Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
12-05-2024 07:36
Behavioral task
behavioral1
Sample
7dfb66cfb3edb03c72d1c72908db5a30_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
7dfb66cfb3edb03c72d1c72908db5a30_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
7dfb66cfb3edb03c72d1c72908db5a30_NeikiAnalytics.exe
-
Size
640KB
-
MD5
7dfb66cfb3edb03c72d1c72908db5a30
-
SHA1
3e43d72e4cd59770b6e665c4fcd9191c9611acc0
-
SHA256
01df3df89a6f7d6cdbe7854a470782fb9a62b43bfb2402ec9403d04a81efd2c4
-
SHA512
445f8e6b5dfebd61ab7a500a98ae774253791837030919a20f9c93beb5e4c76a89b7bddf91f201b6cdcf4819f3dc8a8ef10ba7b50f86a141d2aa35be9304266d
-
SSDEEP
12288:p6XludXHaINIVIIVy2oIvPKiK13fS2hEYM9RIPk:wX8dXHfNIVIIVy2jU13fS2hEYM9RIPk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgmbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkmbgdfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oicpfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejgcdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecqjpee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkece32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmhheqje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmiam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oojknblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obigjnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffkcbgek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faagpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqcoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hacmcfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocajbekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ankdiqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emcbkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facdeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klqfhbbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncancbha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beehencq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmafennb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khcnad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apajlhka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdjbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhhcgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbkddem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocajbekl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pphjgfqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppjglfon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankdiqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Banepo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebpkce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnkbdlbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbacbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnbacbac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cobbhfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiqbndpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdfflm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgajhbkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afiecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebgacddo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmgdddmq.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000c00000001342e-5.dat family_berbew behavioral1/files/0x000700000001418c-18.dat family_berbew behavioral1/files/0x000700000001431b-33.dat family_berbew behavioral1/memory/2552-41-0x00000000002D0000-0x000000000030E000-memory.dmp family_berbew behavioral1/files/0x0008000000014367-54.dat family_berbew behavioral1/files/0x0006000000014b1c-62.dat family_berbew behavioral1/files/0x0006000000014c2d-76.dat family_berbew behavioral1/files/0x000600000001507a-96.dat family_berbew behavioral1/files/0x00060000000150d9-110.dat family_berbew behavioral1/files/0x0035000000013f2c-117.dat family_berbew behavioral1/files/0x0006000000015662-137.dat family_berbew behavioral1/files/0x0006000000015ae3-144.dat family_berbew behavioral1/files/0x0006000000015b85-157.dat family_berbew behavioral1/files/0x0006000000015ca8-170.dat