Analysis
-
max time kernel
148s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
12/05/2024, 15:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
237d3c87ce43ff7f43b1e9f371e622d0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
237d3c87ce43ff7f43b1e9f371e622d0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
237d3c87ce43ff7f43b1e9f371e622d0_NeikiAnalytics.exe
-
Size
64KB
-
MD5
237d3c87ce43ff7f43b1e9f371e622d0
-
SHA1
828a51278184672857542af2d186d2d5a78392bf
-
SHA256
040814113755685caeb6aac3ee0e5fc608305c676f3b013637e8d1ce741918ea
-
SHA512
3b58b312bd0f9babf2d653678fc30c71d74ecc37789175abe2d7901f89ccb941433cbdb59988763a636a4b90482631d91398a71d9b9f8a329e6ee73e47741058
-
SSDEEP
1536:vNcBJ9Aq6MZCr8GxBcIcp5J335H02LIrDWBi:vWFAq78BBcXJH5tI2Bi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgaqgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekholjqg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkfjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cljcelan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pccfge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlkpjpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgknheej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peiljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfgaiaci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fddmgjpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bebkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdakgibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfinoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahchbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efncicpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdlblj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhkpmjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pminkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeempocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjpkihg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmkmecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbhnaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oelmai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbacbac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjpkjond.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckffgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gopkmhjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlfdkoin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flabbihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgdddmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmnhfjmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plcdgfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cciemedf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfinoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgfjbgmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddokpmfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjmodopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpjiajeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahakmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdccfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpcbqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgdbhi32.exe -
Executes dropped EXE 64 IoCs
pid Process 2756 Onphoo32.exe 2920 Odjpkihg.exe 2628 Oghlgdgk.exe 2684 Onbddoog.exe 2572 Oelmai32.exe 2480 Ogjimd32.exe 2608 Ondajnme.exe 2408 Oenifh32.exe 2748 Ofpfnqjp.exe 400 Pminkk32.exe 1656 Pccfge32.exe 1564 Pjmodopf.exe 3056 Pmlkpjpj.exe 2064 Paggai32.exe 1740 Ppjglfon.exe 484 Pbiciana.exe 2992 Pfdpip32.exe 1240 Pjpkjond.exe 1792 Pmnhfjmg.exe 2936 Plahag32.exe 940 Pbkpna32.exe 3012 Peiljl32.exe 1044 Pmqdkj32.exe 560 Plcdgfbo.exe 572 Pnbacbac.exe 2672 Pbmmcq32.exe 2592 Pigeqkai.exe 2616 Plfamfpm.exe 2184 Ppamme32.exe 2444 Qlhnbf32.exe 2856 Qbbfopeg.exe 888 Qeqbkkej.exe 2524 Qdccfh32.exe 2344 Qljkhe32.exe 1932 Qnigda32.exe 276 Qmlgonbe.exe 2068 Qecoqk32.exe 1924 Ahakmf32.exe 1080 Afdlhchf.exe 1864 Ankdiqih.exe 2792 Amndem32.exe 828 Aajpelhl.exe 748 Adhlaggp.exe 1380 Ahchbf32.exe 2268 Ajbdna32.exe 552 Aiedjneg.exe 1128 Ampqjm32.exe 2872 Apomfh32.exe 2244 Adjigg32.exe 2440 Afiecb32.exe 2456 Ajdadamj.exe 2228 Ambmpmln.exe 2484 Alenki32.exe 2852 Apajlhka.exe 2740 Admemg32.exe 2040 Abpfhcje.exe 2044 Aenbdoii.exe 2700 Apcfahio.exe 1652 Aljgfioc.exe 2796 Bpfcgg32.exe 2316 Bebkpn32.exe 1092 Bokphdld.exe 1804 Bbflib32.exe 476 Baildokg.exe -
