Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
28/06/2024, 07:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8c54beb7732f9ed452ffc5a4fff4aab84cdc62935e3b6b794d42ddc313725870_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
8c54beb7732f9ed452ffc5a4fff4aab84cdc62935e3b6b794d42ddc313725870_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
8c54beb7732f9ed452ffc5a4fff4aab84cdc62935e3b6b794d42ddc313725870_NeikiAnalytics.exe
-
Size
96KB
-
MD5
e1f2f57b616daba47b6e579a42ee9450
-
SHA1
25daf930d31743efc9b5d4eee291d2b618d9f811
-
SHA256
8c54beb7732f9ed452ffc5a4fff4aab84cdc62935e3b6b794d42ddc313725870
-
SHA512
689fa48de108b7fa910fd5652a676413e3fa90f0746d8aff84a9c2936a8fec0b761558f668ad930a6ee539dfbf629c1801465fa455f8f1bb4c75236686405144
-
SSDEEP
1536:vkz7RHKfy2OEYeD3jhLzcKS1YB2uKNYknBGee0ZR+HuTc8s8Nk/BOm7CMy0QiLiY:vkzNXCDhPye2uqYABHZR+gc8dNk5Om77
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mggpgmof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifkojiim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mochnppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncmdhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nefpnhlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imbkadcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldenbcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcjkcplm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmkmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfoedl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmfbogcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhnfkigh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdjbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keoapb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngfcca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apajlhka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joplbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhfipcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaobdjof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chnqkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inhdehbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqljlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ongnonkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmqdkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefpnhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbhmnkjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdcnlglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgkafo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhncmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnbacbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmaled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Effcma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldnhad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhpfqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioccco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkpgfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbjgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okikfagn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ampqjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkcbhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcmhiojk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphmeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogeigofa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbhbom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikddbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfqahgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkppbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpigfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gomedi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcnpbi32.exe -
Executes dropped EXE 64 IoCs
