Analysis
-
max time kernel
147s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
14-05-2024 16:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe
-
Size
56KB
-
MD5
ce6566c61fbba4236203f203444e7890
-
SHA1
90cb186899992a81b49363a52e8a2976ede62747
-
SHA256
0e1d54945b8026596322c4b5562c8d13d5e230b63ddbdcade46b049778ceb651
-
SHA512
d8af1f2c54700458942ca216dd05dcde118cd0d619de8ac2fbbbd015df22c669f26cb81078325463bf45b0c3d58519129af8adbb9dd7d58a65a71d14b9cc4277
-
SSDEEP
1536:J0T7QBByI5lvCbo/oTogVo2oyRJoKoa4fKXQKprfGEIaDlfzd6sS9RCsK:J47QNrgML7PnbSXHprplDlf4esK
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhqbkhch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfmfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjnfniii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghelfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gohjaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gphmeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikkjbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apimacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljmlbfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhmcfkme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enihne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgeefbhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlkdkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbhgojk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimjmbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cadhnmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkklljmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hodpgjha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqmcpahh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncahjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlcnda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpleef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdjhndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdbkjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljmlbfhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpcqaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iheddndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpbaebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndbcpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onhgbmfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fepiimfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbfhbeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbfdaigg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nehmdhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oopnlacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egdilkbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndbcpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamfnkai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbfbgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbfhbeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mieeibkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbmjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqmcpahh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icmegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egamfkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncgdbmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnomcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mooaljkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgidao32.exe -
Executes dropped EXE 64 IoCs