family_berbew behavioral1/files/0x0006000000015cc5-186.dat family_berbew behavioral1/files/0x0006000000015ce3-196.dat family_berbew behavioral1/files/0x0006000000015cf8-213.dat family_berbew behavioral1/files/0x0006000000015d21-227.dat family_berbew behavioral1/memory/584-229-0x0000000000250000-0x000000000028E000-memory.dmp family_berbew behavioral1/files/0x0006000000015d59-236.dat family_berbew behavioral1/files/0x0006000000015d85-245.dat family_berbew behavioral1/files/0x0006000000015f23-254.dat family_berbew behavioral1/files/0x0006000000016013-266.dat family_berbew behavioral1/files/0x00060000000161ee-276.dat family_berbew behavioral1/files/0x00060000000164ec-290.dat family_berbew behavioral1/files/0x00060000000167bf-297.dat family_berbew behavioral1/memory/816-300-0x0000000000250000-0x000000000028E000-memory.dmp family_berbew behavioral1/files/0x0006000000016c1f-308.dat family_berbew behavioral1/memory/828-312-0x0000000000300000-0x000000000033E000-memory.dmp family_berbew behavioral1/memory/828-311-0x0000000000300000-0x000000000033E000-memory.dmp family_berbew behavioral1/files/0x0006000000016c38-319.dat family_berbew behavioral1/files/0x0006000000016cb5-331.dat family_berbew behavioral1/files/0x0006000000016ced-341.dat family_berbew behavioral1/files/0x0006000000016cfd-354.dat family_berbew behavioral1/files/0x0006000000016d10-363.dat family_berbew behavioral1/files/0x0006000000016d21-376.dat family_berbew behavioral1/memory/2660-378-0x00000000002D0000-0x000000000030E000-memory.dmp family_berbew behavioral1/memory/2660-377-0x00000000002D0000-0x000000000030E000-memory.dmp family_berbew behavioral1/files/0x0006000000016d31-385.dat family_berbew behavioral1/files/0x0006000000016d85-398.dat family_berbew behavioral1/files/0x0006000000016e56-407.dat family_berbew behavioral1/files/0x000600000001737b-420.dat family_berbew behavioral1/memory/2028-422-0x00000000002D0000-0x000000000030E000-memory.dmp family_berbew behavioral1/memory/2028-421-0x00000000002D0000-0x000000000030E000-memory.dmp family_berbew behavioral1/files/0x000600000001738c-430.dat family_berbew behavioral1/files/0x00060000000173dc-440.dat family_berbew behavioral1/files/0x00060000000173e7-451.dat family_berbew behavioral1/files/0x0006000000017472-464.dat family_berbew behavioral1/files/0x0006000000017510-470.dat family_berbew behavioral1/memory/1884-482-0x0000000001F60000-0x0000000001F9E000-memory.dmp family_berbew behavioral1/memory/2636-473-0x0000000000440000-0x000000000047E000-memory.dmp family_berbew behavioral1/files/0x000d00000001865b-484.dat family_berbew behavioral1/memory/2996-491-0x00000000002D0000-0x000000000030E000-memory.dmp family_berbew behavioral1/files/0x000500000001877f-495.dat family_berbew behavioral1/files/0x00060000000190bc-507.dat family_berbew behavioral1/files/0x00050000000191dc-517.dat family_berbew behavioral1/files/0x000500000001920f-528.dat family_berbew behavioral1/files/0x0005000000019232-539.dat family_berbew behavioral1/files/0x0005000000019257-551.dat family_berbew behavioral1/files/0x000500000001925d-560.dat family_berbew behavioral1/files/0x0005000000019369-570.dat family_berbew behavioral1/files/0x00050000000193a9-581.dat family_berbew behavioral1/files/0x00050000000193bb-593.dat family_berbew behavioral1/files/0x00050000000193e6-603.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1144 Kikdkh32.exe 2552 Kfoedl32.exe 2684 Khcnad32.exe 2732 Klqfhbbe.exe 2596 Loapim32.exe 2480 Lhjdbcef.exe 2972 Lgoacojo.exe 3008 Lganiohl.exe 2124 Libgjj32.exe 2548 Meigpkka.exe 2824 Migpeiag.exe 2832 Mcodno32.exe 2328 Mnieom32.exe 1940 Mgajhbkg.exe 3060 Mnkbdlbd.exe 584 Nnplpl32.exe 824 Nqqdag32.exe 328 Nfmmin32.exe 1752 Nhlifi32.exe 1572 Ncancbha.exe 620 Nfpjomgd.exe 1332 Nkmbgdfl.exe 816 Ohqbqhde.exe 828 Oojknblb.exe 2420 Obigjnkf.exe 2392 Oicpfh32.exe 2252 Odjpkihg.exe 1056 Okchhc32.exe 2656 Oelmai32.exe 2660 Ogjimd32.exe 2620 Oenifh32.exe 2624 Ocajbekl.exe 2580 Pphjgfqq.exe 2028 Pgobhcac.exe 2240 Ppjglfon.exe 2092 Pbiciana.exe 348 Pchpbded.exe 2636 Pbkpna32.exe 1884 Pnbacbac.exe 2996 Pfiidobe.exe 2652 Pigeqkai.exe 2128 Pbpjiphi.exe 452 Pijbfj32.exe 1504 Qjknnbed.exe 112 Qnfjna32.exe 2280 Qeqbkkej.exe 2260 Qhooggdn.exe 976 Qmlgonbe.exe 748 Qecoqk32.exe 2920 Adeplhib.exe 2200 Ankdiqih.exe 2172 Aajpelhl.exe 2012 Ahchbf32.exe 2568 Ajbdna32.exe 2692 Apomfh32.exe 1712 Afiecb32.exe 2612 Ajdadamj.exe 2976 Ambmpmln.exe 1820 Apajlhka.exe 1268 Afkbib32.exe 2792 Amejeljk.exe 2704 Alhjai32.exe 2056 Afmonbqk.exe 1768 Ahokfj32.exe -
