Analysis
-
max time kernel
142s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10-05-2024 13:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e92bd6c24dc6f0015de76c3b48cf8b80_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
e92bd6c24dc6f0015de76c3b48cf8b80_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
e92bd6c24dc6f0015de76c3b48cf8b80_NeikiAnalytics.exe
-
Size
319KB
-
MD5
e92bd6c24dc6f0015de76c3b48cf8b80
-
SHA1
123bd4a6e844674419a4a6b8ce0c842c3b7e8171
-
SHA256
b103ffd86e674ded31910db7fc5ce466f5e1fc7d3ee33f9be09aada5d511ff8a
-
SHA512
b5dd0991e742d694715ed3d6393b26a8cf542e06f2b34c9b82829a0bfeb1de78719613b42b7303b2b1e632385f93cb8a7b07705c7f7f8974afa8d6ebd64ccb5b
-
SSDEEP
6144:7e6jveLOHlp4PlXj4IyqrQ///NR5fLYG3eujPQ///NR5f:SSH7YxxC/NcZ7/N
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abmbhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmhodf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abjebn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlfdkoin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibbcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bafidiio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhknm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojolhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhigphio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coelaaoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlgpgef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fehjeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omdneebf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blpjegfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igihbknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmocpado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlkdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lahkigca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkiogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jifdebic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbhnhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igihbknb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckoilb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjhknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkclhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgioaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahdaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bghjhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efncicpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaaijdgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadloj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjfccn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgbebiao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbcpbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ombapedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okikfagn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpjgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lojomkdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldidkbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhbped32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfahhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmpfojmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lldlqakb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loeebl32.exe -
Executes dropped EXE 64 IoCs
pid Process 1664 Doobajme.exe 2980 Epaogi32.exe 2636 Ecmkghcl.exe 2548 Eflgccbp.exe 2440 Ejgcdb32.exe 2412 Emeopn32.exe 2676 Epdkli32.exe 2404 Efncicpm.exe 2760 Eilpeooq.exe 2892 Ekklaj32.exe 1860 Eiomkn32.exe 1276 Elmigj32.exe 1800 Eeempocb.exe 1820 Egdilkbf.exe 324 Eloemi32.exe 2804 Fehjeo32.exe 1636 Fhffaj32.exe 636 Ffkcbgek.exe 1972 Fnbkddem.exe 3024 Faagpp32.exe 1576 Fdoclk32.exe 1872 Fjilieka.exe 1988 Fmhheqje.exe 2120 Facdeo32.exe 2948 Fdapak32.exe 2552 Ffpmnf32.exe 2944 Fioija32.exe 2380 Fphafl32.exe 2468 Globlmmj.exe 2476 Gpknlk32.exe 2312 Gfefiemq.exe 2688 Gicbeald.exe 1948 Ghfbqn32.exe 2608 Gpmjak32.exe 2472 Gbkgnfbd.exe 1992 Gangic32.exe 2648 Gieojq32.exe 1364 Gkgkbipp.exe 2212 Gelppaof.exe 2856 Ggpimica.exe 1080 Gmjaic32.exe 2728 Ghoegl32.exe 2260 Ghoegl32.exe 1300 Hgbebiao.exe 900 Hiqbndpb.exe 2052 Hmlnoc32.exe 2332 Hdfflm32.exe 1732 Hgdbhi32.exe 1108 Hicodd32.exe 2656 Hnojdcfi.exe 1768 Hpmgqnfl.exe 2164 Hdhbam32.exe 2060 Hggomh32.exe 804 Hiekid32.exe 1648 Hnagjbdf.exe 2788 Hpocfncj.exe 1952 Hcnpbi32.exe 2528 Hcnpbi32.exe 2952 Hgilchkf.exe 380 Hellne32.exe 2268 Hhjhkq32.exe 2744 Hlfdkoin.exe 288 Hodpgjha.exe 2216 Hcplhi32.exe -
