Analysis
-
max time kernel
142s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
30/06/2024, 23:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe
-
Size
64KB
-
MD5
61ccd9dd212c1a62be239aebc2cb3d50
-
SHA1
dcd06f5635c5918c834e32283cc9168b3bf64ea0
-
SHA256
22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7
-
SHA512
e9fcdaea49944273d09f020d68433a042ad5e03059b050646d3d0b4d58dd0f5ab8c89154c44da603fa8bb71afcc5a4144a31dd0a553b2c48425028aa87f0cb90
-
SSDEEP
1536:YkFQETSVdnNr1Zca0PkZFEGWOsT8l4110tXUwXfzwv:aVMLHn105Pzwv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iheddndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcmafj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgalqkbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfbccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnaocmmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbmmcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojahnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpngfgle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anafhopc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pciifc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mabgcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkppbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqhpdhcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbhela32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiomkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmjaic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imfqjbli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnajilng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmapm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baqbenep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeqdep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhgmpfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nefpnhlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pamiog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pigeqkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdgcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kohkfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpeofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biamilfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfoqmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekelld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpmipql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leajdfnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldidkbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjenhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmehnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkqbaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpncej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlcbenjb.exe -
Executes dropped EXE 64 IoCs
pid Process 2736 Nhnfkigh.exe 2644 Odegpj32.exe 2704 Oojknblb.exe 2756 Odgcfijj.exe 2596 Ogfpbeim.exe 2912 Onphoo32.exe 1736 Oiellh32.exe 2760 Onbddoog.exe 2936 Oqqapjnk.exe 1928 Ocomlemo.exe 1748 Ondajnme.exe 2616 Oqcnfjli.exe 1596 Ogmfbd32.exe 2260 Ongnonkb.exe 2844 Paejki32.exe 540 Pfbccp32.exe 1552 Pipopl32.exe 1448 Ppjglfon.exe 360 Pfdpip32.exe 412 Piblek32.exe 3032 Plahag32.exe 1456 Pbkpna32.exe 1648 Pfflopdh.exe 900 Piehkkcl.exe 2984 Ppoqge32.exe 1852 Pbmmcq32.exe 1500 Pigeqkai.exe 2556 Ppamme32.exe 2536 Penfelgm.exe 2824 Qlhnbf32.exe 2576 Qbbfopeg.exe 2488 Qeqbkkej.exe 2464 Qnigda32.exe 2668 Qagcpljo.exe 2776 Adeplhib.exe 768 Amndem32.exe 660 Aajpelhl.exe 2680 Affhncfc.exe 1504 Aiedjneg.exe 1440 Aalmklfi.exe 1836 Apomfh32.exe 2396 Abmibdlh.exe 792 Aigaon32.exe 2840 Apajlhka.exe 1124 Afkbib32.exe 452 Aiinen32.exe 1548 Aoffmd32.exe 1304 Aepojo32.exe 992 Ahokfj32.exe 1560 Boiccdnf.exe 2604 Bbdocc32.exe 3060 Bebkpn32.exe 2568 Bingpmnl.exe 3008 Blmdlhmp.exe 2796 Bbflib32.exe 2432 Bdhhqk32.exe 1936 Bhcdaibd.exe 2780 Bkaqmeah.exe 2800 Bnpmipql.exe 1912 Begeknan.exe 860 Bhfagipa.exe 1848 Bopicc32.exe 2252 Bnbjopoi.exe 1628 Bhhnli32.exe -
Loads dropped DLL 64 IoCs