Loads dropped DLL 64 IoCs
pid Process 2096 237d3c87ce43ff7f43b1e9f371e622d0_NeikiAnalytics.exe 2096 237d3c87ce43ff7f43b1e9f371e622d0_NeikiAnalytics.exe 2756 Onphoo32.exe 2756 Onphoo32.exe 2920 Odjpkihg.exe 2920 Odjpkihg.exe 2628 Oghlgdgk.exe 2628 Oghlgdgk.exe 2684 Onbddoog.exe 2684 Onbddoog.exe 2572 Oelmai32.exe 2572 Oelmai32.exe 2480 Ogjimd32.exe 2480 Ogjimd32.exe 2608 Ondajnme.exe 2608 Ondajnme.exe 2408 Oenifh32.exe 2408 Oenifh32.exe 2748 Ofpfnqjp.exe 2748 Ofpfnqjp.exe 400 Pminkk32.exe 400 Pminkk32.exe 1656 Pccfge32.exe 1656 Pccfge32.exe 1564 Pjmodopf.exe 1564 Pjmodopf.exe 3056 Pmlkpjpj.exe 3056 Pmlkpjpj.exe 2064 Paggai32.exe 2064 Paggai32.exe 1740 Ppjglfon.exe 1740 Ppjglfon.exe 484 Pbiciana.exe 484 Pbiciana.exe 2992 Pfdpip32.exe 2992 Pfdpip32.exe 1240 Pjpkjond.exe 1240 Pjpkjond.exe 1792 Pmnhfjmg.exe 1792 Pmnhfjmg.exe 2936 Plahag32.exe 2936 Plahag32.exe 940 Pbkpna32.exe 940 Pbkpna32.exe 3012 Peiljl32.exe 3012 Peiljl32.exe 1044 Pmqdkj32.exe 1044 Pmqdkj32.exe 560 Plcdgfbo.exe 560 Plcdgfbo.exe 572 Pnbacbac.exe 572 Pnbacbac.exe 2672 Pbmmcq32.exe 2672 Pbmmcq32.exe 2592 Pigeqkai.exe 2592 Pigeqkai.exe 2616 Plfamfpm.exe 2616 Plfamfpm.exe 2184 Ppamme32.exe 2184 Ppamme32.exe 2444 Qlhnbf32.exe 2444 Qlhnbf32.exe 2856 Qbbfopeg.exe 2856 Qbbfopeg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Alenki32.exe Ambmpmln.exe File opened for modification C:\Windows\SysWOW64\Bommnc32.exe Bloqah32.exe File opened for modification C:\Windows\SysWOW64\Bnefdp32.exe Bjijdadm.exe File created C:\Windows\SysWOW64\Dgmglh32.exe Ddokpmfo.exe File opened for modification C:\Windows\SysWOW64\Eijcpoac.exe Eflgccbp.exe File opened for modification C:\Windows\SysWOW64\Gopkmhjk.exe Ghfbqn32.exe File created C:\Windows\SysWOW64\Pjmodopf.exe Pccfge32.exe File created C:\Windows\SysWOW64\Pmnhfjmg.exe Pjpkjond.exe File opened for modification C:\Windows\SysWOW64\Gangic32.exe Gopkmhjk.exe File created C:\Windows\SysWOW64\Ghmiam32.exe Geolea32.exe File created C:\Windows\SysWOW64\Imhjppim.dll Cgpgce32.exe File created C:\Windows\SysWOW64\Oadqjk32.dll Dhmcfkme.exe File opened for modification C:\Windows\SysWOW64\Epaogi32.exe Emcbkn32.exe File created C:\Windows\SysWOW64\Emhlfmgj.exe Eilpeooq.exe File created C:\Windows\SysWOW64\Lkoabpeg.dll Gangic32.exe File created C:\Windows\SysWOW64\Pbiciana.exe Ppjglfon.exe File created C:\Windows\SysWOW64\Cdcfgc32.dll Ampqjm32.exe File created C:\Windows\SysWOW64\Ahakmf32.exe Qecoqk32.exe File opened for modification C:\Windows\SysWOW64\Fiaeoang.exe Ffbicfoc.exe File opened for modification C:\Windows\SysWOW64\Gonnhhln.exe Fiaeoang.exe File opened for modification C:\Windows\SysWOW64\Gphmeo32.exe Gaemjbcg.exe File opened for modification C:\Windows\SysWOW64\Hkkalk32.exe Hhmepp32.exe File opened for modification C:\Windows\SysWOW64\Ofpfnqjp.exe Oenifh32.exe File created C:\Windows\SysWOW64\Moealbej.dll Qljkhe32.exe File opened for modification C:\Windows\SysWOW64\Idceea32.exe Iaeiieeb.exe File opened for modification C:\Windows\SysWOW64\Bdjefj32.exe Balijo32.exe File created C:\Windows\SysWOW64\Eilpeooq.exe Efncicpm.exe File created C:\Windows\SysWOW64\Ooahdmkl.dll Bnefdp32.exe File created C:\Windows\SysWOW64\Ckffgg32.exe Cdlnkmha.exe File created C:\Windows\SysWOW64\Dcfdgiid.exe Dnilobkm.exe File opened for modification C:\Windows\SysWOW64\Flabbihl.exe Fckjalhj.exe File opened for modification C:\Windows\SysWOW64\Oelmai32.exe Onbddoog.exe File opened for modification C:\Windows\SysWOW64\Pccfge32.exe Pminkk32.exe File opened for modification C:\Windows\SysWOW64\Qbbfopeg.exe Qlhnbf32.exe File created C:\Windows\SysWOW64\Fabnbook.dll Alenki32.exe File opened for modification C:\Windows\SysWOW64\Bdhhqk32.exe Baildokg.exe File created