Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
15/05/2024, 14:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d67756ae7117814c62015ed79b79f840_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
d67756ae7117814c62015ed79b79f840_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
d67756ae7117814c62015ed79b79f840_NeikiAnalytics.exe
-
Size
96KB
-
MD5
d67756ae7117814c62015ed79b79f840
-
SHA1
45cc7eb520f59748f6158bdb43d69357017a7610
-
SHA256
a6f3dd283916d164d66f2f58f76d9cdc95c7289cba05da965da6fb6668e72fd1
-
SHA512
3eb74c61e6678c4e4769aea458a237f33d22be185f59cb305c6895335865bd1f5c376ea0543fd2ebb7ab101d2fed67b6dbd21422fb4f1bd41f34b2894d490546
-
SSDEEP
1536:thaznYZ2dlyRgMfQceE/s1UQvyFhSb9y+UzBue9MbinV39+ChnSdFFn7Elz45zF+:wdlyiDE/U5vyFW9yNuAMbqV39ThSdn7M
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoepcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlqhoba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjbaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apomfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anafhopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlbeqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojolhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpgljfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiccofna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbqecg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimkpfeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnagjbdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcnngnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdpanhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfgpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdneebf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inljnfkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbhgojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqhpdhcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpkofpgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lecgje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbjgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejiih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjdhmdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmmfkafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpphap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okgnab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcaomf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkclhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbbfopeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inngcfid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdnao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfoqmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgioaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcenm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfcikek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqgnokip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihankokm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceclqan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmjjea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pphjgfqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdkao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbicfoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efcfga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhbcfa32.exe -
Executes dropped EXE 64 IoCs
pid Process 2064 Ojkboo32.exe 1732 Pphjgfqq.exe 2652 Pgobhcac.exe 2748 Pjmodopf.exe 3040 Paggai32.exe 2420 Pbiciana.exe 3012 Pjpkjond.exe 2768 Plahag32.exe 2980 Pchpbded.exe 2752 Peiljl32.exe 2520 Pmqdkj32.exe 1664 Ppoqge32.exe 2812 Pfiidobe.exe 1420 Pigeqkai.exe 2120 Ppamme32.exe 2612 Penfelgm.exe 544 Qhmbagfa.exe 1492 Qjknnbed.exe 1068 Qbbfopeg.exe 1560 Qeqbkkej.exe 2392 Qhooggdn.exe 1540 Qjmkcbcb.exe 1568 Qnigda32.exe 1224 Qmlgonbe.exe 1924 Adeplhib.exe 872 Afdlhchf.exe 3016 Ankdiqih.exe 3056 Amndem32.exe 2636 Ahchbf32.exe 2660 Apomfh32.exe 1712 Adjigg32.exe 2476 Ambmpmln.exe 2540 Alenki32.exe 1808 Admemg32.exe 2800 Abpfhcje.exe 2996 Amejeljk.exe 2080 Amejeljk.exe 1580 Alhjai32.exe 2408 Afmonbqk.exe 2672 Aljgfioc.exe 1524 Bpfcgg32.exe 2252 Bagpopmj.exe 1912 Bingpmnl.exe 540 Bokphdld.exe 776 Baildokg.exe 580 Bhcdaibd.exe 2976 Bkaqmeah.exe 3048 Bnpmipql.exe 568 Begeknan.exe 1100 Bdjefj32.exe 1316 Bhfagipa.exe 3020 Bghabf32.exe 2088 Bkdmcdoe.exe 2608 Bopicc32.exe 2552 Bnbjopoi.exe 2656 Bpafkknm.exe 2416 Bdlblj32.exe 3004 Bhhnli32.exe 2844 Bjijdadm.exe 1680 Baqbenep.exe 2684 Bcaomf32.exe 2764 Cgmkmecg.exe 2516 Cjlgiqbk.exe 876 Cljcelan.exe -