Loads dropped DLL 64 IoCs
pid Process 2292 7dfb66cfb3edb03c72d1c72908db5a30_NeikiAnalytics.exe 2292 7dfb66cfb3edb03c72d1c72908db5a30_NeikiAnalytics.exe 1144 Kikdkh32.exe 1144 Kikdkh32.exe 2552 Kfoedl32.exe 2552 Kfoedl32.exe 2684 Khcnad32.exe 2684 Khcnad32.exe 2732 Klqfhbbe.exe 2732 Klqfhbbe.exe 2596 Loapim32.exe 2596 Loapim32.exe 2480 Lhjdbcef.exe 2480 Lhjdbcef.exe 2972 Lgoacojo.exe 2972 Lgoacojo.exe 3008 Lganiohl.exe 3008 Lganiohl.exe 2124 Libgjj32.exe 2124 Libgjj32.exe 2548 Meigpkka.exe 2548 Meigpkka.exe 2824 Migpeiag.exe 2824 Migpeiag.exe 2832 Mcodno32.exe 2832 Mcodno32.exe 2328 Mnieom32.exe 2328 Mnieom32.exe 1940 Mgajhbkg.exe 1940 Mgajhbkg.exe 3060 Mnkbdlbd.exe 3060 Mnkbdlbd.exe 584 Nnplpl32.exe 584 Nnplpl32.exe 824 Nqqdag32.exe 824 Nqqdag32.exe 328 Nfmmin32.exe 328 Nfmmin32.exe 1752 Nhlifi32.exe 1752 Nhlifi32.exe 1572 Ncancbha.exe 1572 Ncancbha.exe 620 Nfpjomgd.exe 620 Nfpjomgd.exe 1332 Nkmbgdfl.exe 1332 Nkmbgdfl.exe 816 Ohqbqhde.exe 816 Ohqbqhde.exe 828 Oojknblb.exe 828 Oojknblb.exe 2420 Obigjnkf.exe 2420 Obigjnkf.exe 2392 Oicpfh32.exe 2392 Oicpfh32.exe 2252 Odjpkihg.exe 2252 Odjpkihg.exe 1056 Okchhc32.exe 1056 Okchhc32.exe 2656 Oelmai32.exe 2656 Oelmai32.exe 2660 Ogjimd32.exe 2660 Ogjimd32.exe 2620 Oenifh32.exe 2620 Oenifh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Egadpgfp.dll Fmcoja32.exe File created C:\Windows\SysWOW64\Qeqbkkej.exe Qnfjna32.exe File created C:\Windows\SysWOW64\Fmhheqje.exe Fhkpmjln.exe File opened for modification C:\Windows\SysWOW64\Fjlhneio.exe Ffpmnf32.exe File created C:\Windows\SysWOW64\Cnkajfop.dll Hdfflm32.exe File opened for modification C:\Windows\SysWOW64\Pbpjiphi.exe Pigeqkai.exe File created C:\Windows\SysWOW64\Cckace32.exe Ckdjbh32.exe File created C:\Windows\SysWOW64\Gieojq32.exe Gangic32.exe File created C:\Windows\SysWOW64\Egdgmmje.dll Okchhc32.exe File created C:\Windows\SysWOW64\Pnbacbac.exe Pbkpna32.exe File created C:\Windows\SysWOW64\Mefagn32.dll Pijbfj32.exe File opened for modification C:\Windows\SysWOW64\Alhjai32.exe Amejeljk.exe File opened for modification C:\Windows\SysWOW64\Ddagfm32.exe Dbbkja32.exe File created C:\Windows\SysWOW64\Hllopfgo.dll Ghmiam32.exe File created C:\Windows\SysWOW64\Pfabenjd.dll Gogangdc.exe File created C:\Windows\SysWOW64\Pbiciana.exe Ppjglfon.exe File created C:\Windows\SysWOW64\Afkbib32.exe Apajlhka.exe File created C:\Windows\SysWOW64\Bpfcgg32.exe Ahokfj32.exe File created C:\Windows\SysWOW64\Ljpojo32.dll Pgobhcac.exe File opened for modification C:\Windows\SysWOW64\Bnefdp32.exe Bgknheej.exe File created C:\Windows\SysWOW64\Hppiecpn.dll Cckace32.exe File created C:\Windows\SysWOW64\Qjknnbed.exe Pijbfj32.exe File created C:\Windows\SysWOW64\Cobbhfhg.exe Cfinoq32.exe File opened for modification C:\Windows\SysWOW64\Ilknfn32.exe Idceea32.exe File opened for modification C:\Windows\SysWOW64\Kikdkh32.exe 7dfb66cfb3edb03c72d1c72908db5a30_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\Mnkbdlbd.exe Mgajhbkg.exe File created C:\Windows\SysWOW64\Odjpkihg.exe Oicpfh32.exe File opened for modification C:\Windows\SysWOW64\Bommnc32.exe Bloqah32.exe File created C:\Windows\SysWOW64\Banepo32.exe Bopicc32.exe File created C:\Windows\SysWOW64\Dekpaqgc.dll Epdkli32.exe File created C:\Windows\SysWOW64\Fnpnndgp.exe Fckjalhj.exe File created C:\Windows\SysWOW64\Gegfdb32.exe Gonnhhln.exe File created C:\Windows\SysWOW64\Doffod32.dll Oenifh32.exe File created C:\Windows\SysWOW64\Hjlanqkq.dll Cnippoha.exe File created C:\Windows\SysWOW64\Eloemi32.exe Eiaiqn32.exe File created C:\Windows\SysWOW64\Alogkm32.dll Hpapln32.exe File created C:\Windows\SysWOW64\Ejdmpb32.dll Hjjddchg.exe File created C:\Windows\SysWOW64\Ljfekqdn.dll Mcodno32.exe File created C:\Windows\SysWOW64\Okchhc32.exe Odjpkihg.exe File opened for modification