Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
10/05/2024, 01:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3ba12695b51bee9665348748bb1911d0_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3ba12695b51bee9665348748bb1911d0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3ba12695b51bee9665348748bb1911d0_NeikiAnalytics.exe
-
Size
59KB
-
MD5
3ba12695b51bee9665348748bb1911d0
-
SHA1
6aaded0ae7e89e02ccb251e5fd403ef53a861ef1
-
SHA256
322ef4e96297df35ef848db82031246e80825f824d4b74a793ef93e8ba375556
-
SHA512
c3a38ce20ffd9869fffe7227ad744a2162fb8c6da0841e2db70d17ad9416a2539e182e7c244b63251a234176babd56d301ee97efd83eddf0b17ad7ef77d7dff5
-
SSDEEP
768:NkwgDKwxLDvZjgpdv0LzbW+vwn+FnDrX6rxwhZeTvVGMZ/1H5hs5nf1fZMEBFELE:GmuLLZQvyOG8+RruxvxJT4NCyVso
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njiijlbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leonofpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaobdjof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjgbcoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nofabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fblaii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpegmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlgldibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoakolod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmiipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adnopfoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqimgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Infdolgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmoipopd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqlafm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfeog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfkke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpeekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nohnhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idfbkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgbggnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndkmpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lihmjejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naajoinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eihfjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keoapb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiccofna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmhjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lipjejgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doehqead.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbbcpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apomfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amkpegnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpknlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inngcfid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbpnanch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgpgce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbokmqie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppoqge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdpanhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmfbogcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fififc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmlgonbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceodnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmgpkfab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Penfelgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkkmdn32.exe -
Executes dropped EXE 64 IoCs