pid Process 2964 22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe 2964 22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe 2736 Nhnfkigh.exe 2736 Nhnfkigh.exe 2644 Odegpj32.exe 2644 Odegpj32.exe 2704 Oojknblb.exe 2704 Oojknblb.exe 2756 Odgcfijj.exe 2756 Odgcfijj.exe 2596 Ogfpbeim.exe 2596 Ogfpbeim.exe 2912 Onphoo32.exe 2912 Onphoo32.exe 1736 Oiellh32.exe 1736 Oiellh32.exe 2760 Onbddoog.exe 2760 Onbddoog.exe 2936 Oqqapjnk.exe 2936 Oqqapjnk.exe 1928 Ocomlemo.exe 1928 Ocomlemo.exe 1748 Ondajnme.exe 1748 Ondajnme.exe 2616 Oqcnfjli.exe 2616 Oqcnfjli.exe 1596 Ogmfbd32.exe 1596 Ogmfbd32.exe 2260 Ongnonkb.exe 2260 Ongnonkb.exe 2844 Paejki32.exe 2844 Paejki32.exe 540 Pfbccp32.exe 540 Pfbccp32.exe 1552 Pipopl32.exe 1552 Pipopl32.exe 1448 Ppjglfon.exe 1448 Ppjglfon.exe 360 Pfdpip32.exe 360 Pfdpip32.exe 412 Piblek32.exe 412 Piblek32.exe 3032 Plahag32.exe 3032 Plahag32.exe 1456 Pbkpna32.exe 1456 Pbkpna32.exe 1648 Pfflopdh.exe 1648 Pfflopdh.exe 900 Piehkkcl.exe 900 Piehkkcl.exe 2984 Ppoqge32.exe 2984 Ppoqge32.exe 1852 Pbmmcq32.exe 1852 Pbmmcq32.exe 1500 Pigeqkai.exe 1500 Pigeqkai.exe 2556 Ppamme32.exe 2556 Ppamme32.exe 2536 Penfelgm.exe 2536 Penfelgm.exe 2824 Qlhnbf32.exe 2824 Qlhnbf32.exe 2576 Qbbfopeg.exe 2576 Qbbfopeg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iemkjqde.dll Lijjoe32.exe File created C:\Windows\SysWOW64\Pimkpfeh.exe Pdaoog32.exe File opened for modification C:\Windows\SysWOW64\Kmgbdo32.exe Kilfcpqm.exe File opened for modification C:\Windows\SysWOW64\Obcccl32.exe Onhgbmfb.exe File created C:\Windows\SysWOW64\Ppbfpd32.exe Pnajilng.exe File created C:\Windows\SysWOW64\Diceon32.dll Ndemjoae.exe File created C:\Windows\SysWOW64\Cgqjffca.dll Eflgccbp.exe File created C:\Windows\SysWOW64\Hpkjko32.exe Hiqbndpb.exe File created C:\Windows\SysWOW64\Jonplmcb.exe Jmocpado.exe File opened for modification C:\Windows\SysWOW64\Mhloponc.exe Mdacop32.exe File created C:\Windows\SysWOW64\Pdmaibnf.dll Chcqpmep.exe File created C:\Windows\SysWOW64\Lfmffhde.exe Lgjfkk32.exe File opened for modification C:\Windows\SysWOW64\Nhkbkc32.exe Nnennj32.exe File created C:\Windows\SysWOW64\Mjapln32.dll Hdlhjl32.exe File created C:\Windows\SysWOW64\Pdlbongd.dll Mabgcd32.exe File opened for modification C:\Windows\SysWOW64\Ecpgmhai.exe Ekholjqg.exe File created C:\Windows\SysWOW64\Kdanej32.dll Fhhcgj32.exe File created C:\Windows\SysWOW64\Hgdbhi32.exe Hcifgjgc.exe File opened for modification C:\Windows\SysWOW64\Lbeknj32.exe Llkbap32.exe File created C:\Windows\SysWOW64\Hpjbaocl.dll Mcegmm32.exe File created C:\Windows\SysWOW64\Copfbfjj.exe Ckdjbh32.exe File created C:\Windows\SysWOW64\Hmhfjo32.dll Glaoalkh.exe File created C:\Windows\SysWOW64\Fqiaclmk.dll Pdaoog32.exe File opened for modification C:\Windows\SysWOW64\Pefijfii.exe Pbhmnkjf.exe File created C:\Windows\SysWOW64\Fmcoja32.exe Fjdbnf32.exe File created C:\Windows\SysWOW64\Hojopmqk.dll Hellne32.exe File opened for modification C:\Windows\SysWOW64\Pggbla32.exe Pamiog32.exe File opened for modification C:\Windows\SysWOW64\Dhdcji32.exe Dfffnn32.exe File created C:\Windows\SysWOW64\Hakphqja.exe Homclekn.exe File opened for modification C:\Windows\SysWOW64\Cgbdhd32.exe Coklgg32.exe File opened for modification C:\Windows\SysWOW64\Fejgko32.exe Fmcoja32.exe File opened for modification C:\Windows\SysWOW64\Hicodd32.exe Hgdbhi32.exe File created C:\Windows\SysWOW64\Aghcamqb.dll Fljafg32.exe File opened for modification C:\Windows\SysWOW64\Abjebn32.exe Ahdaee32.exe File opened for modification C:\Windows\SysWOW64\Mbmjah32.exe Mponel32.exe File opened for modification C:\Windows\SysWOW64\Nplmop32.exe Naimccpo.exe File created C:\Windows\SysWOW64\Gfjhgdck.exe Gdllkhdg.exe File opened for modification C:\Windows\SysWOW64\Bcaomf32.exe Bdooajdc.exe File created C:\Windows\SysWOW64\Jqfffqpm.exe Jiondcpk.exe File created C:\Windows\SysWOW64\Jbkpmm32.dll Mhbped32.exe File created C:\Windows\SysWOW64\Clialdph.dll Dookgcij.exe File created C:\Windows\SysWOW64\Ddbkoipg.dll Ogmfbd32.exe File created C:\Windows\SysWOW64\Efjcibje.dll Epieghdk.exe File opened for modification C:\Windows\SysWOW64\Kcdnao32.exe Kmjfdejp.exe File created C:\Windows\SysWOW64\Eqmbdn32.dll Lihmjejl.exe File created C:\Windows\SysWOW64\Kohkfj32.exe Kmjojo32.exe File created C:\Windows\SysWOW64\Maedhd32.exe Mmihhelk.exe File opened for modification C:\Windows\SysWOW64\Ahlgfdeq.exe Aemkjiem.exe File opened for modification C:\Windows\SysWOW64\Hpgfki32.exe Hlljjjnm.exe File opened for modification C:\Windows\SysWOW64\Heglio32.exe Hakphqja.exe File created C:\Windows\SysWOW64\Pfdpip32.exe Ppjglfon.exe File created C:\Windows\SysWOW64\Blmdlhmp.exe Bingpmnl.exe File opened for