Loads dropped DLL 64 IoCs
pid Process 1520 e92bd6c24dc6f0015de76c3b48cf8b80_NeikiAnalytics.exe 1520 e92bd6c24dc6f0015de76c3b48cf8b80_NeikiAnalytics.exe 1664 Doobajme.exe 1664 Doobajme.exe 2980 Epaogi32.exe 2980 Epaogi32.exe 2636 Ecmkghcl.exe 2636 Ecmkghcl.exe 2548 Eflgccbp.exe 2548 Eflgccbp.exe 2440 Ejgcdb32.exe 2440 Ejgcdb32.exe 2412 Emeopn32.exe 2412 Emeopn32.exe 2676 Epdkli32.exe 2676 Epdkli32.exe 2404 Efncicpm.exe 2404 Efncicpm.exe 2760 Eilpeooq.exe 2760 Eilpeooq.exe 2892 Ekklaj32.exe 2892 Ekklaj32.exe 1860 Eiomkn32.exe 1860 Eiomkn32.exe 1276 Elmigj32.exe 1276 Elmigj32.exe 1800 Eeempocb.exe 1800 Eeempocb.exe 1820 Egdilkbf.exe 1820 Egdilkbf.exe 324 Eloemi32.exe 324 Eloemi32.exe 2804 Fehjeo32.exe 2804 Fehjeo32.exe 1636 Fhffaj32.exe 1636 Fhffaj32.exe 636 Ffkcbgek.exe 636 Ffkcbgek.exe 1972 Fnbkddem.exe 1972 Fnbkddem.exe 3024 Faagpp32.exe 3024 Faagpp32.exe 1576 Fdoclk32.exe 1576 Fdoclk32.exe 1872 Fjilieka.exe 1872 Fjilieka.exe 1988 Fmhheqje.exe 1988 Fmhheqje.exe 2120 Facdeo32.exe 2120 Facdeo32.exe 2948 Fdapak32.exe 2948 Fdapak32.exe 2552 Ffpmnf32.exe 2552 Ffpmnf32.exe 2944 Fioija32.exe 2944 Fioija32.exe 2380 Fphafl32.exe 2380 Fphafl32.exe 2468 Globlmmj.exe 2468 Globlmmj.exe 2476 Gpknlk32.exe 2476 Gpknlk32.exe 2312 Gfefiemq.exe 2312 Gfefiemq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dliijipn.exe Dhnmij32.exe File created C:\Windows\SysWOW64\Bnpanefm.dll Kaceodek.exe File created C:\Windows\SysWOW64\Pdklej32.dll Lihmjejl.exe File opened for modification C:\Windows\SysWOW64\Mpdnkb32.exe Mlibjc32.exe File created C:\Windows\SysWOW64\Bhglodcb.dll Qcbllb32.exe File created C:\Windows\SysWOW64\Bpnbkeld.exe Blbfjg32.exe File created C:\Windows\SysWOW64\Pogclp32.exe Pklhlael.exe File created C:\Windows\SysWOW64\Illjbiak.dll Efaibbij.exe File opened for modification C:\Windows\SysWOW64\Cnobnmpl.exe Cjdfmo32.exe File opened for modification C:\Windows\SysWOW64\Ggpimica.exe Gelppaof.exe File created C:\Windows\SysWOW64\Jcdbbloa.exe Joifam32.exe File created C:\Windows\SysWOW64\Dpbnlj32.dll Jifdebic.exe File created C:\Windows\SysWOW64\Bdgafdfp.exe Bpleef32.exe File created C:\Windows\SysWOW64\Bifgdk32.exe Bekkcljk.exe File opened for modification C:\Windows\SysWOW64\Ejkima32.exe Egllae32.exe File created C:\Windows\SysWOW64\Pabakh32.dll Gkgkbipp.exe File created C:\Windows\SysWOW64\Hellne32.exe Hgilchkf.exe File opened for modification C:\Windows\SysWOW64\Kmjfdejp.exe Kngfih32.exe File created C:\Windows\SysWOW64\Gokfbfnk.dll Nejiih32.exe File opened for modification C:\Windows\SysWOW64\Bbokmqie.exe Bocolb32.exe File created C:\Windows\SysWOW64\Kgpjanje.exe Kafbec32.exe File opened for modification C:\Windows\SysWOW64\Mpbaebdd.exe Mmceigep.exe File opened for modification C:\Windows\SysWOW64\Egafleqm.exe Ecejkf32.exe File created C:\Windows\SysWOW64\Bekkcljk.exe Bghjhp32.exe File created C:\Windows\SysWOW64\Emeopn32.exe Ejgcdb32.exe File created C:\Windows\SysWOW64\Gpmjak32.exe Ghfbqn32.exe File created C:\Windows\SysWOW64\Loclnq32.dll Jmmfkafa.exe File created C:\Windows\SysWOW64\Fkeemhpn.dll Nolhan32.exe File created C:\Windows\SysWOW64\Ppbfpd32.exe Pmdjdh32.exe File created C:\Windows\SysWOW64\Pdpfph32.dll Ihoafpmp.exe File opened for modification C:\Windows\SysWOW64\Nlphkb32.exe Nialog32.exe File created C:\Windows\SysWOW64\Nehmdhja.exe Namqci32.exe File created C:\Windows\SysWOW64\Ofelmloo.exe Ogblbo32.exe File created C:\Windows\SysWOW64\Agjiphda.dll Behnnm32.exe File created C:\Windows\SysWOW64\Pmdjdh32.exe Pmdjdh32.exe File opened for modification C:\Windows\SysWOW64\Amkpegnj.exe Aipddi32.exe File opened for modification C:\Windows\SysWOW64\Bekkcljk.exe Bghjhp32.exe File opened for modification C:\Windows\SysWOW64\Mkclhl32.exe Mhdplq32.exe File created C:\Windows\SysWOW64\Mmhodf32.exe Mimbdhhb.exe File created C:\Windows\SysWOW64\Nolhan32.exe Mpigfa32.exe File created C:\Windows\SysWOW64\Kjmbgl32.dll Npfgpe32.exe File opened for modification C:\Windows\SysWOW64\Ohfeog32.exe Ofhick32.exe File opened for modification C:\Windows\SysWOW64\Moiklogi.exe Mpfkqb32.exe File created C:\Windows\SysWOW64\Bkddcl32.dll Pedleg32.exe File opened for modification C:\Windows\SysWOW64\Cnmehnan.exe Cojema32.exe File