pid Process 2784 Eabbkbea.exe 2500 Ejjfdhlb.exe 2476 Emhbpcke.exe 2656 Ecbkmn32.exe 2464 Ejlcjhjo.exe 2472 Eafkfb32.exe 2288 Ecehbm32.exe 2528 Ejopog32.exe 1756 Emmlkc32.exe 304 Eplhgn32.exe 2120 Efeqdhnq.exe 2740 Eidmqdmd.exe 2044 Elbimplh.exe 2748 Fdianmmj.exe 2184 Fblaii32.exe 1748 Fififc32.exe 740 Focbnj32.exe 908 Ffjjoh32.exe 1764 Fiifkc32.exe 692 Fhlfgppj.exe 1668 Fpbohmpl.exe 2188 Fadkpe32.exe 1596 Fikcacgl.exe 1628 Fliomnfp.exe 1872 Fklpik32.exe 624 Febcfd32.exe 1636 Flllcndm.exe 2952 Fmmhjf32.exe 2508 Fdgqgqah.exe 2228 Ggemclpl.exe 2652 Gomedi32.exe 2348 Gmoepfhi.exe 2368 Gakaqd32.exe 544 Gkceijfb.exe 2592 Giffeg32.exe 2612 Gmabeeef.exe 1968 Gcojnmdn.exe 1912 Ggjfnk32.exe 2132 Gmdoke32.exe 2104 Glgofbjn.exe 2040 Gdnghpkq.exe 2140 Gglcdkjd.exe 1932 Geocph32.exe 684 Gliklahk.exe 1424 Gpegmq32.exe 2712 Gccdil32.exe 1252 Ggopijha.exe 2980 Gimlefge.exe 1548 Gllhaa32.exe 1480 Gpgdbpob.exe 600 Gojdnm32.exe 328 Hahqjh32.exe 1532 Hedmkgmi.exe 2460 Hjpike32.exe 2504 Hhbigblm.exe 2964 Hlnega32.exe 2468 Hkqecnkq.exe 2100 Holacm32.exe 2884 Hchmdklc.exe 852 Hefipfkg.exe 2600 Hefipfkg.exe 2180 Hheelbjj.exe 2260 Hlpamq32.exe 2328 Hkcbhn32.exe -
Loads dropped DLL 64 IoCs
pid Process 2908 3ba12695b51bee9665348748bb1911d0_NeikiAnalytics.exe 2908 3ba12695b51bee9665348748bb1911d0_NeikiAnalytics.exe 2784 Eabbkbea.exe 2784 Eabbkbea.exe 2500 Ejjfdhlb.exe 2500 Ejjfdhlb.exe 2476 Emhbpcke.exe 2476 Emhbpcke.exe 2656 Ecbkmn32.exe 2656 Ecbkmn32.exe 2464 Ejlcjhjo.exe 2464 Ejlcjhjo.exe 2472 Eafkfb32.exe 2472 Eafkfb32.exe 2288 Ecehbm32.exe 2288 Ecehbm32.exe 2528 Ejopog32.exe 2528 Ejopog32.exe 1756 Emmlkc32.exe 1756 Emmlkc32.exe 304 Eplhgn32.exe 304 Eplhgn32.exe 2120 Efeqdhnq.exe 2120 Efeqdhnq.exe 2740 Eidmqdmd.exe 2740 Eidmqdmd.exe 2044 Elbimplh.exe 2044 Elbimplh.exe 2748 Fdianmmj.exe 2748 Fdianmmj.exe 2184 Fblaii32.exe 2184 Fblaii32.exe 1748 Fififc32.exe 1748 Fififc32.exe 740 Focbnj32.exe 740 Focbnj32.exe 908 Ffjjoh32.exe 908 Ffjjoh32.exe 1764 Fiifkc32.exe 1764 Fiifkc32.exe 692 Fhlfgppj.exe 692 Fhlfgppj.exe 1668 Fpbohmpl.exe 1668 Fpbohmpl.exe 2188 Fadkpe32.exe 2188 Fadkpe32.exe 1596 Fikcacgl.exe 1596 Fikcacgl.exe 1628 Fliomnfp.exe 1628 Fliomnfp.exe 1872 Fklpik32.exe 1872 Fklpik32.exe 624 Febcfd32.exe 624 Febcfd32.exe 1636 Flllcndm.exe 1636 Flllcndm.exe 2952 Fmmhjf32.exe 2952 Fmmhjf32.exe 2508 Fdgqgqah.exe 2508 Fdgqgqah.exe 2228 Ggemclpl.exe 2228 Ggemclpl.exe 2652 Gomedi32.exe 2652 Gomedi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Iffeoj32.exe Igcecmfg.exe File created C:\Windows\SysWOW64\Glfhll32.exe Ghkllmoi.exe File created C:\Windows\SysWOW64\Hjacko32.dll Kiccofna.exe File created C:\Windows\SysWOW64\Clilkfnb.exe Cdbdjhmp.exe File created C:\Windows\SysWOW64\Fadkpe32.exe Fpbohmpl.exe File opened for modification C:\Windows\SysWOW64\Gdnghpkq.exe Glgofbjn.exe File created C:\Windows\SysWOW64\Anpajc32.dll Gimlefge.exe File opened for modification C:\Windows\SysWOW64\Jegble32.exe Jakfkfpc.exe File opened for modification C:\Windows\SysWOW64\Llnofpcg.exe Lhbcfa32.exe File created C:\Windows\SysWOW64\Pbpjiphi.exe Pndniaop.exe File created C:\Windows\SysWOW64\Febhomkh.dll Gkihhhnm.exe File created C:\Windows\SysWOW64\Aagancdj.dll Llfifq32.exe File opened for modification C:\Windows\SysWOW64\Llkbap32.exe Limfed32.exe File created C:\Windows\SysWOW64\Fififc32.exe Fblaii32.exe File created C:\Windows\SysWOW64\Dmgdhd32.dll Khcnad32.exe File created C:\Windows\SysWOW64\Cdjgej32.dll Piehkkcl.exe File created C:\Windows\SysWOW64\Dfffnn32.exe Dnoomqbg.exe File created C:\Windows\SysWOW64\Gpgdbpob.exe Gllhaa32.exe File created C:\Windows\SysWOW64\Lbfahp32.exe Lpgele32.exe File opened for modification C:\Windows\SysWOW64\Fdoclk32.exe Faagpp32.exe File created C:\Windows\SysWOW64\Hlakpp32.exe Hicodd32.exe File created C:\Windows\SysWOW64\Jddnncch.dll Meccii32.exe File created C:\Windows\SysWOW64\Fanjadqp.dll Qpgpkcpp.exe File created C:\Windows\SysWOW64\Eeoliecf.dll Jbjochdi.exe File created C:\Windows\SysWOW64\Llkbap32.exe Limfed32.exe File created C:\Windows\SysWOW64\Okjnpflh.dll Gmoepfhi.exe File created C:\Windows\SysWOW64\Aodnnc32.dll Mekdekin.exe File opened for modification C:\Windows\SysWOW64\Boiccdnf.exe Aljgfioc.exe File created C:\Windows\SysWOW64\Gopkmhjk.exe Ghfbqn32.exe File created C:\Windows\SysWOW64\Geolea32.exe Gacpdbej.exe File created C:\Windows\SysWOW64\Gogangdc.exe Gkkemh32.exe File created C:\Windows\SysWOW64\Gmoepfhi.exe