pid Process 2788 Eemnlanj.exe 2532 Ejjfdhlb.exe 2800 Eepkaalh.exe 2576 Ehngnlkk.exe 2632 Emkofcic.exe 2880 Ecehbm32.exe 1772 Ejopog32.exe 2604 Ebjdcj32.exe 2704 Empiab32.exe 1968 Fpnemn32.exe 1372 Fekneebh.exe 2104 Flefbo32.exe 2748 Ffjjoh32.exe 1728 Fhlfgppj.exe 2904 Foeodj32.exe 800 Fhncmp32.exe 1032 Fafheedg.exe 956 Febcfd32.exe 1188 Fdddaqck.exe 1548 Fmmhjf32.exe 2820 Fahdkebe.exe 900 Gomedi32.exe 2232 Gakaqd32.exe 1992 Gdimmp32.exe 2968 Gkceijfb.exe 2536 Gppnaaej.exe 2964 Gkeboj32.exe 2228 Gmdoke32.exe 2368 Glgofbjn.exe 2428 Gcagcl32.exe 2340 Geocph32.exe 2620 Gccdil32.exe 864 Geapeg32.exe 356 Gllhaa32.exe 2328 Hahqjh32.exe 1272 Hedmkgmi.exe 1196 Hhbigblm.exe 2776 Hkqecnkq.exe 1612 Holacm32.exe 268 Hakmph32.exe 836 Hakmph32.exe 2712 Hdijlc32.exe 2084 Hlpamq32.exe 452 Hkcbhn32.exe 2664 Hnandi32.exe 1708 Hfifff32.exe 2988 Hfifff32.exe 108 Hhgbba32.exe 2240 Hgjbmoob.exe 1924 Hgjbmoob.exe 2784 Hndkji32.exe 2624 Hqbgfd32.exe 2360 Hhioga32.exe 2636 Hglocnmp.exe 2372 Hjkkojlc.exe 1236 Hbbcpg32.exe 2180 Hqddldcp.exe 848 Inhdehbj.exe 1776 Iqgqacam.exe 2284 Idblbb32.exe 1360 Igainn32.exe 2012 Ijoeji32.exe 2696 Imnafd32.exe 2392 Iqimgc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2276 8c54beb7732f9ed452ffc5a4fff4aab84cdc62935e3b6b794d42ddc313725870_NeikiAnalytics.exe 2276 8c54beb7732f9ed452ffc5a4fff4aab84cdc62935e3b6b794d42ddc313725870_NeikiAnalytics.exe 2788 Eemnlanj.exe 2788 Eemnlanj.exe 2532 Ejjfdhlb.exe 2532 Ejjfdhlb.exe 2800 Eepkaalh.exe 2800 Eepkaalh.exe 2576 Ehngnlkk.exe 2576 Ehngnlkk.exe 2632 Emkofcic.exe 2632 Emkofcic.exe 2880 Ecehbm32.exe 2880 Ecehbm32.exe 1772 Ejopog32.exe 1772 Ejopog32.exe 2604 Ebjdcj32.exe 2604 Ebjdcj32.exe 2704 Empiab32.exe 2704 Empiab32.exe 1968 Fpnemn32.exe 1968 Fpnemn32.exe 1372 Fekneebh.exe 1372 Fekneebh.exe 2104 Flefbo32.exe 2104 Flefbo32.exe 2748 Ffjjoh32.exe 2748 Ffjjoh32.exe 1728 Fhlfgppj.exe 1728 Fhlfgppj.exe 2904 Foeodj32.exe 2904 Foeodj32.exe 800 Fhncmp32.exe 800 Fhncmp32.exe 1032 Fafheedg.exe 1032 Fafheedg.exe 956 Febcfd32.exe 956 Febcfd32.exe 1188 Fdddaqck.exe 1188 Fdddaqck.exe 1548 Fmmhjf32.exe 1548 Fmmhjf32.exe 2820 Fahdkebe.exe 2820 Fahdkebe.exe 900 Gomedi32.exe 900 Gomedi32.exe 2232 Gakaqd32.exe 2232 Gakaqd32.exe 1992 Gdimmp32.exe 1992 Gdimmp32.exe 2968 Gkceijfb.exe 2968 Gkceijfb.exe 2536 Gppnaaej.exe 2536 Gppnaaej.exe 2964 Gkeboj32.exe 2964 Gkeboj32.exe 2228 Gmdoke32.exe 2228 Gmdoke32.exe 2368 Glgofbjn.exe 2368 Glgofbjn.exe 2428 Gcagcl32.exe 2428 Gcagcl32.exe 2340 Geocph32.exe 2340 Geocph32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ojkbol32.dll Hhgbba32.exe File opened for modification C:\Windows\SysWOW64\Nofabc32.exe Nqcagfim.exe File created C:\Windows\SysWOW64\Bommnc32.exe Bkaqmeah.exe File created C:\Windows\SysWOW64\Ajfaqa32.dll Dhpiojfb.exe File created C:\Windows\SysWOW64\Ahgnke32.exe Aehboi32.exe File created C:\Windows\SysWOW64\Eqbddk32.exe Ebodiofk.exe File opened for modification C:\Windows\SysWOW64\Gppnaaej.exe Gkceijfb.exe File opened for modification C:\Windows\SysWOW64\Labhkh32.exe Lodlom32.exe File created C:\Windows\SysWOW64\Jkkilgnq.dll Magnek32.exe File created C:\Windows\SysWOW64\Nokeef32.dll Hlcgeo32.exe File created C:\Windows\SysWOW64\Meigpkka.exe Mcjkcplm.exe File created C:\Windows\SysWOW64\Nejiih32.exe Nncahjgl.exe File created C:\Windows\SysWOW64\Qmlgonbe.exe Qjmkcbcb.exe File created C:\Windows\SysWOW64\Kjqipbka.dll Bhahlj32.exe File created C:\Windows\SysWOW64\Bifjqh32.dll Pimkpfeh.exe File created C:\Windows\SysWOW64\Nanbpedg.dll Ceaadk32.exe File created C:\Windows\SysWOW64\Fmmkhm32.dll Fhncmp32.exe File opened for modification C:\Windows\SysWOW64\Abbbnchb.exe Apcfahio.exe File opened for modification C:\Windows\SysWOW64\Jehkodcm.exe Jfekcg32.exe File created C:\Windows\SysWOW64\Acmmle32.dll Aibajhdn.exe File opened for modification C:\Windows\SysWOW64\Kcolba32.exe Kpcpbb32.exe File opened for modification C:\Windows\SysWOW64\Ahgnke32.exe Aehboi32.exe File created C:\Windows\SysWOW64\Bhigphio.exe Bekkcljk.exe File opened for modification C:\Windows\SysWOW64\Eloemi32.exe Egdilkbf.exe File created C:\Windows\SysWOW64\Jkpgfn32.exe Jmmfkafa.exe File opened for modification C:\Windows\SysWOW64\Jnclnihj.exe Joplbl32.exe