Loads dropped DLL 64 IoCs
pid Process 2920 d67756ae7117814c62015ed79b79f840_NeikiAnalytics.exe 2920 d67756ae7117814c62015ed79b79f840_NeikiAnalytics.exe 2064 Ojkboo32.exe 2064 Ojkboo32.exe 1732 Pphjgfqq.exe 1732 Pphjgfqq.exe 2652 Pgobhcac.exe 2652 Pgobhcac.exe 2748 Pjmodopf.exe 2748 Pjmodopf.exe 3040 Paggai32.exe 3040 Paggai32.exe 2420 Pbiciana.exe 2420 Pbiciana.exe 3012 Pjpkjond.exe 3012 Pjpkjond.exe 2768 Plahag32.exe 2768 Plahag32.exe 2980 Pchpbded.exe 2980 Pchpbded.exe 2752 Peiljl32.exe 2752 Peiljl32.exe 2520 Pmqdkj32.exe 2520 Pmqdkj32.exe 1664 Ppoqge32.exe 1664 Ppoqge32.exe 2812 Pfiidobe.exe 2812 Pfiidobe.exe 1420 Pigeqkai.exe 1420 Pigeqkai.exe 2120 Ppamme32.exe 2120 Ppamme32.exe 2612 Penfelgm.exe 2612 Penfelgm.exe 544 Qhmbagfa.exe 544 Qhmbagfa.exe 1492 Qjknnbed.exe 1492 Qjknnbed.exe 1068 Qbbfopeg.exe 1068 Qbbfopeg.exe 1560 Qeqbkkej.exe 1560 Qeqbkkej.exe 2392 Qhooggdn.exe 2392 Qhooggdn.exe 1540 Qjmkcbcb.exe 1540 Qjmkcbcb.exe 1568 Qnigda32.exe 1568 Qnigda32.exe 1224 Qmlgonbe.exe 1224 Qmlgonbe.exe 1924 Adeplhib.exe 1924 Adeplhib.exe 872 Afdlhchf.exe 872 Afdlhchf.exe 3016 Ankdiqih.exe 3016 Ankdiqih.exe 3056 Amndem32.exe 3056 Amndem32.exe 2636 Ahchbf32.exe 2636 Ahchbf32.exe 2660 Apomfh32.exe 2660 Apomfh32.exe 1712 Adjigg32.exe 1712 Adjigg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Onmddnil.dll Nefpnhlc.exe File created C:\Windows\SysWOW64\Dpajdp32.dll Ofmbnkhg.exe File created C:\Windows\SysWOW64\Gfedefbi.dll Dgdmmgpj.exe File created C:\Windows\SysWOW64\Hknach32.exe Hgbebiao.exe File opened for modification C:\Windows\SysWOW64\Icpigm32.exe Iqalka32.exe File created C:\Windows\SysWOW64\Oikojfgk.exe Ofmbnkhg.exe File created C:\Windows\SysWOW64\Gogcek32.dll Ebmgcohn.exe File opened for modification C:\Windows\SysWOW64\Qhmbagfa.exe Penfelgm.exe File created C:\Windows\SysWOW64\Fddmgjpo.exe Fphafl32.exe File opened for modification C:\Windows\SysWOW64\Aidnohbk.exe Aehboi32.exe File created C:\Windows\SysWOW64\Jfcnngnd.exe Jbgbni32.exe File created C:\Windows\SysWOW64\Gjlegpjp.dll Ncgdbmmp.exe File created C:\Windows\SysWOW64\Leonofpp.exe Lflmci32.exe File opened for modification C:\Windows\SysWOW64\Henidd32.exe Hcplhi32.exe File created C:\Windows\SysWOW64\Anojbobe.exe Alpmfdcb.exe File created C:\Windows\SysWOW64\Emmcaafi.dll Mgnfhlin.exe File created C:\Windows\SysWOW64\Oegjkb32.dll Bfadgq32.exe File created C:\Windows\SysWOW64\Cojema32.exe Ckoilb32.exe File created C:\Windows\SysWOW64\Oecbjjic.dll Gpknlk32.exe File created C:\Windows\SysWOW64\Mcbjgn32.exe Mpdnkb32.exe File created C:\Windows\SysWOW64\Aphdelhp.dll Ejkima32.exe File created C:\Windows\SysWOW64\Cgejac32.exe Chbjffad.exe File created C:\Windows\SysWOW64\Djmicm32.exe Dfamcogo.exe File created C:\Windows\SysWOW64\Mocaac32.dll Bopicc32.exe File opened for modification C:\Windows\SysWOW64\Eqgnokip.exe Emkaol32.exe File opened for modification C:\Windows\SysWOW64\Jjjacf32.exe Ifnechbj.exe File created C:\Windows\SysWOW64\Leajdfnm.exe Lafndg32.exe File created C:\Windows\SysWOW64\Dqehhb32.dll Mppepcfg.exe File created C:\Windows\SysWOW64\Fjhlioai.dll Bidjnkdg.exe File created C:\Windows\SysWOW64\Fileil32.dll Djklnnaj.exe File opened for modification C:\Windows\SysWOW64\Coklgg32.exe Cllpkl32.exe File opened for modification C:\Windows\SysWOW64\Fphafl32.exe Fmjejphb.exe File created C:\Windows\SysWOW64\Aadloj32.exe Amhpnkch.exe File created C:\Windows\SysWOW64\Glqllcbf.dll Hhjhkq32.exe File created C:\Windows\SysWOW64\Fjkhohik.dll Pfoocjfd.exe File opened for modification C:\Windows\SysWOW64\Jonplmcb.exe Jmocpado.exe File created C:\Windows\SysWOW64\Mijfnh32.exe Mijfnh32.exe File opened for modification C:\Windows\SysWOW64\Nkiogn32.exe Ngnbgplj.exe File created C:\Windows\SysWOW64\Ojkboo32.exe d67756ae7117814c62015ed79b79f840_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Hpapln32.exe Hhjhkq32.exe File opened for modification C:\Windows\SysWOW64\Pgplkb32.exe Pimkpfeh.exe File opened for modification C:\Windows\SysWOW64\Aekodi32.exe Aaobdjof.exe File created C:\Windows\SysWOW64\Obilnl32.dll Cklmgb32.exe File created C:\Windows\SysWOW64\Kjcidhml.dll Pchpbded.exe File created C:\Windows\SysWOW64\Naeqjnho.dll Dnlidb32.exe File created C:\Windows\SysWOW64\Mpbaebdd.exe Mmceigep.exe File created C:\Windows\SysWOW64\Heldepab.dll Ofjfhk32.exe File created C:\Windows\SysWOW64\Ongbcmlc.dll Fjgoce32.exe File created C:\Windows\SysWOW64\Fbgmbg32.exe Fddmgjpo.exe File created