Gomedi32.exe File created C:\Windows\SysWOW64\Mjccnjpk.dll Aplpai32.exe File opened for modification C:\Windows\SysWOW64\Hmlnoc32.exe Hknach32.exe File opened for modification C:\Windows\SysWOW64\Iqopea32.exe Iblpjdpk.exe File opened for modification C:\Windows\SysWOW64\Efeqdhnq.exe Eplhgn32.exe File created C:\Windows\SysWOW64\Pogjpc32.dll Kmjfdejp.exe File created C:\Windows\SysWOW64\Lckdanld.exe Lldlqakb.exe File created C:\Windows\SysWOW64\Pkpagq32.exe Pciifc32.exe File created C:\Windows\SysWOW64\Alpmfdcb.exe Ahdaee32.exe File created C:\Windows\SysWOW64\Cnkajfop.dll Hcifgjgc.exe File created C:\Windows\SysWOW64\Gbaoqk32.dll Iqopea32.exe File created C:\Windows\SysWOW64\Geofbffe.dll Kahojc32.exe File opened for modification C:\Windows\SysWOW64\Nocnbmoo.exe Nglfapnl.exe File opened for modification C:\Windows\SysWOW64\Onmdoioa.exe Ofelmloo.exe File created C:\Windows\SysWOW64\Bdeeqehb.exe Bpiipf32.exe File created C:\Windows\SysWOW64\Inkaippf.dll Ofhick32.exe File created C:\Windows\SysWOW64\Dkqbaecc.exe Dhbfdjdp.exe File opened for modification C:\Windows\SysWOW64\Djnpnc32.exe Dkkpbgli.exe File created C:\Windows\SysWOW64\Ljenlcfa.dll Eihfjo32.exe File created C:\Windows\SysWOW64\Mcfidhng.dll Dglpbbbg.exe File opened for modification C:\Windows\SysWOW64\Fpbohmpl.exe Fhlfgppj.exe File created C:\Windows\SysWOW64\Ddbkoipg.dll Ofpfnqjp.exe File opened for modification C:\Windows\SysWOW64\Pminkk32.exe Ongnonkb.exe File opened for modification C:\Windows\SysWOW64\Cgmkmecg.exe Baqbenep.exe File opened for modification C:\Windows\SysWOW64\Ckignd32.exe Cgmkmecg.exe File created C:\Windows\SysWOW64\Abqjpn32.dll Jcgogk32.exe File created C:\Windows\SysWOW64\Iqimgc32.exe Imnafd32.exe File created C:\Windows\SysWOW64\Gdcbnc32.dll Ogmfbd32.exe File opened for modification C:\Windows\SysWOW64\Qljkhe32.exe Qhooggdn.exe File opened for modification C:\Windows\SysWOW64\Hknach32.exe Hgbebiao.exe File opened for modification C:\Windows\SysWOW64\Lflmci32.exe Lbqabkql.exe File opened for modification C:\Windows\SysWOW64\Qbcpbo32.exe Qcpofbjl.exe File created C:\Windows\SysWOW64\Bbnhbg32.dll Ndmjedoi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9140 9116 WerFault.exe 878 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Menakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onphoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pminkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eidmqdmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bplpldoa.dll" Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbehoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhokkp32.dll" Ccahbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlpamq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll" Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll" Hiekid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihdkao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhhognbb.dll" Lflmci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogblbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jilhldfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illjbiak.dll" Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpnbkeld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dialipcb.dll" Piblek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miikgeea.dll" Ngnbgplj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgbhabjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alqkcl32.dll" Njgldmdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhhcgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcpgjj.dll" Cphlljge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahdaee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll" Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcfkhh32.dll" Onphoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okalbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbpjiphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfqqcc32.dll" Lmgmjjdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhkpmjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmceigep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbkkjih.dll" Mimbdhhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nejeco32.dll" Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kllmmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakeiib.dll" Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcmiimi.dll" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll" Hlcgeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkijmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anccmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icemmopa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkkemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll" Hcnpbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikddbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgqcmlgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkidgdji.dll" Fdianmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll" Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfahhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpiajnca.dll" Gmdoke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlgigdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghiae32.dll" Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnia32.dll" Ejobhppq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgfgdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngnbgplj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2908 wrote to memory of 2784 2908 3ba12695b51bee9665348748bb1911d0_NeikiAnalytics.exe 28 PID 2908 wrote to memory of 2784 2908 3ba12695b51bee9665348748bb1911d0_NeikiAnalytics.exe 28 PID 2908 wrote to memory of 2784 2908 3ba12695b51bee9665348748bb1911d0_NeikiAnalytics.exe 28 PID 2908 wrote to memory of 2784 2908 3ba12695b51bee9665348748bb1911d0_NeikiAnalytics.exe 28 PID 2784 wrote to memory of 2500 2784 Eabbkbea.exe 29 PID 2784 wrote to memory of 2500 2784 Eabbkbea.exe 29 PID 2784 wrote to memory of 2500 2784 Eabbkbea.exe 29 PID 2784 wrote to memory of 2500 2784 Eabbkbea.exe 29 PID 2500 wrote to memory of 2476 2500 Ejjfdhlb.exe 30 PID 2500 wrote to memory of 2476 2500 Ejjfdhlb.exe 30 PID 2500 wrote to memory of 2476 2500 Ejjfdhlb.exe 30 PID 2500 wrote to memory of 2476 2500 Ejjfdhlb.exe 30 PID 2476 wrote to memory of 2656 2476 Emhbpcke.exe 31 PID 2476 wrote to memory of 2656 2476 Emhbpcke.exe 31 PID 2476 wrote to memory of 2656 2476 Emhbpcke.exe 31 PID 2476 wrote to memory of 2656 2476 Emhbpcke.exe 31 PID 2656 wrote to memory of 2464 2656 Ecbkmn32.exe 32 PID 2656 wrote to memory of 2464 2656 Ecbkmn32.exe 32 PID 2656 wrote to memory of 2464 2656 Ecbkmn32.exe 32 PID 2656 wrote to memory of 2464 2656 Ecbkmn32.exe 32 PID 2464 wrote to memory of 2472 2464 Ejlcjhjo.exe 33 PID 2464 wrote to memory of 2472 2464 Ejlcjhjo.exe 33 PID 2464 wrote to memory of 2472 2464 Ejlcjhjo.exe 33 PID 2464 wrote to memory of 2472 2464 Ejlcjhjo.exe 33 PID 2472 wrote to memory of 2288 2472 Eafkfb32.exe 34 PID 2472 wrote to memory of 2288 2472 Eafkfb32.exe 34 PID 2472 wrote to memory of 2288 2472 Eafkfb32.exe 34 PID 2472 wrote to memory of 2288 2472 Eafkfb32.exe 34 PID 2288 wrote to memory of 2528 2288 Ecehbm32.exe 35 PID 2288 wrote to memory of 2528 2288 Ecehbm32.exe 35 PID 2288 wrote to memory of 2528 2288 Ecehbm32.exe 35 PID 2288 wrote to memory of 2528 2288 Ecehbm32.exe 35 PID 2528 wrote to memory of 1756 2528 Ejopog32.exe 36 PID 2528 wrote to memory of 1756 2528 Ejopog32.exe 36 PID 2528 wrote to memory of 1756 2528 Ejopog32.exe 36 PID 2528 wrote to memory of 1756 2528 Ejopog32.exe 36 PID 1756 wrote to memory of 304 1756 Emmlkc32.exe 37 PID 1756 wrote to memory of 304 1756 Emmlkc32.exe 37 PID 1756 wrote to memory of 304 1756 Emmlkc32.exe 37 PID 1756 wrote to memory of 304 1756 Emmlkc32.exe 37 PID 304 wrote to memory of 2120 304 Eplhgn32.exe 38 PID 304 wrote to memory of 2120 304 Eplhgn32.exe 38 PID 304 wrote