C:\Windows\SysWOW64\Comimg32.exe Chcqpmep.exe File created C:\Windows\SysWOW64\Ebedndfa.exe Epfhbign.exe File opened for modification C:\Windows\SysWOW64\Eeempocb.exe Ebgacddo.exe File opened for modification C:\Windows\SysWOW64\Pphjgfqq.exe Ocajbekl.exe File opened for modification C:\Windows\SysWOW64\Bgknheej.exe Banepo32.exe File created C:\Windows\SysWOW64\Nfpjomgd.exe Ncancbha.exe File opened for modification C:\Windows\SysWOW64\Oelmai32.exe Okchhc32.exe File opened for modification C:\Windows\SysWOW64\Qhooggdn.exe Qeqbkkej.exe File created C:\Windows\SysWOW64\Bommnc32.exe Bloqah32.exe File created C:\Windows\SysWOW64\Hacmcfge.exe Hpapln32.exe File opened for modification C:\Windows\SysWOW64\Meigpkka.exe Libgjj32.exe File created C:\Windows\SysWOW64\Oicpfh32.exe Obigjnkf.exe File opened for modification C:\Windows\SysWOW64\Pbiciana.exe Ppjglfon.exe File created C:\Windows\SysWOW64\Bioggp32.dll Ckdjbh32.exe File opened for modification C:\Windows\SysWOW64\Fnpnndgp.exe Fckjalhj.exe File opened for modification C:\Windows\SysWOW64\Nfpjomgd.exe Ncancbha.exe File created C:\Windows\SysWOW64\Gfegkapd.dll Pchpbded.exe File created C:\Windows\SysWOW64\Hnojdcfi.exe Hgdbhi32.exe File created C:\Windows\SysWOW64\Ebbjqa32.dll Pbpjiphi.exe File created C:\Windows\SysWOW64\Lonkjenl.dll Ebgacddo.exe File opened for modification C:\Windows\SysWOW64\Bagpopmj.exe Bpfcgg32.exe File created C:\Windows\SysWOW64\Coklgg32.exe Cllpkl32.exe File created C:\Windows\SysWOW64\Cgbdhd32.exe Coklgg32.exe File created C:\Windows\SysWOW64\Fhkpmjln.exe Fdoclk32.exe File opened for modification C:\Windows\SysWOW64\Hacmcfge.exe Hpapln32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2516 2312 WerFault.exe 200 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qeqbkkej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmafennb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkmbgdfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pphjgfqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mefagn32.dll" Pijbfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oockje32.dll" Cjbmjplb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfjhgfl.dll" Nkmbgdfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebpkce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll" Fmlapp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppiecpn.dll" Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkabadei.dll" Epfhbign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnieom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfinoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofgpn32.dll" Qnfjna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhooggdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dodonf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkkpbgli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhjhkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idceea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cckace32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebedndfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffkcbgek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilknfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beehencq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdphdj.dll" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll" Eeempocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll" Facdeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffpmnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgdbhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahokfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idphiplp.dll" Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klqfhbbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdppp32.dll" Ogjimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocajbekl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkmbgdfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" Icbimi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdoik32.dll" Epaogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcbom32.dll" Nhlifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhfilfi.dll" Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjjddchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 7dfb66cfb3edb03c72d1c72908db5a30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpokk32.dll" Pnbacbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bommnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnkbdlbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epfhbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gegfdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aajpelhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhkpmjln.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2292 wrote to memory of 1144 2292 7dfb66cfb3edb03c72d1c72908db5a30_NeikiAnalytics.exe 28 PID 2292 wrote to memory of 1144 2292 7dfb66cfb3edb03c72d1c72908db5a30_NeikiAnalytics.exe 28 PID 2292 wrote to memory of 1144 2292 7dfb66cfb3edb03c72d1c72908db5a30_NeikiAnalytics.exe 28 PID 2292 wrote to memory of 1144 2292 7dfb66cfb3edb03c72d1c72908db5a30_NeikiAnalytics.exe 28 PID 1144 wrote to memory of 2552 1144 Kikdkh32.exe 29 PID 1144 wrote to memory of 2552 1144 Kikdkh32.exe 29 PID 1144 wrote to memory of 2552 1144 Kikdkh32.exe 29 PID 1144 wrote to memory of 2552 1144 Kikdkh32.exe 29 PID 2552 wrote to memory of 2684 2552 Kfoedl32.exe 30 PID 2552 wrote to memory of 2684 2552 Kfoedl32.exe 30 PID 2552 wrote to memory of 2684 2552 Kfoedl32.exe 30 PID 2552 wrote to memory of 2684 2552 Kfoedl32.exe 30 PID 2684 wrote to memory of 2732 2684 Khcnad32.exe 31 PID 2684 wrote to memory of 2732 2684 Khcnad32.exe 31 PID 2684 wrote to memory of 2732 2684 Khcnad32.exe 31 PID 2684 wrote to memory of 2732 2684 Khcnad32.exe 31 PID 2732 wrote to memory of 2596 2732 Klqfhbbe.exe 32 PID 2732 wrote to memory of 2596 2732 Klqfhbbe.exe 32 PID 2732 wrote to memory of 2596 2732 Klqfhbbe.exe 32 PID 2732 wrote to memory of 2596 2732 Klqfhbbe.exe 32 PID 2596 wrote to memory of 2480 2596 Loapim32.exe 33 PID 2596 wrote to memory of 2480 2596 Loapim32.exe 33 PID 2596 wrote to memory of 2480 2596 Loapim32.exe 33 PID 2596 wrote to memory of 2480 2596 Loapim32.exe 33 PID 2480 wrote to memory of 2972 2480 Lhjdbcef.exe 34 PID 2480 wrote to memory of 2972 2480 Lhjdbcef.exe 34 PID 2480 wrote to memory of 2972 2480 Lhjdbcef.exe 34 PID 2480 wrote to memory of 2972 2480 Lhjdbcef.exe 34 PID 2972 wrote to memory of 3008 2972 Lgoacojo.exe 35 PID 2972 wrote to memory of 3008 2972 Lgoacojo.exe 35 PID 2972 wrote to memory of 3008 2972 Lgoacojo.exe 35 PID 2972 wrote to memory of 3008 2972 Lgoacojo.exe 35 PID 3008 wrote to memory of 2124 3008 Lganiohl.exe 36 PID 3008 wrote to memory of 2124 3008 Lganiohl.exe 36 PID 3008 wrote to memory of 2124 3008 Lganiohl.exe 36 PID 3008 wrote to memory of 2124 3008 Lganiohl.exe 36 PID 2124 wrote to memory of 2548 2124 Libgjj32.exe 37 PID 2124 wrote to memory of 2548 2124 Libgjj32.exe 37 PID 2124 wrote to memory of 2548 2124 Libgjj32.exe 37 PID 2124 wrote to memory of 2548 2124 Libgjj32.exe 37 PID 2548 wrote to memory of 2824 2548 Meigpkka.exe 38 PID 2548 wrote to memory of 2824 2548 Meigpkka.exe 38 PID 2548 wrote to memory of 2824 2548 Meigpkka.exe 38 PID 2548 wrote to memory of 2824 2548 Meigpkka.exe 38 PID 2824 wrote to memory of 2832 2824 Migpeiag.exe 39 PID 2824 wrote to memory of 2832 2824 Migpeiag.exe 39 PID 2824 wrote to memory of 2832 2824 Migpeiag.exe 39 PID 2824 wrote to memory of 2832 2824 Migpeiag.exe 39 PID 2832 wrote to memory of 2328 2832 Mcodno32.exe 40 PID 2832 wrote to memory of 2328 2832 Mcodno32.exe 40 PID 2832 wrote to memory of 2328 2832 Mcodno32.exe 40 PID 2832 wrote to memory of 2328 2832 Mcodno32.exe 40 PID 2328 wrote to memory of 1940 2328 Mnieom32.exe 41 PID 2328 wrote to memory of 1940 2328 Mnieom32.exe 41 PID 2328 wrote to memory of 1940 2328 Mnieom32.exe 41 PID 2328 wrote to memory of 1940 2328 Mnieom32.exe 41 PID 1940 wrote to memory of 3060 1940 Mgajhbkg.exe 42 PID 1940 wrote to memory of 3060 1940 Mgajhbkg.exe 42 PID 1940 wrote to memory of 3060 1940 Mgajhbkg.exe 42 PID 1940 wrote to memory of 3060 1940 Mgajhbkg.exe 42 PID 3060 wrote to memory of 584 3060 Mnkbdlbd.exe 43 PID 3060 wrote to memory of 584 3060 Mnkbdlbd.exe 