pid Process 3036 Dflkdp32.exe 2128 Dngoibmo.exe 2800 Dhmcfkme.exe 2744 Djnpnc32.exe 2164 Dqhhknjp.exe 2540 Dkmmhf32.exe 2404 Dnlidb32.exe 2584 Ddeaalpg.exe 3032 Djbiicon.exe 2432 Dmafennb.exe 1636 Dcknbh32.exe 308 Djefobmk.exe 1524 Eqonkmdh.exe 1760 Eflgccbp.exe 2072 Emeopn32.exe 2884 Epdkli32.exe 540 Eeqdep32.exe 1388 Ekklaj32.exe 1516 Enihne32.exe 1360 Egamfkdh.exe 2232 Enkece32.exe 568 Eajaoq32.exe 2304 Egdilkbf.exe 2088 Ejbfhfaj.exe 900 Ebinic32.exe 1676 Flabbihl.exe 2176 Fmcoja32.exe 2356 Fejgko32.exe 2736 Fjgoce32.exe 2532 Fmekoalh.exe 2808 Fhkpmjln.exe 2632 Fjilieka.exe 2932 Fpfdalii.exe 1296 Fjlhneio.exe 2768 Fddmgjpo.exe 1624 Feeiob32.exe 2012 Gonnhhln.exe 2160 Gicbeald.exe 1500 Glaoalkh.exe 848 Gangic32.exe 2092 Gieojq32.exe 2700 Gobgcg32.exe 2508 Gbnccfpb.exe 996 Ghkllmoi.exe 2872 Gkihhhnm.exe 1592 Gacpdbej.exe 908 Gdamqndn.exe 2044 Ggpimica.exe 992 Gogangdc.exe 860 Gaemjbcg.exe 3020 Gphmeo32.exe 2060 Hgbebiao.exe 2720 Hknach32.exe 2860 Hmlnoc32.exe 2776 Hahjpbad.exe 2588 Hdfflm32.exe 2952 Hgdbhi32.exe 2780 Hnojdcfi.exe 2336 Hpmgqnfl.exe 348 Hdhbam32.exe 2440 Hggomh32.exe 2424 Hnagjbdf.exe 2248 Hobcak32.exe 2620 Hgilchkf.exe -
Loads dropped DLL 64 IoCs
pid Process 3008 ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe 3008 ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe 3036 Dflkdp32.exe 3036 Dflkdp32.exe 2128 Dngoibmo.exe 2128 Dngoibmo.exe 2800 Dhmcfkme.exe 2800 Dhmcfkme.exe 2744 Djnpnc32.exe 2744 Djnpnc32.exe 2164 Dqhhknjp.exe 2164 Dqhhknjp.exe 2540 Dkmmhf32.exe 2540 Dkmmhf32.exe 2404 Dnlidb32.exe 2404 Dnlidb32.exe 2584 Ddeaalpg.exe 2584 Ddeaalpg.exe 3032 Djbiicon.exe 3032 Djbiicon.exe 2432 Dmafennb.exe 2432 Dmafennb.exe 1636 Dcknbh32.exe 1636 Dcknbh32.exe 308 Djefobmk.exe 308 Djefobmk.exe 1524 Eqonkmdh.exe 1524 Eqonkmdh.exe 1760 Eflgccbp.exe 1760 Eflgccbp.exe 2072 Emeopn32.exe 2072 Emeopn32.exe 2884 Epdkli32.exe 2884 Epdkli32.exe 540 Eeqdep32.exe 540 Eeqdep32.exe 1388 Ekklaj32.exe 1388 Ekklaj32.exe 1516 Enihne32.exe 1516 Enihne32.exe 1360 Egamfkdh.exe 1360 Egamfkdh.exe 2232 Enkece32.exe 2232 Enkece32.exe 568 Eajaoq32.exe 568 Eajaoq32.exe 2304 Egdilkbf.exe 2304 Egdilkbf.exe 2088 Ejbfhfaj.exe 2088 Ejbfhfaj.exe 900 Ebinic32.exe 900 Ebinic32.exe 1676 Flabbihl.exe 1676 Flabbihl.exe 2176 Fmcoja32.exe 2176 Fmcoja32.exe 2356 Fejgko32.exe 2356 Fejgko32.exe 2736 Fjgoce32.exe 2736 Fjgoce32.exe 2532 Fmekoalh.exe 2532 Fmekoalh.exe 2808 Fhkpmjln.exe 2808 Fhkpmjln.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nkeghkck.dll Mkklljmg.exe File opened for modification C:\Windows\SysWOW64\Ebinic32.exe Ejbfhfaj.exe File created C:\Windows\SysWOW64\Ijgdngmf.exe Ikddbj32.exe File created C:\Windows\SysWOW64\Nclpan32.dll Jnclnihj.exe File created C:\Windows\SysWOW64\Pnomcl32.exe Pjcabmga.exe File created C:\Windows\SysWOW64\Bpooed32.dll Biicik32.exe File created C:\Windows\SysWOW64\Olliabba.dll Lmlhnagm.exe File opened for modification C:\Windows\SysWOW64\Mgljbm32.exe Mpbaebdd.exe File created C:\Windows\SysWOW64\Pgioaa32.exe Pcnbablo.exe File created C:\Windows\SysWOW64\Enlejpga.dll Jghmfhmb.exe File created C:\Windows\SysWOW64\Ljibgg32.exe Lcojjmea.exe File created C:\Windows\SysWOW64\Mpjqiq32.exe Moidahcn.exe File created C:\Windows\SysWOW64\Nelkpj32.dll Jdehon32.exe File created C:\Windows\SysWOW64\Jcmafj32.exe Jmbiipml.exe File created C:\Windows\SysWOW64\Ekklaj32.exe Eeqdep32.exe File created C:\Windows\SysWOW64\Iajcde32.exe Iokfhi32.exe File created C:\Windows\SysWOW64\Bleago32.dll Ikbgmj32.exe File opened for modification C:\Windows\SysWOW64\Jicgpb32.exe Jehkodcm.exe File created C:\Windows\SysWOW64\Kaceodek.exe Kneicieh.exe File created C:\Windows\SysWOW64\Fpngfgle.exe Fmpkjkma.exe File opened for modification C:\Windows\SysWOW64\Kbbngf32.exe Kocbkk32.exe File opened for modification C:\Windows\SysWOW64\Dogefd32.exe Dliijipn.exe File opened for modification C:\Windows\SysWOW64\Efcfga32.exe Ecejkf32.exe File created C:\Windows\SysWOW64\Pinfim32.dll Ejbfhfaj.exe File opened for modification C:\Windows\SysWOW64\Jkpgfn32.exe Jiakjb32.exe File opened for modification C:\Windows\SysWOW64\Kmopod32.exe Kgbggnhc.exe File created C:\Windows\SysWOW64\Bnilfo32.dll Papfegmk.exe