to memory of 2120 304 Eplhgn32.exe 38 PID 304 wrote to memory of 2120 304 Eplhgn32.exe 38 PID 2120 wrote to memory of 2740 2120 Efeqdhnq.exe 39 PID 2120 wrote to memory of 2740 2120 Efeqdhnq.exe 39 PID 2120 wrote to memory of 2740 2120 Efeqdhnq.exe 39 PID 2120 wrote to memory of 2740 2120 Efeqdhnq.exe 39 PID 2740 wrote to memory of 2044 2740 Eidmqdmd.exe 40 PID 2740 wrote to memory of 2044 2740 Eidmqdmd.exe 40 PID 2740 wrote to memory of 2044 2740 Eidmqdmd.exe 40 PID 2740 wrote to memory of 2044 2740 Eidmqdmd.exe 40 PID 2044 wrote to memory of 2748 2044 Elbimplh.exe 41 PID 2044 wrote to memory of 2748 2044 Elbimplh.exe 41 PID 2044 wrote to memory of 2748 2044 Elbimplh.exe 41 PID 2044 wrote to memory of 2748 2044 Elbimplh.exe 41 PID 2748 wrote to memory of 2184 2748 Fdianmmj.exe 42 PID 2748 wrote to memory of 2184 2748 Fdianmmj.exe 42 PID 2748 wrote to memory of 2184 2748 Fdianmmj.exe 42 PID 2748 wrote to memory of 2184 2748 Fdianmmj.exe 42 PID 2184 wrote to memory of 1748 2184 Fblaii32.exe 43 PID 2184 wrote to memory of 1748 2184 Fblaii32.exe 43 PID 2184 wrote to memory of 1748 2184 Fblaii32.exe 43 PID 2184 wrote to memory of 1748 2184 Fblaii32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ba12695b51bee9665348748bb1911d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3ba12695b51bee9665348748bb1911d0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Eabbkbea.exeC:\Windows\system32\Eabbkbea.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Ejjfdhlb.exeC:\Windows\system32\Ejjfdhlb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Emhbpcke.exeC:\Windows\system32\Emhbpcke.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Ecbkmn32.exeC:\Windows\system32\Ecbkmn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Ejlcjhjo.exeC:\Windows\system32\Ejlcjhjo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Eafkfb32.exeC:\Windows\system32\Eafkfb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Ecehbm32.exeC:\Windows\system32\Ecehbm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Ejopog32.exeC:\Windows\system32\Ejopog32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Emmlkc32.exeC:\Windows\system32\Emmlkc32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Eplhgn32.exeC:\Windows\system32\Eplhgn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:304 -
C:\Windows\SysWOW64\Efeqdhnq.exeC:\Windows\system32\Efeqdhnq.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Eidmqdmd.exeC:\Windows\system32\Eidmqdmd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Elbimplh.exeC:\Windows\system32\Elbimplh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Fdianmmj.exeC:\Windows\system32\Fdianmmj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Fblaii32.exeC:\Windows\system32\Fblaii32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Fififc32.exeC:\Windows\system32\Fififc32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Focbnj32.exeC:\Windows\system32\Focbnj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:740 -
C:\Windows\SysWOW64\Ffjjoh32.exeC:\Windows\system32\Ffjjoh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Fiifkc32.exeC:\Windows\system32\Fiifkc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Fhlfgppj.exeC:\Windows\system32\Fhlfgppj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Fpbohmpl.exeC:\Windows\system32\Fpbohmpl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Fadkpe32.exeC:\Windows\system32\Fadkpe32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Fikcacgl.exeC:\Windows\system32\Fikcacgl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Fliomnfp.exeC:\Windows\system32\Fliomnfp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Fklpik32.exeC:\Windows\system32\Fklpik32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Febcfd32.exeC:\Windows\system32\Febcfd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:624 -