File created C:\Windows\SysWOW64\Cekkkkhe.dll Kjnfniii.exe File created C:\Windows\SysWOW64\Jmbgpg32.exe Jjdkdl32.exe File created C:\Windows\SysWOW64\Npfpmgon.dll Kphimanc.exe File opened for modification C:\Windows\SysWOW64\Ofdcjm32.exe Obigjnkf.exe File opened for modification C:\Windows\SysWOW64\Aiedjneg.exe Affhncfc.exe File created C:\Windows\SysWOW64\Kfgdhjmk.exe Kblhgk32.exe File created C:\Windows\SysWOW64\Ikpjgkjq.exe Igdogl32.exe File created C:\Windows\SysWOW64\Cdikkg32.exe Cpnojioo.exe File created C:\Windows\SysWOW64\Kqkmadea.dll Febcfd32.exe File created C:\Windows\SysWOW64\Bilpdm32.dll Gakaqd32.exe File created C:\Windows\SysWOW64\Egadpgfp.dll Fcmgfkeg.exe File created C:\Windows\SysWOW64\Hcplhi32.exe Hodpgjha.exe File opened for modification C:\Windows\SysWOW64\Fehjeo32.exe Ealnephf.exe File created C:\Windows\SysWOW64\Ohkgmi32.dll Mijfnh32.exe File opened for modification C:\Windows\SysWOW64\Ofelmloo.exe Ogblbo32.exe File created C:\Windows\SysWOW64\Pqkmjh32.exe Pbhmnkjf.exe File opened for modification C:\Windows\SysWOW64\Hjkkojlc.exe Hglocnmp.exe File created C:\Windows\SysWOW64\Oqcnfjli.exe Omgaek32.exe File opened for modification C:\Windows\SysWOW64\Bommnc32.exe Bkaqmeah.exe File opened for modification C:\Windows\SysWOW64\Bghabf32.exe Bhfagipa.exe File opened for modification C:\Windows\SysWOW64\Iidbke32.exe Iffeoj32.exe File created C:\Windows\SysWOW64\Dmoipopd.exe Dnlidb32.exe File opened for modification C:\Windows\SysWOW64\Dmafennb.exe Djbiicon.exe File created C:\Windows\SysWOW64\Eofjhkoj.dll Doehqead.exe File created C:\Windows\SysWOW64\Ijlhmj32.dll Mcegmm32.exe File opened for modification C:\Windows\SysWOW64\Nkbhgojk.exe Nhdlkdkg.exe File opened for modification C:\Windows\SysWOW64\Alpmfdcb.exe Aibajhdn.exe File created C:\Windows\SysWOW64\Mbeegk32.dll Fmmhjf32.exe File opened for modification C:\Windows\SysWOW64\Gomedi32.exe Fahdkebe.exe File created C:\Windows\SysWOW64\Mqkgkfhp.dll Geocph32.exe File created C:\Windows\SysWOW64\Kipnfged.exe Kedaeh32.exe File created C:\Windows\SysWOW64\Jfkkimlh.exe Jclomamd.exe File created C:\Windows\SysWOW64\Mcodno32.exe Mochnppo.exe File created C:\Windows\SysWOW64\Kleiio32.dll Gegfdb32.exe File created C:\Windows\SysWOW64\Mfacfkje.dll Djhphncm.exe File opened for modification C:\Windows\SysWOW64\Jkjdhpea.exe Jgnhga32.exe File created C:\Windows\SysWOW64\Cdcfgc32.dll Ampqjm32.exe File created C:\Windows\SysWOW64\Ebinic32.exe Ejbfhfaj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7952 7308 WerFault.exe 851 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcplhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmceigep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oklkmnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifkojiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jegble32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnplpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgnljad.dll" Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eloemi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meagci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjifqd32.dll" Ahgnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fahdkebe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onqamf32.dll" Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffhidee.dll" Ncmdhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbbfi32.dll" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eebfei32.dll" 