C:\Windows\SysWOW64\Hpenlb32.dll Ckffgg32.exe File opened for modification C:\Windows\SysWOW64\Dqelenlc.exe Dodonf32.exe File created C:\Windows\SysWOW64\Dqlafm32.exe Dnneja32.exe File created C:\Windows\SysWOW64\Oelmai32.exe Onbddoog.exe File created C:\Windows\SysWOW64\Fmnhkk32.dll Pmlkpjpj.exe File created C:\Windows\SysWOW64\Cgqjffca.dll Eflgccbp.exe File created C:\Windows\SysWOW64\Hcnpbi32.exe Hpocfncj.exe File opened for modification C:\Windows\SysWOW64\Cjlgiqbk.exe Ckignd32.exe File opened for modification C:\Windows\SysWOW64\Ghoegl32.exe Gphmeo32.exe File opened for modification C:\Windows\SysWOW64\Hogmmjfo.exe Hkkalk32.exe File created C:\Windows\SysWOW64\Gfegkapd.dll Plahag32.exe File created C:\Windows\SysWOW64\Ajdadamj.exe Afiecb32.exe File created C:\Windows\SysWOW64\Bdjefj32.exe Balijo32.exe File opened for modification C:\Windows\SysWOW64\Cfinoq32.exe Cckace32.exe File created C:\Windows\SysWOW64\Djnpnc32.exe Dhmcfkme.exe File created C:\Windows\SysWOW64\Aljgfioc.exe Apcfahio.exe File created C:\Windows\SysWOW64\Bommnc32.exe Bloqah32.exe File created C:\Windows\SysWOW64\Bokphdld.exe Bebkpn32.exe File created C:\Windows\SysWOW64\Bghabf32.exe Bdjefj32.exe File created C:\Windows\SysWOW64\Bkdmcdoe.exe Bghabf32.exe File created C:\Windows\SysWOW64\Ikeogmlj.dll Bghabf32.exe File opened for modification C:\Windows\SysWOW64\Cdakgibq.exe Cpeofk32.exe File created C:\Windows\SysWOW64\Omeope32.dll Cdlnkmha.exe File created C:\Windows\SysWOW64\Njdfjjia.dll Oelmai32.exe File opened for modification C:\Windows\SysWOW64\Apcfahio.exe Aenbdoii.exe File created C:\Windows\SysWOW64\Hkkalk32.exe Hhmepp32.exe File created C:\Windows\SysWOW64\Lnnhje32.dll Gonnhhln.exe File created C:\Windows\SysWOW64\Fndldonj.dll Gobgcg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4048 4024 WerFault.exe 235 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aenbdoii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bommnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhkqaj.dll" Bkdmcdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpicol32.dll" Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll" Ffpmnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkgkbipp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbiciana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpefbknb.dll" Bpcbqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chemfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgmglh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffpmnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chcqpmep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gobgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll" Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofpfnqjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accikb32.dll" Bcaomf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpmgqnfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jadhjcfk.dll" Plfamfpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgmglh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhmcfkme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elmigj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eloemi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilknfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppamme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmqgncdn.dll" Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiiegafd.dll" Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmloladn.dll" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gopkmhjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 237d3c87ce43ff7f43b1e9f371e622d0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfegkapd.dll" Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andkhh32.dll" Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll" Hmlnoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahakmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeced32.dll" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmnhkk32.dll" Pmlkpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lilchoah.dll" Bloqah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqlckoi.dll" Cnippoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnippoha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogjimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abpfhcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpfcgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cljcelan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnoillim.dll" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpfcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll" Fnbkddem.