43 PID 3060 wrote to memory of 584 3060 Mnkbdlbd.exe 43 PID 3060 wrote to memory of 584 3060 Mnkbdlbd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\7dfb66cfb3edb03c72d1c72908db5a30_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\7dfb66cfb3edb03c72d1c72908db5a30_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:824 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:620 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:816 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:828 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe37⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:348 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe41⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe45⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe49⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe50⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe54⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe55⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe56⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe58⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe61⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe63⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe64⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe66⤵
- Drops file in System32 directory
PID:480 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe67⤵PID:1496
-
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe69⤵PID:1836
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:968 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe71⤵
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe72⤵
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe73⤵
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe74⤵PID:2860
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe78⤵
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe79⤵PID:2784
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe80⤵PID:1644
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe81⤵PID:3004
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe82⤵PID:1076
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe83⤵
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe84⤵
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe85⤵
- Drops file in System32 directory
PID:1256 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe86⤵
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe87⤵
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe88⤵
- Modifies registry class
PID:1004 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe89⤵
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe90⤵
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1344 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe95⤵PID:2756
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe96⤵PID:2804
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe97⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:708 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe99⤵
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe100⤵
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe101⤵
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe102⤵PID:3028
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1600 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe104⤵PID:1632
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe105⤵PID:1616
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe106⤵PID:2720
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe108⤵PID:2632
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe109⤵PID:2256
-
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1416 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe111⤵
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1800 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe114⤵PID:600
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe115⤵
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe116⤵PID:1352
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1816 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe121⤵PID:820
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-