8c54beb7732f9ed452ffc5a4fff4aab84cdc62935e3b6b794d42ddc313725870_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gcagcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll" Hellne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncjqhmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gellaqbd.dll" Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbfahp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onhgbmfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgioaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdimmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obljmlpp.dll" Nfpjomgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epaogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gangic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Incpoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmmcjehm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djklnnaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odegpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjqipbka.dll" Bhahlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fejgko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jifdebic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kneicieh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmjfdejp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhlqhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bommnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdgnaicn.dll" Fpnemn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll" Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcmac32.dll" Jjojofgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anojbobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhigphio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpeliikc.dll" Abbbnchb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillgpen.dll" Dmafennb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmbgl32.dll" Nacgdhlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Keikqhhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Libgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdlnkmha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eijcpoac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikddbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll" Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnoej32.dll" Dlgldibq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2276 wrote to memory of 2788 2276 8c54beb7732f9ed452ffc5a4fff4aab84cdc62935e3b6b794d42ddc313725870_NeikiAnalytics.exe 28 PID 2276 wrote to memory of 2788 2276 8c54beb7732f9ed452ffc5a4fff4aab84cdc62935e3b6b794d42ddc313725870_NeikiAnalytics.exe 28 PID 2276 wrote to memory of 2788 2276 8c54beb7732f9ed452ffc5a4fff4aab84cdc62935e3b6b794d42ddc313725870_NeikiAnalytics.exe 28 PID 2276 wrote to memory of 2788 2276 8c54beb7732f9ed452ffc5a4fff4aab84cdc62935e3b6b794d42ddc313725870_NeikiAnalytics.exe 28 PID 2788 wrote to memory of 2532 2788 Eemnlanj.exe 29 PID 2788 wrote to memory of 2532 2788 Eemnlanj.exe 29 PID 2788 wrote to memory of 2532 2788 Eemnlanj.exe 29 PID 2788 wrote to memory of 2532 2788 Eemnlanj.exe 29 PID 2532 wrote to memory of 2800 2532 Ejjfdhlb.exe 30 PID 2532 wrote to memory of 2800 2532 Ejjfdhlb.exe 30 PID 2532 wrote to memory of 2800 2532 Ejjfdhlb.exe 30 PID 2532 wrote to memory of 2800 2532 Ejjfdhlb.exe 30 PID 2800 wrote to memory of 2576 2800 Eepkaalh.exe 31 PID 2800 wrote to memory of 2576 2800 Eepkaalh.exe 31 PID 2800 wrote to memory of 2576 2800 Eepkaalh.exe 31 PID 2800 wrote to memory of 2576 2800 Eepkaalh.exe 31 PID 2576 wrote to memory of 2632 2576 Ehngnlkk.exe 32 PID 2576 wrote to memory of 2632 2576 Ehngnlkk.exe 32 PID 2576 wrote to memory of 2632 2576 Ehngnlkk.exe 32 PID 2576 wrote to memory of 2632 2576 Ehngnlkk.exe 32 PID 2632 wrote to memory of 2880 2632 Emkofcic.exe 33 PID 2632 wrote to memory of 2880 2632 Emkofcic.exe 33 PID 2632 wrote to memory of 2880 2632 Emkofcic.exe 33 PID 2632 wrote to memory of 2880 2632 Emkofcic.exe 33 PID 2880 wrote to memory of 1772 2880 Ecehbm32.exe 34 PID 2880 wrote to memory of 1772 2880 Ecehbm32.exe 34 PID 2880 wrote to memory of 1772 2880 Ecehbm32.exe 34 PID 2880 wrote to memory of 1772 2880 Ecehbm32.exe 34 PID 1772 wrote to memory of 2604 1772 Ejopog32.exe 35 PID 1772 wrote to memory of 2604 1772 Ejopog32.exe 35 PID 1772 wrote to memory of 2604 1772 Ejopog32.exe 35 PID 1772 wrote to memory of 2604 1772 Ejopog32.exe 35 PID 2604 wrote to memory of 2704 2604 Ebjdcj32.exe 36 PID 2604 wrote to memory of 2704 2604 Ebjdcj32.exe 36 PID 2604 wrote to