C:\Windows\SysWOW64\Flllcndm.exeC:\Windows\system32\Flllcndm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Fmmhjf32.exeC:\Windows\system32\Fmmhjf32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Fdgqgqah.exeC:\Windows\system32\Fdgqgqah.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Ggemclpl.exeC:\Windows\system32\Ggemclpl.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Gomedi32.exeC:\Windows\system32\Gomedi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Gmoepfhi.exeC:\Windows\system32\Gmoepfhi.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Gakaqd32.exeC:\Windows\system32\Gakaqd32.exe34⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Gkceijfb.exeC:\Windows\system32\Gkceijfb.exe35⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Giffeg32.exeC:\Windows\system32\Giffeg32.exe36⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Gmabeeef.exeC:\Windows\system32\Gmabeeef.exe37⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Gcojnmdn.exeC:\Windows\system32\Gcojnmdn.exe38⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Ggjfnk32.exeC:\Windows\system32\Ggjfnk32.exe39⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Gmdoke32.exeC:\Windows\system32\Gmdoke32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Glgofbjn.exeC:\Windows\system32\Glgofbjn.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Gdnghpkq.exeC:\Windows\system32\Gdnghpkq.exe42⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Gglcdkjd.exeC:\Windows\system32\Gglcdkjd.exe43⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Geocph32.exeC:\Windows\system32\Geocph32.exe44⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Gliklahk.exeC:\Windows\system32\Gliklahk.exe45⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Gpegmq32.exeC:\Windows\system32\Gpegmq32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Gccdil32.exeC:\Windows\system32\Gccdil32.exe47⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Ggopijha.exeC:\Windows\system32\Ggopijha.exe48⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Gimlefge.exeC:\Windows\system32\Gimlefge.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Gllhaa32.exeC:\Windows\system32\Gllhaa32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Gpgdbpob.exeC:\Windows\system32\Gpgdbpob.exe51⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Gojdnm32.exeC:\Windows\system32\Gojdnm32.exe52⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Hahqjh32.exeC:\Windows\system32\Hahqjh32.exe53⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Hedmkgmi.exeC:\Windows\system32\Hedmkgmi.exe54⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Hjpike32.exeC:\Windows\system32\Hjpike32.exe55⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Hhbigblm.exeC:\Windows\system32\Hhbigblm.exe56⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Hlnega32.exeC:\Windows\system32\Hlnega32.exe57⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Hkqecnkq.exeC:\Windows\system32\Hkqecnkq.exe58⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Holacm32.exeC:\Windows\system32\Holacm32.exe59⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Hchmdklc.exeC:\Windows\system32\Hchmdklc.exe60⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Hefipfkg.exeC:\Windows\system32\Hefipfkg.exe61⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Hefipfkg.exeC:\Windows\system32\Hefipfkg.exe62⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Hheelbjj.exeC:\Windows\system32\Hheelbjj.exe63⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Hlpamq32.exeC:\Windows\system32\Hlpamq32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Hkcbhn32.exeC:\Windows\system32\Hkcbhn32.exe65⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Hoonilag.exeC:\Windows\system32\Hoonilag.exe66⤵PID:292
-
C:\Windows\SysWOW64\Hamjehqk.exeC:\Windows\system32\Hamjehqk.exe67⤵PID:2004
-
C:\Windows\SysWOW64\Hdkfacpo.exeC:\Windows\system32\Hdkfacpo.exe68⤵PID:2012
-
C:\Windows\SysWOW64\Hgjbmoob.exeC:\Windows\system32\Hgjbmoob.exe69⤵PID:1680
-