C:\Windows\SysWOW64\Ljdjcj32.dll Jnemdecl.exe File created C:\Windows\SysWOW64\Oakomajq.dll Dfdjhndl.exe File opened for modification C:\Windows\SysWOW64\Ednpej32.exe Eqbddk32.exe File created C:\Windows\SysWOW64\Coklgg32.exe Cllpkl32.exe File created C:\Windows\SysWOW64\Emeopn32.exe Eijcpoac.exe File opened for modification C:\Windows\SysWOW64\Bjijdadm.exe Bhhnli32.exe File created C:\Windows\SysWOW64\Nhfipcid.exe Ndkmpe32.exe File created C:\Windows\SysWOW64\Lkppbl32.exe Llnofpcg.exe File opened for modification C:\Windows\SysWOW64\Dfdjhndl.exe Dcenlceh.exe File created C:\Windows\SysWOW64\Hbbhkqaj.dll Bkdmcdoe.exe File created C:\Windows\SysWOW64\Mdeced32.dll Dkkpbgli.exe File created C:\Windows\SysWOW64\Kjnifgah.dll Hnagjbdf.exe File created C:\Windows\SysWOW64\Idklfpon.exe Iqopea32.exe File opened for modification C:\Windows\SysWOW64\Mimbdhhb.exe Meagci32.exe File opened for modification C:\Windows\SysWOW64\Pdaoog32.exe Pfoocjfd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5184 5680 WerFault.exe 596 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkdmcdoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfjqnjkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inngcfid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adjigg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijgdngmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollfnfje.dll" Jmjjea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joifam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leonofpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lemaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Higdqfol.dll" Ppamme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpfcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll" Hlcgeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfqahgpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pigeqkai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfjnod32.dll" Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdnbg32.dll" Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfekcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pimkpfeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahikqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Echfaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhdlkdkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll" Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjbkk32.dll" Lkppbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqelenlc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idklfpon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmaled32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgeefbhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfiidobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gphmeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbjbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll" Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejmmiihp.dll" Cojema32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll" Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nncahjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhiffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmmiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okphjd32.dll" Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbolehjh.dll" Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igdogl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchafg32.dll" Dpeekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllbijej.dll" Aipddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffihah32.dll" Chhjkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icmlam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Limfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfdjhndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnpanefm.dll" Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnmfog32.dll" Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpdnkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohfeog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhijl32.dll" Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkafj32.dll" Cadhnmnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cciemedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpfdalii.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2920 wrote to memory of 2064 2920 d67756ae7117814c62015ed79b79f840_NeikiAnalytics.exe 28 PID 2920 wrote to memory of 2064 2920 d67756ae7117814c62015ed79b79f840_NeikiAnalytics.exe 28 PID 2920 wrote to memory of 2064 2920 d67756ae7117814c62015ed79b79f840_NeikiAnalytics.exe 28 PID 2920 wrote to memory of 2064 2920 d67756ae7117814c62015ed79b79f840_NeikiAnalytics.exe 28 PID 2064 wrote to memory of 1732 2064 Ojkboo32.exe 29 PID 2064 wrote to memory of 1732 2064 Ojkboo32.exe 29 PID 2064 wrote to memory of 1732 2064 Ojkboo32.exe 29 PID 2064 wrote to memory of 1732 2064 Ojkboo32.exe 29 PID 1732 wrote to memory of 2652 1732 Pphjgfqq.exe 30 PID 1732 wrote to memory of 2652 1732 Pphjgfqq.exe 30 PID 1732 wrote to memory of 2652 1732 Pphjgfqq.exe 30 PID 1732 wrote to memory of 2652 1732 Pphjgfqq.exe 30 PID 2652 wrote to memory of 2748 2652 Pgobhcac.exe 31 PID 2652 wrote to memory of 2748 2652 Pgobhcac.exe 31 PID 2652 wrote to memory of 2748 2652 Pgobhcac.exe 31 PID 2652 wrote to memory of 2748 2652 Pgobhcac.exe 31 PID 2748 wrote to memory of 3040 2748 Pjmodopf.exe 32 PID 2748 wrote to memory of 3040 2748 Pjmodopf.exe 32 PID 2748 wrote to memory of 3040 2748 Pjmodopf.exe 32 PID 2748 wrote to memory of 3040 2748 Pjmodopf.exe 32 PID 3040 wrote to memory of 2420 3040 Paggai32.exe 33 PID 3040 wrote to memory of 2420 3040 Paggai32.exe 33 PID 3040 wrote to memory of 2420 3040 Paggai32.exe 33 PID 3040 wrote to memory of 2420 3040 Paggai32.exe 33 PID 2420 wrote to memory of 3012 2420 Pbiciana.exe 34 PID 2420 wrote to memory of 3012 2420 Pbiciana.exe 34 PID 2420 wrote to memory of 3012 2420 Pbiciana.exe 34 PID 2420 wrote to memory of 3012 2420 Pbiciana.exe 34 PID 3012 wrote to memory of 2768 3012 Pjpkjond.exe 35 PID 3012 wrote to memory of 2768 3012 Pjpkjond.exe 35 PID 3012 wrote to memory of 2768 3012 Pjpkjond.exe 35 PID 3012 wrote to memory of 2768 3012 Pjpkjond.exe 35 PID 2768 wrote to memory of 2980 2768 Plahag32.exe 36 PID 2768 wrote to memory of 2980 2768 Plahag32.exe 36 PID 2768 wrote to memory of 2980 2768 Plahag32.exe 36 PID 2768 wrote to memory of 2980 2768 Plahag32.exe 36 PID 2980 wrote to memory of 2752 2980 Pchpbded.exe 37 PID 2980 wrote to memory of 2752 2980 Pchpbded.exe 37 PID 2980 wrote to memory of 2752 2980 Pchpbded.exe 37 PID 2980 wrote to memory of 2752 2980 Pchpbded.exe 37 PID 2752 wrote to memory of 2520 2752 Peiljl32.exe 38 PID 2752 wrote to memory of 2520 2752 Peiljl32.exe 38 PID 2752 wrote to memory of 2520 2752 Peiljl32.exe 38 PID 2752 wrote to memory of 2520 2752 Peiljl32.exe 38 PID 2520 wrote to memory of 1664 2520 Pmqdkj32.exe 39 PID 2520 wrote to memory of 1664 2520 Pmqdkj32.exe 39 PID 2520 wrote to memory of 1664 2520 Pmqdkj32.exe 39 PID 2520 wrote to memory of 1664 2520 Pmqdkj32.exe 39 PID 1664 wrote to memory of 2812 1664 Ppoqge32.exe 40 PID 1664 wrote to memory of 2812 1664 Ppoqge32.exe 40 PID 1664 wrote to memory of 2812 1664 Ppoqge32.exe 40 PID 1664 wrote to memory of 2812 1664 Ppoqge32.exe 40 PID 2812 wrote to memory of 1420 2812 Pfiidobe.exe 41 PID 2812 wrote to memory of 1420 2812 Pfiidobe.exe 41 PID 2812 wrote to memory of 1420 2812 Pfiidobe.exe 41 PID 2812 wrote to memory of 1420 2812 Pfiidobe.exe 41 PID 1420 wrote to memory of 2120 1420 Pigeqkai.exe 42 PID 1420 wrote to memory of 2120 1420 Pigeqkai.exe 42 PID 1420 wrote to memory of 2120 1420 Pigeqkai.exe 42 PID 1420 wrote to memory of 2120 1420 Pigeqkai.exe 42 PID 2120 wrote to memory of 2612 2120 Ppamme32.exe 43 PID 2120 wrote to memory of 2612 2120 Ppamme32.exe 43 PID 2120 wrote to memory of 2612 2120 Ppamme32.exe 43 PID 2120 wrote to memory of 2612 2120 Ppamme32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\d67756ae7117814c62015ed79b79f840_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d67756ae7117814c62015ed79b79f840_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:544 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1068 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1224 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe33⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe34⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe35⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe36⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe37⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe38⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe39⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe40⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe41⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe43⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe44⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe45⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe46⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe47⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe48⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe49⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe50⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe51⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe52⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe53⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe56⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe57⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe58⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe61⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe63⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe64⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe65⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe66⤵PID:1320
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe67⤵
- Modifies registry class
PID:488 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe68⤵PID:1040
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe69⤵PID:1140
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe70⤵
- Drops file in System32 directory
PID:1008 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe71⤵PID:1616
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe72⤵PID:2908
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe73⤵PID:900
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe74⤵PID:2380
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2564 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe76⤵
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe77⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe78⤵PID:1424
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe79⤵PID:2836
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe80⤵PID:2480
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe81⤵PID:2668
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe82⤵PID:1252
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe83⤵
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe84⤵PID:2892
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe85⤵PID:1092
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe86⤵PID:960
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe87⤵PID:1416
-
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe88⤵PID:2500
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe89⤵PID:2720
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe90⤵
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe91⤵PID:2140
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe92⤵
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe93⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe94⤵PID:1628
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1436 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe96⤵PID:2404
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe97⤵PID:384
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe98⤵
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe99⤵PID:2192
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe100⤵PID:700
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe101⤵
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe102⤵PID:2112
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe103⤵PID:1604
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe104⤵PID:2632
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe105⤵PID:2436
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe106⤵PID:832
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe107⤵PID:2616
-
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe108⤵PID:1792
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe109⤵PID:2396
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe110⤵PID:2604
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe111⤵PID:2756
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe113⤵PID:1928
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe114⤵PID:1368
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe115⤵PID:1060
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe116⤵PID:1232
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe117⤵PID:2620
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe118⤵PID:2584
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe119⤵PID:2496
-
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe120⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe121⤵PID:1528
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-