrote to memory of 2032 2200 Oelmai32.exe 40 PID 2200 wrote to memory of 2032 2200 Oelmai32.exe 40 PID 2200 wrote to memory of 2032 2200 Oelmai32.exe 40 PID 2200 wrote to memory of 2032 2200 Oelmai32.exe 40 PID 2032 wrote to memory of 3056 2032 Okfencna.exe 41 PID 2032 wrote to memory of 3056 2032 Okfencna.exe 41 PID 2032 wrote to memory of 3056 2032 Okfencna.exe 41 PID 2032 wrote to memory of 3056 2032 Okfencna.exe 41 PID 3056 wrote to memory of 2168 3056 Ondajnme.exe 42 PID 3056 wrote to memory of 2168 3056 Ondajnme.exe 42 PID 3056 wrote to memory of 2168 3056 Ondajnme.exe 42 PID 3056 wrote to memory of 2168 3056 Ondajnme.exe 42 PID 2168 wrote to memory of 700 2168 Oenifh32.exe 43 PID 2168 wrote to memory of 700 2168 Oenifh32.exe 43 PID 2168 wrote to memory of 700 2168 Oenifh32.exe 43 PID 2168 wrote to memory of 700 2168 Oenifh32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b2a302cb53046c519e5d4dece308ce0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0b2a302cb53046c519e5d4dece308ce0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:700 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe33⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe38⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe39⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe41⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe42⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe43⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe45⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe46⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe47⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe48⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe49⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe50⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe52⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe54⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe55⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe56⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe57⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe59⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe60⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe61⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe62⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe65⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe66⤵PID:1856
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe67⤵PID:2120
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe68⤵PID:1488
-
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe69⤵PID:808
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe70⤵PID:3004
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe72⤵
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2036 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe74⤵
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe75⤵PID:2444
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe76⤵PID:2496
-
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe77⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe78⤵PID:1552
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe79⤵
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe80⤵
- Drops file in System32 directory
PID:1212 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe81⤵PID:2028
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe82⤵PID:2720
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe83⤵PID:3000
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe84⤵PID:2904
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2992 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1284 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe87⤵PID:1680
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe88⤵PID:2728
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe89⤵PID:2676
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe90⤵PID:2536
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe91⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe92⤵PID:1768
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe93⤵
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe94⤵
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe95⤵PID:2404
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe96⤵PID:2040
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe97⤵PID:3048
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe99⤵PID:1048
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe100⤵PID:2916
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe101⤵
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe102⤵PID:948
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe103⤵PID:1508
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe104⤵PID:2564
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe105⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe106⤵
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe107⤵PID:3028
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1376 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe109⤵PID:1572
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe110⤵PID:1056
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe111⤵
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe112⤵PID:1700
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe113⤵
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe114⤵PID:992
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe115⤵PID:1908
-
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:716 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe117⤵PID:2852
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe118⤵PID:2652
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe119⤵PID:1972
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe120⤵PID:2492
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe121⤵PID:1660
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-