memory of 2704 2604 Ebjdcj32.exe 36 PID 2604 wrote to memory of 2704 2604 Ebjdcj32.exe 36 PID 2704 wrote to memory of 1968 2704 Empiab32.exe 37 PID 2704 wrote to memory of 1968 2704 Empiab32.exe 37 PID 2704 wrote to memory of 1968 2704 Empiab32.exe 37 PID 2704 wrote to memory of 1968 2704 Empiab32.exe 37 PID 1968 wrote to memory of 1372 1968 Fpnemn32.exe 38 PID 1968 wrote to memory of 1372 1968 Fpnemn32.exe 38 PID 1968 wrote to memory of 1372 1968 Fpnemn32.exe 38 PID 1968 wrote to memory of 1372 1968 Fpnemn32.exe 38 PID 1372 wrote to memory of 2104 1372 Fekneebh.exe 39 PID 1372 wrote to memory of 2104 1372 Fekneebh.exe 39 PID 1372 wrote to memory of 2104 1372 Fekneebh.exe 39 PID 1372 wrote to memory of 2104 1372 Fekneebh.exe 39 PID 2104 wrote to memory of 2748 2104 Flefbo32.exe 40 PID 2104 wrote to memory of 2748 2104 Flefbo32.exe 40 PID 2104 wrote to memory of 2748 2104 Flefbo32.exe 40 PID 2104 wrote to memory of 2748 2104 Flefbo32.exe 40 PID 2748 wrote to memory of 1728 2748 Ffjjoh32.exe 41 PID 2748 wrote to memory of 1728 2748 Ffjjoh32.exe 41 PID 2748 wrote to memory of 1728 2748 Ffjjoh32.exe 41 PID 2748 wrote to memory of 1728 2748 Ffjjoh32.exe 41 PID 1728 wrote to memory of 2904 1728 Fhlfgppj.exe 42 PID 1728 wrote to memory of 2904 1728 Fhlfgppj.exe 42 PID 1728 wrote to memory of 2904 1728 Fhlfgppj.exe 42 PID 1728 wrote to memory of 2904 1728 Fhlfgppj.exe 42 PID 2904 wrote to memory of 800 2904 Foeodj32.exe 43 PID 2904 wrote to memory of 800 2904 Foeodj32.exe 43 PID 2904 wrote to memory of 800 2904 Foeodj32.exe 43 PID 2904 wrote to memory of 800 2904 Foeodj32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c54beb7732f9ed452ffc5a4fff4aab84cdc62935e3b6b794d42ddc313725870_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\8c54beb7732f9ed452ffc5a4fff4aab84cdc62935e3b6b794d42ddc313725870_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Eemnlanj.exeC:\Windows\system32\Eemnlanj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Ejjfdhlb.exeC:\Windows\system32\Ejjfdhlb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Eepkaalh.exeC:\Windows\system32\Eepkaalh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Ehngnlkk.exeC:\Windows\system32\Ehngnlkk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Emkofcic.exeC:\Windows\system32\Emkofcic.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Ecehbm32.exeC:\Windows\system32\Ecehbm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Ejopog32.exeC:\Windows\system32\Ejopog32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Ebjdcj32.exeC:\Windows\system32\Ebjdcj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Empiab32.exeC:\Windows\system32\Empiab32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Fpnemn32.exeC:\Windows\system32\Fpnemn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Fekneebh.exeC:\Windows\system32\Fekneebh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Flefbo32.exeC:\Windows\system32\Flefbo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Ffjjoh32.exeC:\Windows\system32\Ffjjoh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Fhlfgppj.exeC:\Windows\system32\Fhlfgppj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Foeodj32.exeC:\Windows\system32\Foeodj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Fhncmp32.exeC:\Windows\system32\Fhncmp32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:800 -
C:\Windows\SysWOW64\Fafheedg.exeC:\Windows\system32\Fafheedg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Windows\SysWOW64\Febcfd32.exeC:\Windows\system32\Febcfd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:956 -
C:\Windows\SysWOW64\Fdddaqck.exeC:\Windows\system32\Fdddaqck.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1188 -