modification C:\Windows\SysWOW64\Ealnephf.exe Ebinic32.exe File opened for modification C:\Windows\SysWOW64\Kjqccigf.exe Knjbnh32.exe File opened for modification C:\Windows\SysWOW64\Mppepcfg.exe Monhhk32.exe File created C:\Windows\SysWOW64\Lhpbmi32.dll Hkhnle32.exe File created C:\Windows\SysWOW64\Eeejnlhc.dll Ngfflj32.exe File created C:\Windows\SysWOW64\Hkhnle32.exe Hhjapjmi.exe File created C:\Windows\SysWOW64\Gnhqpo32.dll Ijdqna32.exe File created C:\Windows\SysWOW64\Dflkdp32.exe Cobbhfhg.exe File created C:\Windows\SysWOW64\Mcaiqm32.dll Oikojfgk.exe File opened for modification C:\Windows\SysWOW64\Fjongcbl.exe Fcefji32.exe File opened for modification C:\Windows\SysWOW64\Hedocp32.exe Hbfbgd32.exe File created C:\Windows\SysWOW64\Hgeadcbc.dll Amndem32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6884 6528 WerFault.exe 656 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inlepd32.dll" Oqkqkdne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgimglf.dll" Iefhhbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll" Nmpnhdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgnnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhckpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jchhkjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnpcnhmk.dll" Gikaio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Figlolbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecejkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knjbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keednado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhnmij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjljhjkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obafnlpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfdpip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcjfoqkg.dll" Ahdaee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Echfaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbaileio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nibebfpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moljch32.dll" Qbelgood.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkaiqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpmbcmh.dll" Lfbpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effqclic.dll" Mlcbenjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogfpbeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giegfm32.dll" Kbbngf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kofopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nckjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leajdfnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjapnke.dll" Dkhcmgnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlcgibn.dll" Iblpjdpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lajhofao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkommo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mabgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll" Ngibaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfqpfb32.dll" Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmpfojmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqkqkdne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchkpi32.dll" Ekhhadmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Heglio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnppf32.dll" Nkbalifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okgnab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bblogakg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiihdlpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll" Mlfojn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckdjbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flehkhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lndohedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfppiho.dll" Mponel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fagjnn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2964 wrote to memory of 2736 2964 22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe 28 PID 2964 wrote to memory of 2736 2964 22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe 28 PID 2964 wrote to memory of 2736 2964 22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe 28 PID 2964 wrote to memory of 2736 2964 22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe 28 PID 2736 wrote to memory of 2644 2736 Nhnfkigh.exe 29 PID 2736 wrote to memory of 2644 2736 Nhnfkigh.exe 29 PID 2736 wrote to memory of 2644 2736 Nhnfkigh.exe 29 PID 2736 wrote to memory of 2644 2736 Nhnfkigh.exe 29 PID 2644 wrote to memory of 2704 2644 Odegpj32.exe 30 PID 2644 wrote to memory of 2704 2644 Odegpj32.exe 30 PID 2644 wrote to memory of 2704 2644 Odegpj32.exe 30 PID 2644 wrote to memory of 2704 2644 Odegpj32.exe 30 PID 2704 wrote to memory of 2756 2704 Oojknblb.exe 31 PID 2704 wrote to memory of 2756 2704 Oojknblb.exe 31 PID 2704 wrote to memory of 2756 2704 Oojknblb.exe 31 PID 2704 wrote to memory of 2756 2704 Oojknblb.exe 31 PID 2756 wrote to memory of 2596 2756 Odgcfijj.exe 32 PID 2756 wrote to memory of 2596 2756 Odgcfijj.exe 32 PID 2756 wrote to memory of 2596 2756 Odgcfijj.exe 32 PID 2756 wrote to memory of 2596 2756 Odgcfijj.exe 32 PID 2596 wrote to memory of 2912 2596 Ogfpbeim.exe 33 PID 2596 wrote to memory of 2912 2596 Ogfpbeim.exe 33 PID 2596 wrote to memory of 2912 2596 Ogfpbeim.exe 33 PID 2596 wrote to memory of 2912 2596 Ogfpbeim.exe 33 PID 2912 wrote to memory of 1736 2912 Onphoo32.exe 34 PID 2912 wrote to memory of 1736 2912 Onphoo32.exe 34 PID 2912 wrote to memory of 1736 2912 Onphoo32.exe 34 PID 2912 wrote to memory of 1736 2912 Onphoo32.exe 34 PID 1736 wrote to memory of 2760 1736 Oiellh32.exe 35 PID 1736 wrote to memory of 2760 1736 Oiellh32.exe 35 PID 1736 wrote to memory of 2760 1736 Oiellh32.exe 35 PID 1736 wrote to memory of 2760 1736 Oiellh32.exe 35 PID 2760 wrote to memory of 2936 2760 Onbddoog.exe 36 PID 2760 wrote to memory of 2936 2760 Onbddoog.exe 36 PID 2760 wrote to memory of 2936 2760 Onbddoog.exe 36 PID 2760 wrote to memory of 2936 2760 Onbddoog.exe 36 PID 2936 wrote to memory of 1928 2936 Oqqapjnk.exe 37 PID 2936 wrote to memory of 1928 2936 Oqqapjnk.exe 37 PID 2936 wrote to memory of 1928 2936 Oqqapjnk.exe 37 PID 2936 wrote to memory of 1928 2936 Oqqapjnk.exe 37 PID 1928 wrote to memory of 1748 1928 Ocomlemo.exe 38 PID 1928 wrote to memory of 1748 1928 Ocomlemo.exe 38 PID 1928 wrote to memory of 1748 1928 Ocomlemo.exe 38 PID 1928 wrote to memory of 1748 1928 Ocomlemo.exe 38 PID 1748 wrote to memory of 2616 1748 Ondajnme.exe 39 PID 1748 wrote to memory of 2616 1748 Ondajnme.exe 39 PID 1748 wrote to memory of 2616 1748 Ondajnme.exe 39 PID 1748 wrote to memory of 2616 1748 Ondajnme.exe 39 PID 2616 wrote to memory of 1596 2616 Oqcnfjli.exe 40 PID 2616 wrote to memory of 1596 2616 Oqcnfjli.exe 40 PID 2616 wrote to memory of 1596 2616 Oqcnfjli.exe 40 PID 2616 wrote to memory of 1596 2616 Oqcnfjli.exe 40 PID 1596 wrote to memory of 2260 1596 Ogmfbd32.exe 41 PID 1596 wrote to memory of 2260 1596 Ogmfbd32.exe 41 PID 1596 wrote to memory of 2260 1596 Ogmfbd32.exe 41 PID 1596 wrote to memory of 2260 1596 Ogmfbd32.exe 41 PID 2260 wrote to memory of 2844 2260 Ongnonkb.exe 42 PID 2260 wrote to memory of 2844 2260 Ongnonkb.exe 42 PID 2260 wrote to memory of 2844 2260 Ongnonkb.exe 42 PID 2260 wrote to memory of 2844 2260 Ongnonkb.exe 42 PID 2844 wrote to memory of 540 2844 Paejki32.exe 43 PID 2844 wrote to memory of 540 2844 Paejki32.exe 43 PID 2844 wrote to memory of 540 2844 Paejki32.exe 43 PID 2844 wrote to memory of 540 2844 Paejki32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:540 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1448 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:360 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:412 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1456 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1852 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe33⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe34⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe35⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe36⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe38⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe40⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe41⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe42⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe43⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe44⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe45⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe46⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe47⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe48⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe49⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe50⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe51⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe52⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe53⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe55⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe57⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe58⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe59⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe61⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe62⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe63⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe64⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe65⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe66⤵PID:988
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe67⤵PID:1780
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1268 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe69⤵
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe70⤵PID:1460
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe71⤵PID:1568
-
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe72⤵PID:2068
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe74⤵PID:2516
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe75⤵PID:2580
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe76⤵PID:1184
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe77⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe78⤵PID:1860
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe79⤵
- Drops file in System32 directory
PID:344 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1544 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe81⤵PID:1984
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe82⤵PID:996
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe83⤵PID:2380
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe85⤵PID:1220
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe86⤵PID:1572
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe87⤵PID:2136
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe88⤵PID:2628
-
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe89⤵
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2408 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe91⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe92⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe93⤵PID:2808
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe94⤵PID:1880
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe95⤵PID:1336
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe96⤵PID:1616
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe97⤵PID:2012
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe98⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe99⤵PID:2032
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe100⤵PID:1788
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe101⤵PID:1212
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe102⤵PID:2504
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe103⤵PID:2052
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1280 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe105⤵PID:2524
-
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe106⤵PID:2692
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe107⤵PID:2884
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe108⤵PID:1940
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe109⤵PID:1600
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe110⤵PID:2268
-
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe111⤵PID:2236
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe112⤵PID:688
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe113⤵PID:2156
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe114⤵
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe115⤵PID:684
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe116⤵PID:2016
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe118⤵PID:2608
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:108 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2292 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe121⤵PID:324
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-