C:\Windows\SysWOW64\Hoakolod.exeC:\Windows\system32\Hoakolod.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Hdncgbnl.exeC:\Windows\system32\Hdncgbnl.exe71⤵PID:1064
-
C:\Windows\SysWOW64\Hglocnmp.exeC:\Windows\system32\Hglocnmp.exe72⤵PID:1812
-
C:\Windows\SysWOW64\Hjkkojlc.exeC:\Windows\system32\Hjkkojlc.exe73⤵PID:2444
-
C:\Windows\SysWOW64\Hnfgphdl.exeC:\Windows\system32\Hnfgphdl.exe74⤵PID:2276
-
C:\Windows\SysWOW64\Hbbcpg32.exeC:\Windows\system32\Hbbcpg32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756 -
C:\Windows\SysWOW64\Hqddldcp.exeC:\Windows\system32\Hqddldcp.exe76⤵PID:2436
-
C:\Windows\SysWOW64\Hdpplb32.exeC:\Windows\system32\Hdpplb32.exe77⤵PID:2412
-
C:\Windows\SysWOW64\Hgolhn32.exeC:\Windows\system32\Hgolhn32.exe78⤵PID:2700
-
C:\Windows\SysWOW64\Hkjhimcf.exeC:\Windows\system32\Hkjhimcf.exe79⤵PID:2340
-
C:\Windows\SysWOW64\Hjmhdi32.exeC:\Windows\system32\Hjmhdi32.exe80⤵PID:2588
-
C:\Windows\SysWOW64\Imkdqe32.exeC:\Windows\system32\Imkdqe32.exe81⤵PID:496
-
C:\Windows\SysWOW64\Iqgqacam.exeC:\Windows\system32\Iqgqacam.exe82⤵PID:1204
-
C:\Windows\SysWOW64\Icemmopa.exeC:\Windows\system32\Icemmopa.exe83⤵
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Igainn32.exeC:\Windows\system32\Igainn32.exe84⤵PID:1808
-
C:\Windows\SysWOW64\Ifdiijpe.exeC:\Windows\system32\Ifdiijpe.exe85⤵PID:1080
-
C:\Windows\SysWOW64\Inkakhpg.exeC:\Windows\system32\Inkakhpg.exe86⤵PID:2556
-
C:\Windows\SysWOW64\Imnafd32.exeC:\Windows\system32\Imnafd32.exe87⤵
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Iqimgc32.exeC:\Windows\system32\Iqimgc32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1688 -
C:\Windows\SysWOW64\Iolmbpfe.exeC:\Windows\system32\Iolmbpfe.exe89⤵PID:412
-
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe90⤵PID:2496
-
C:\Windows\SysWOW64\Igcecmfg.exeC:\Windows\system32\Igcecmfg.exe91⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Iffeoj32.exeC:\Windows\system32\Iffeoj32.exe92⤵PID:2564
-
C:\Windows\SysWOW64\Iidbke32.exeC:\Windows\system32\Iidbke32.exe93⤵PID:2196
-
C:\Windows\SysWOW64\Impnldeo.exeC:\Windows\system32\Impnldeo.exe94⤵PID:2604
-
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe95⤵PID:1544
-
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe96⤵PID:1236
-
C:\Windows\SysWOW64\Ibmfdkcf.exeC:\Windows\system32\Ibmfdkcf.exe97⤵PID:2676
-
C:\Windows\SysWOW64\Ifhbdj32.exeC:\Windows\system32\Ifhbdj32.exe98⤵PID:2744
-
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe99⤵PID:2764
-
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe100⤵PID:2272
-
C:\Windows\SysWOW64\Ioagno32.exeC:\Windows\system32\Ioagno32.exe101⤵PID:1148
-
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe102⤵PID:1092
-
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe103⤵PID:1224
-
C:\Windows\SysWOW64\Ienoff32.exeC:\Windows\system32\Ienoff32.exe104⤵PID:932
-
C:\Windows\SysWOW64\Ikggbpgd.exeC:\Windows\system32\Ikggbpgd.exe105⤵PID:2684
-
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe106⤵PID:2968
-
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:956 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe108⤵PID:2488
-
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe109⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe110⤵PID:1776
-
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe111⤵PID:1364
-
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe112⤵PID:2236
-
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe113⤵PID:1440
-
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe114⤵PID:2820
-
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe115⤵PID:2208
-
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe116⤵PID:2316
-
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe117⤵PID:2912
-
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe118⤵PID:2400
-
C:\Windows\SysWOW64\Jkonco32.exeC:\Windows\system32\Jkonco32.exe119⤵PID:2380
-
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe120⤵
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe121⤵PID:2192
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-