C:\Windows\SysWOW64\Fmmhjf32.exeC:\Windows\system32\Fmmhjf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Fahdkebe.exeC:\Windows\system32\Fahdkebe.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Gomedi32.exeC:\Windows\system32\Gomedi32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Gakaqd32.exeC:\Windows\system32\Gakaqd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Gdimmp32.exeC:\Windows\system32\Gdimmp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Gkceijfb.exeC:\Windows\system32\Gkceijfb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Gppnaaej.exeC:\Windows\system32\Gppnaaej.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Gkeboj32.exeC:\Windows\system32\Gkeboj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Gmdoke32.exeC:\Windows\system32\Gmdoke32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Glgofbjn.exeC:\Windows\system32\Glgofbjn.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Gcagcl32.exeC:\Windows\system32\Gcagcl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Geocph32.exeC:\Windows\system32\Geocph32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Gccdil32.exeC:\Windows\system32\Gccdil32.exe33⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Geapeg32.exeC:\Windows\system32\Geapeg32.exe34⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Gllhaa32.exeC:\Windows\system32\Gllhaa32.exe35⤵
- Executes dropped EXE
PID:356 -
C:\Windows\SysWOW64\Hahqjh32.exeC:\Windows\system32\Hahqjh32.exe36⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Hedmkgmi.exeC:\Windows\system32\Hedmkgmi.exe37⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Hhbigblm.exeC:\Windows\system32\Hhbigblm.exe38⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Hkqecnkq.exeC:\Windows\system32\Hkqecnkq.exe39⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Holacm32.exeC:\Windows\system32\Holacm32.exe40⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Hakmph32.exeC:\Windows\system32\Hakmph32.exe41⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Hakmph32.exeC:\Windows\system32\Hakmph32.exe42⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Hdijlc32.exeC:\Windows\system32\Hdijlc32.exe43⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Hlpamq32.exeC:\Windows\system32\Hlpamq32.exe44⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Hkcbhn32.exeC:\Windows\system32\Hkcbhn32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Hnandi32.exeC:\Windows\system32\Hnandi32.exe46⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Hfifff32.exeC:\Windows\system32\Hfifff32.exe47⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Hfifff32.exeC:\Windows\system32\Hfifff32.exe48⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Hhgbba32.exeC:\Windows\system32\Hhgbba32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:108 -
C:\Windows\SysWOW64\Hgjbmoob.exeC:\Windows\system32\Hgjbmoob.exe50⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Hgjbmoob.exeC:\Windows\system32\Hgjbmoob.exe51⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Hndkji32.exeC:\Windows\system32\Hndkji32.exe52⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Hqbgfd32.exeC:\Windows\system32\Hqbgfd32.exe53⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Hhioga32.exeC:\Windows\system32\Hhioga32.exe54⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Hglocnmp.exeC:\Windows\system32\Hglocnmp.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Hjkkojlc.exeC:\Windows\system32\Hjkkojlc.exe56⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Hbbcpg32.exeC:\Windows\system32\Hbbcpg32.exe57⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Hqddldcp.exeC:\Windows\system32\Hqddldcp.exe58⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Inhdehbj.exeC:\Windows\system32\Inhdehbj.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Iqgqacam.exeC:\Windows\system32\Iqgqacam.exe60⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Idblbb32.exeC:\Windows\system32\Idblbb32.exe61⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Igainn32.exeC:\Windows\system32\Igainn32.exe62⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Ijoeji32.exeC:\Windows\system32\Ijoeji32.exe63⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Imnafd32.exeC:\Windows\system32\Imnafd32.exe64⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Iqimgc32.exeC:\Windows\system32\Iqimgc32.exe65⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe66⤵PID:668