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2096 wrote to memory of 2756 2096 237d3c87ce43ff7f43b1e9f371e622d0_NeikiAnalytics.exe 28 PID 2096 wrote to memory of 2756 2096 237d3c87ce43ff7f43b1e9f371e622d0_NeikiAnalytics.exe 28 PID 2096 wrote to memory of 2756 2096 237d3c87ce43ff7f43b1e9f371e622d0_NeikiAnalytics.exe 28 PID 2096 wrote to memory of 2756 2096 237d3c87ce43ff7f43b1e9f371e622d0_NeikiAnalytics.exe 28 PID 2756 wrote to memory of 2920 2756 Onphoo32.exe 29 PID 2756 wrote to memory of 2920 2756 Onphoo32.exe 29 PID 2756 wrote to memory of 2920 2756 Onphoo32.exe 29 PID 2756 wrote to memory of 2920 2756 Onphoo32.exe 29 PID 2920 wrote to memory of 2628 2920 Odjpkihg.exe 30 PID 2920 wrote to memory of 2628 2920 Odjpkihg.exe 30 PID 2920 wrote to memory of 2628 2920 Odjpkihg.exe 30 PID 2920 wrote to memory of 2628 2920 Odjpkihg.exe 30 PID 2628 wrote to memory of 2684 2628 Oghlgdgk.exe 31 PID 2628 wrote to memory of 2684 2628 Oghlgdgk.exe 31 PID 2628 wrote to memory of 2684 2628 Oghlgdgk.exe 31 PID 2628 wrote to memory of 2684 2628 Oghlgdgk.exe 31 PID 2684 wrote to memory of 2572 2684 Onbddoog.exe 32 PID 2684 wrote to memory of 2572 2684 Onbddoog.exe 32 PID 2684 wrote to memory of 2572 2684 Onbddoog.exe 32 PID 2684 wrote to memory of 2572 2684 Onbddoog.exe 32 PID 2572 wrote to memory of 2480 2572 Oelmai32.exe 33 PID 2572 wrote to memory of 2480 2572 Oelmai32.exe 33 PID 2572 wrote to memory of 2480 2572 Oelmai32.exe 33 PID 2572 wrote to memory of 2480 2572 Oelmai32.exe 33 PID 2480 wrote to memory of 2608 2480 Ogjimd32.exe 34 PID 2480 wrote to memory of 2608 2480 Ogjimd32.exe 34 PID 2480 wrote to memory of 2608 2480 Ogjimd32.exe 34 PID 2480 wrote to memory of 2608 2480 Ogjimd32.exe 34 PID 2608 wrote to memory of 2408 2608 Ondajnme.exe 35 PID 2608 wrote to memory of 2408 2608 Ondajnme.exe 35 PID 2608 wrote to memory of 2408 2608 Ondajnme.exe 35 PID 2608 wrote to memory of 2408 2608 Ondajnme.exe 35 PID 2408 wrote to memory of 2748 2408 Oenifh32.exe 36 PID 2408 wrote to memory of 2748 2408 Oenifh32.exe 36 PID 2408 wrote to memory of 2748 2408 Oenifh32.exe 36 PID 2408 wrote to memory of 2748 2408 Oenifh32.exe 36 PID 2748 wrote to memory of 400 2748 Ofpfnqjp.exe 37 PID 2748 wrote to memory of 400 2748 Ofpfnqjp.exe 37 PID 2748 wrote to memory of 400 2748 Ofpfnqjp.exe 37 PID 2748 wrote to memory of 400 2748 Ofpfnqjp.exe 37 PID 400 wrote to memory of 1656 400 Pminkk32.exe 38 PID 400 wrote to memory of 1656 400 Pminkk32.exe 38 PID 400 wrote to memory of 1656 400 Pminkk32.exe 38 PID 400 wrote to memory of 1656 400 Pminkk32.exe 38 PID 1656 wrote to memory of 1564 1656 Pccfge32.exe 39 PID 1656 wrote to memory of 1564 1656 Pccfge32.exe 39 PID 1656 wrote to memory of 1564 1656 Pccfge32.exe 39 PID 1656 wrote to memory of 1564 1656 Pccfge32.exe 39 PID 1564 wrote to memory of 3056 1564 Pjmodopf.exe 40 PID 1564 wrote to memory of 3056 1564 Pjmodopf.exe 40 PID 1564 wrote to memory of 3056 1564 Pjmodopf.exe 40 PID 1564 wrote to memory of 3056 1564 Pjmodopf.exe 40 PID 3056 wrote to memory of 2064 3056 Pmlkpjpj.exe 41 PID 3056 wrote to memory of 2064 3056 Pmlkpjpj.exe 41 PID 3056 wrote to memory of 2064 3056 Pmlkpjpj.exe 41 PID 3056 wrote to memory of 2064 3056 Pmlkpjpj.exe 41 PID 2064 wrote to memory of 1740 2064 Paggai32.exe 42 PID 2064 wrote to memory of 1740 2064 Paggai32.exe 42 PID 2064 wrote to memory of 1740 2064 Paggai32.exe 42 PID 2064 wrote to memory of 1740 2064 Paggai32.exe 42 PID 1740 wrote to memory of 484 1740 Ppjglfon.exe 43 PID 1740 wrote to memory of 484 1740 Ppjglfon.exe 43 PID 1740 wrote to memory of 484 1740 Ppjglfon.exe 43 PID 1740 wrote to memory of 484 1740 Ppjglfon.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\237d3c87ce43ff7f43b1e9f371e622d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\237d3c87ce43ff7f43b1e9f371e622d0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:484 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:560 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe33⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe36⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe40⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe42⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe43⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe44⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe46⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1128 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe49⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe50⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe55⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe56⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe60⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe64⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:476 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe66⤵
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe67⤵PID:1028
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe69⤵
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe70⤵PID:3020
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe71⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe72⤵
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe73⤵
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe74⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe75⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe76⤵PID:1568
-
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe77⤵PID:2208
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1632 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe79⤵PID:2556
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1636 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1840 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe82⤵
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe83⤵
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe84⤵PID:2844
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe86⤵PID:2356
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe89⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe90⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe92⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1232 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe94⤵PID:2736
-
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe95⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2196 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe97⤵
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe98⤵PID:1144
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe99⤵
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe101⤵PID:2968
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2380 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1800 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1308 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe105⤵
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1984 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe107⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2848 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1432 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe111⤵PID:2784
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe112⤵PID:2492
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe114⤵
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe115⤵
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe116⤵PID:2832
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe118⤵
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe119⤵
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-