created C:\Windows\SysWOW64\Fjaonpnn.exe Effcma32.exe File created C:\Windows\SysWOW64\Aekodi32.exe Aaobdjof.exe File created C:\Windows\SysWOW64\Oegjkb32.dll Bfadgq32.exe File created C:\Windows\SysWOW64\Haloha32.dll Bifgdk32.exe File created C:\Windows\SysWOW64\Lanfmb32.dll Ekklaj32.exe File created C:\Windows\SysWOW64\Jmmfkafa.exe Jiakjb32.exe File opened for modification C:\Windows\SysWOW64\Mamddf32.exe Mmahdggc.exe File created C:\Windows\SysWOW64\Nblnkb32.dll Ofjfhk32.exe File created C:\Windows\SysWOW64\Amkpegnj.exe Aipddi32.exe File created C:\Windows\SysWOW64\Ejmmiihp.dll Cnmehnan.exe File opened for modification C:\Windows\SysWOW64\Dknekeef.exe Dhpiojfb.exe File created C:\Windows\SysWOW64\Ahoanjcc.dll Emnndlod.exe File created C:\Windows\SysWOW64\Hgilchkf.exe Hcnpbi32.exe File created C:\Windows\SysWOW64\Knhfdmdo.dll Ajjcbpdd.exe File created C:\Windows\SysWOW64\Cddaphkn.exe Ceaadk32.exe File created C:\Windows\SysWOW64\Dhbfdjdp.exe Ddgjdk32.exe File opened for modification C:\Windows\SysWOW64\Edpmjj32.exe Eqdajkkb.exe File created C:\Windows\SysWOW64\Ajejgp32.exe Albjlcao.exe File opened for modification C:\Windows\SysWOW64\Bghjhp32.exe Bblogakg.exe -
Program crash 1 IoCs
pid pid_target Process 4980 5404 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gangic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Logbhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lojomkdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mijfnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiomkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqljpedj.dll" Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkajj32.dll" Fdoclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjjndgdk.dll" Kgkafo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcijc32.dll" Kmopod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miooigfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqideepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emieil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmocpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Delpclld.dll" Mijfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbjgh32.dll" Mmhodf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlnnp32.dll" Onjgiiad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncfnmo32.dll" Bpleef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll" Fhffaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll" Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll" Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jifdebic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjqccigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdklej32.dll" Lihmjejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgoboqcm.dll" Ojolhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghniakc.dll" Oqideepg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkgkbipp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chnqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfamcogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnmfog32.dll" Mamddf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojahnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgggfhdc.dll" Okgnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcnbablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjhknm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpimg32.dll" Bekkcljk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbllihbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clilkfnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nehmdhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkeelohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onqamf32.dll" Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhcebp32.dll" Jjjacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjfho32.dll" Dbhnhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flojhn32.dll" Cdbdjhmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmjjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpmlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keefji32.dll" Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dliijipn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiilgb32.dll" Pmdjdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkpagq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1520 wrote to memory