-
C:\Windows\SysWOW64\Iffeoj32.exeC:\Windows\system32\Iffeoj32.exe67⤵
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Iidbke32.exeC:\Windows\system32\Iidbke32.exe68⤵PID:780
-
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1996 -
C:\Windows\SysWOW64\Ioojhpdb.exeC:\Windows\system32\Ioojhpdb.exe70⤵PID:812
-
C:\Windows\SysWOW64\Ibmfdkcf.exeC:\Windows\system32\Ibmfdkcf.exe71⤵PID:600
-
C:\Windows\SysWOW64\Ijdnehci.exeC:\Windows\system32\Ijdnehci.exe72⤵PID:1716
-
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2492 -
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe74⤵PID:2196
-
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe75⤵PID:2516
-
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Iiikfehq.exeC:\Windows\system32\Iiikfehq.exe77⤵PID:2932
-
C:\Windows\SysWOW64\Ikggbpgd.exeC:\Windows\system32\Ikggbpgd.exe78⤵PID:2572
-
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:240 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe80⤵PID:1552
-
C:\Windows\SysWOW64\Ifmlpigj.exeC:\Windows\system32\Ifmlpigj.exe81⤵PID:1356
-
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe82⤵PID:1700
-
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe83⤵
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Jkjdhpea.exeC:\Windows\system32\Jkjdhpea.exe84⤵PID:2332
-
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe85⤵PID:1416
-
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe86⤵PID:2236
-
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe87⤵PID:1048
-
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe88⤵PID:1308
-
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe89⤵PID:912
-
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe90⤵PID:1732
-
C:\Windows\SysWOW64\Jedefejo.exeC:\Windows\system32\Jedefejo.exe91⤵PID:2792
-
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe92⤵PID:2544
-
C:\Windows\SysWOW64\Jmpjkggj.exeC:\Windows\system32\Jmpjkggj.exe93⤵PID:2640
-
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe94⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Jcjbgaog.exeC:\Windows\system32\Jcjbgaog.exe95⤵PID:752
-
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe96⤵PID:2244
-
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe97⤵
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe98⤵PID:1280
-
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe99⤵PID:2744
-
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe100⤵
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe101⤵PID:1404
-
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe102⤵PID:692
-
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe103⤵PID:1252
-
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe104⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe105⤵PID:2936
-
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe106⤵PID:1652
-
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe107⤵PID:2508
-
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe108⤵PID:2660
-
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe109⤵PID:2884
-
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe110⤵PID:1648
-
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2716 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe112⤵PID:288
-
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe113⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe114⤵PID:1980
-
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe115⤵
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe116⤵PID:552
-
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe117⤵PID:1080
-
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe118⤵PID:2224
-
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1460 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe120⤵PID:3024
-
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe121⤵PID:2668
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-