of 1664 1520 e92bd6c24dc6f0015de76c3b48cf8b80_NeikiAnalytics.exe 28 PID 1520 wrote to memory of 1664 1520 e92bd6c24dc6f0015de76c3b48cf8b80_NeikiAnalytics.exe 28 PID 1520 wrote to memory of 1664 1520 e92bd6c24dc6f0015de76c3b48cf8b80_NeikiAnalytics.exe 28 PID 1520 wrote to memory of 1664 1520 e92bd6c24dc6f0015de76c3b48cf8b80_NeikiAnalytics.exe 28 PID 1664 wrote to memory of 2980 1664 Doobajme.exe 29 PID 1664 wrote to memory of 2980 1664 Doobajme.exe 29 PID 1664 wrote to memory of 2980 1664 Doobajme.exe 29 PID 1664 wrote to memory of 2980 1664 Doobajme.exe 29 PID 2980 wrote to memory of 2636 2980 Epaogi32.exe 30 PID 2980 wrote to memory of 2636 2980 Epaogi32.exe 30 PID 2980 wrote to memory of 2636 2980 Epaogi32.exe 30 PID 2980 wrote to memory of 2636 2980 Epaogi32.exe 30 PID 2636 wrote to memory of 2548 2636 Ecmkghcl.exe 31 PID 2636 wrote to memory of 2548 2636 Ecmkghcl.exe 31 PID 2636 wrote to memory of 2548 2636 Ecmkghcl.exe 31 PID 2636 wrote to memory of 2548 2636 Ecmkghcl.exe 31 PID 2548 wrote to memory of 2440 2548 Eflgccbp.exe 32 PID 2548 wrote to memory of 2440 2548 Eflgccbp.exe 32 PID 2548 wrote to memory of 2440 2548 Eflgccbp.exe 32 PID 2548 wrote to memory of 2440 2548 Eflgccbp.exe 32 PID 2440 wrote to memory of 2412 2440 Ejgcdb32.exe 33 PID 2440 wrote to memory of 2412 2440 Ejgcdb32.exe 33 PID 2440 wrote to memory of 2412 2440 Ejgcdb32.exe 33 PID 2440 wrote to memory of 2412 2440 Ejgcdb32.exe 33 PID 2412 wrote to memory of 2676 2412 Emeopn32.exe 34 PID 2412 wrote to memory of 2676 2412 Emeopn32.exe 34 PID 2412 wrote to memory of 2676 2412 Emeopn32.exe 34 PID 2412 wrote to memory of 2676 2412 Emeopn32.exe 34 PID 2676 wrote to memory of 2404 2676 Epdkli32.exe 35 PID 2676 wrote to memory of 2404 2676 Epdkli32.exe 35 PID 2676 wrote to memory of 2404 2676 Epdkli32.exe 35 PID 2676 wrote to memory of 2404 2676 Epdkli32.exe 35 PID 2404 wrote to memory of 2760 2404 Efncicpm.exe 36 PID 2404 wrote to memory of 2760 2404 Efncicpm.exe 36 PID 2404 wrote to memory of 2760 2404 Efncicpm.exe 36 PID 2404 wrote to memory of 2760 2404 Efncicpm.exe 36 PID 2760 wrote to memory of 2892 2760 Eilpeooq.exe 37 PID 2760 wrote to memory of 2892 2760 Eilpeooq.exe 37 PID 2760 wrote to memory of 2892 2760 Eilpeooq.exe 37 PID 2760 wrote to memory of 2892 2760 Eilpeooq.exe 37 PID 2892 wrote to memory of 1860 2892 Ekklaj32.exe 38 PID 2892 wrote to memory of 1860 2892 Ekklaj32.exe 38 PID 2892 wrote to memory of 1860 2892 Ekklaj32.exe 38 PID 2892 wrote to memory of 1860 2892 Ekklaj32.exe 38 PID 1860 wrote to memory of 1276 1860 Eiomkn32.exe 39 PID 1860 wrote to memory of 1276 1860 Eiomkn32.exe 39 PID 1860 wrote to memory of 1276 1860 Eiomkn32.exe 39 PID 1860 wrote to memory of 1276 1860 Eiomkn32.exe 39 PID 1276 wrote to memory of 1800 1276 Elmigj32.exe 40 PID 1276 wrote to memory of 1800 1276 Elmigj32.exe 40 PID 1276 wrote to memory of 1800 1276 Elmigj32.exe 40 PID 1276 wrote to memory of 1800 1276 Elmigj32.exe 40 PID 1800 wrote to memory of 1820 1800 Eeempocb.exe 41 PID 1800 wrote to memory of 1820 1800 Eeempocb.exe 41 PID 1800 wrote to memory of 1820 1800 Eeempocb.exe 41 PID 1800 wrote to memory of 1820 1800 Eeempocb.exe 41 PID 1820 wrote to memory of 324 1820 Egdilkbf.exe 42 PID 1820 wrote to memory of 324 1820 Egdilkbf.exe 42 PID 1820 wrote to memory of 324 1820 Egdilkbf.exe 42 PID 1820 wrote to memory of 324 1820 Egdilkbf.exe 42 PID 324 wrote to memory of 2804 324 Eloemi32.exe 43 PID 324 wrote to memory of 2804 324 Eloemi32.exe 43 PID 324 wrote to memory of 2804 324 Eloemi32.exe 43 PID 324 wrote to memory of 2804 324 Eloemi32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\e92bd6c24dc6f0015de76c3b48cf8b80_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\e92bd6c24dc6f0015de76c3b48cf8b80_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:636 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe33⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe35⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe38⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe41⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe42⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe43⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe44⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe46⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe47⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe48⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe49⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe50⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe51⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe52⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe53⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe54⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe55⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe57⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe58⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe61⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe62⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe64⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe65⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe66⤵PID:1244
-
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe67⤵PID:2196
-
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe68⤵PID:1372
-
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe69⤵
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe70⤵PID:2612
-
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe71⤵PID:2020
-
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe72⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe73⤵PID:2316
-
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe74⤵PID:3068
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe75⤵PID:2480
-
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe76⤵PID:1792
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:576 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe78⤵PID:2272
-
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe79⤵PID:1132
-
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe80⤵PID:1052
-
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe81⤵PID:1936
-
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe82⤵PID:2400
-
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe83⤵PID:1336
-
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe84⤵PID:692
-
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe85⤵PID:1296
-
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe86⤵PID:2248
-
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe88⤵PID:1216
-
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe89⤵PID:1868
-
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe90⤵PID:2040
-
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe91⤵PID:2348
-
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe92⤵PID:2716
-
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe93⤵PID:1484
-
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe94⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe95⤵PID:760
-
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe96⤵PID:320
-
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe97⤵PID:3060
-
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe98⤵PID:1028
-
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe99⤵PID:1104
-
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe100⤵PID:1916
-
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe101⤵
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe102⤵
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe103⤵PID:2588
-
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe104⤵
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe105⤵
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe106⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe107⤵PID:1396
-
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe108⤵PID:812
-
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe109⤵PID:2076
-
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe110⤵PID:2908
-
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe111⤵PID:1236
-
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:488 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe113⤵PID:852
-
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe114⤵PID:2416
-
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe115⤵
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe116⤵PID:672
-
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe117⤵PID:2280
-
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe119⤵PID:2724
-
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe120⤵PID:1760
-
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe121⤵PID:2352
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-