File created C:\Windows\SysWOW64\Ajhgmpfg.exe Alegac32.exe File created C:\Windows\SysWOW64\Keefji32.dll Bmpfojmp.exe File created C:\Windows\SysWOW64\Hlqdei32.exe Hdildlie.exe File created C:\Windows\SysWOW64\Mieeibkn.exe Meijhc32.exe File opened for modification C:\Windows\SysWOW64\Nlhgoqhh.exe Niikceid.exe File created C:\Windows\SysWOW64\Dkmmhf32.exe Dqhhknjp.exe File opened for modification C:\Windows\SysWOW64\Jgnamk32.exe Jofiln32.exe File created C:\Windows\SysWOW64\Qcbllb32.exe Qlkdkd32.exe File opened for modification C:\Windows\SysWOW64\Qedhdjnh.exe Qfahhm32.exe File opened for modification C:\Windows\SysWOW64\Bpnbkeld.exe Bmpfojmp.exe File created C:\Windows\SysWOW64\Mhloponc.exe Mdacop32.exe File opened for modification C:\Windows\SysWOW64\Mpfkqb32.exe Mlkopcge.exe File created C:\Windows\SysWOW64\Mooaljkh.exe Mpmapm32.exe File created C:\Windows\SysWOW64\Haloha32.dll Bekkcljk.exe File opened for modification C:\Windows\SysWOW64\Cklmgb32.exe Chnqkg32.exe File created C:\Windows\SysWOW64\Gobgcg32.exe Gieojq32.exe File created C:\Windows\SysWOW64\Pdklej32.dll Lemaif32.exe File opened for modification C:\Windows\SysWOW64\Limfed32.exe Lijjoe32.exe File created C:\Windows\SysWOW64\Nefpnhlc.exe Ncgdbmmp.exe File created C:\Windows\SysWOW64\Egahmk32.dll Okikfagn.exe File created C:\Windows\SysWOW64\Pfoocjfd.exe Onhgbmfb.exe File created C:\Windows\SysWOW64\Hhijaf32.dll Enakbp32.exe File created C:\Windows\SysWOW64\Effcma32.exe Ebjglbml.exe File created C:\Windows\SysWOW64\Njmekj32.dll Hmlnoc32.exe File opened for modification C:\Windows\SysWOW64\Jbjochdi.exe Jcgogk32.exe File created C:\Windows\SysWOW64\Mppepcfg.exe Mmahdggc.exe File created C:\Windows\SysWOW64\Piphee32.exe Pqhpdhcc.exe File created C:\Windows\SysWOW64\Ajdplfmo.dll Alegac32.exe File opened for modification C:\Windows\SysWOW64\Bmpfojmp.exe Behnnm32.exe File created C:\Windows\SysWOW64\Jnfqpega.dll Jgcdki32.exe File created C:\Windows\SysWOW64\Nffjeaid.dll Leljop32.exe File created C:\Windows\SysWOW64\Hnojdcfi.exe Hgdbhi32.exe File created C:\Windows\SysWOW64\Hpmgqnfl.exe Hnojdcfi.exe File created C:\Windows\SysWOW64\Jkbcln32.exe Jicgpb32.exe File created C:\Windows\SysWOW64\Kjjndgdk.dll Kemejc32.exe File created C:\Windows\SysWOW64\Lijjoe32.exe Lflmci32.exe File created C:\Windows\SysWOW64\Moljch32.dll Qedhdjnh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5620 5532 WerFault.exe 524 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbfbgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpjhkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laegiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkbcln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nclpan32.dll" Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdnjb32.dll" Gifhnpea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jejinjob.dll" Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll" Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fepiimfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljffag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkjlm32.dll" Nkbhgojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amkoie32.dll" Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apbfblll.dll" Lcojjmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copeil32.dll" Jkbcln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfffnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjongcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alpmfdcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihgainbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpjhkjde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chgdod32.dll" Jkpgfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaceodek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idcokkak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieidmbcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lphhenhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll" Gangic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmicaonb.dll" Pfjbgnme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kngfih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbfbgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikkjbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfqpega.dll" Jgcdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcefke32.dll" Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhghcb32.dll" Fagjnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll" Fddmgjpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nelkpj32.dll" Jdehon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikhjki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nncahjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fagjnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmcnehn.dll" Iqalka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjongcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegbkc32.dll" Hkhnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaqkcf32.dll" Mgalqkbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncjqhmkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdplfmo.dll" Alegac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmamaoln.dll" Hojgfemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbgkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijeghgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjjndgdk.dll" Kemejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kifpdelo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmlhnagm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkmhaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moidahcn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3008 wrote to memory of 3036 3008 ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe 28 PID 3008 wrote to memory of 3036 3008 ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe 28 PID 3008 wrote to memory of 3036 3008 ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe 28 PID 3008 wrote to memory of 3036 3008 ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe 28 PID 3036 wrote to memory of 2128 3036 Dflkdp32.exe 29 PID 3036 wrote to memory of 2128 3036 Dflkdp32.exe 29 PID 3036 wrote to memory of 2128 3036 Dflkdp32.exe 29 PID 3036 wrote to memory of 2128 3036 Dflkdp32.exe 29 PID 2128 wrote to memory of 2800 2128 Dngoibmo.exe 30 PID 2128 wrote to memory of 2800 2128 Dngoibmo.exe 30 PID 2128 wrote to memory of 2800 2128 Dngoibmo.exe 30 PID 2128 wrote to memory of 2800 2128 Dngoibmo.exe 30 PID 2800 wrote to memory of 2744 2800 Dhmcfkme.exe 31 PID 2800 wrote to memory of 2744 2800 Dhmcfkme.exe 31 PID 2800 wrote to memory of 2744 2800 Dhmcfkme.exe 31 PID 2800 wrote to memory of 2744 2800 Dhmcfkme.exe 31 PID 2744 wrote to memory of 2164 2744 Djnpnc32.exe 32 PID 2744 wrote to memory of 2164 2744 Djnpnc32.exe 32 PID 2744 wrote to memory of 2164 2744 Djnpnc32.exe 32 PID 2744 wrote to memory of 2164 2744 Djnpnc32.exe 32 PID 2164 wrote to memory of 2540 2164 Dqhhknjp.exe 33 PID 2164 wrote to memory of 2540 2164 Dqhhknjp.exe 33 PID 2164 wrote to memory of 2540 2164 Dqhhknjp.exe 33 PID 2164 wrote to memory of 2540 2164 Dqhhknjp.exe 33 PID 2540 wrote to memory of 2404 2540 Dkmmhf32.exe 34 PID 2540 wrote to memory of 2404 2540 Dkmmhf32.exe 34 PID 2540 wrote to memory of 2404 2540 Dkmmhf32.exe 34 PID 2540 wrote to memory of 2404 2540 Dkmmhf32.exe 34 PID 2404 wrote to memory of 2584 2404 Dnlidb32.exe 35 PID 2404 wrote to memory of 2584 2404 Dnlidb32.exe 35 PID 2404 wrote to memory of 2584 2404 Dnlidb32.exe 35 PID 2404 wrote to memory of 2584 2404 Dnlidb32.exe 35 PID 2584 wrote to memory of 3032 2584 Ddeaalpg.exe 36 PID 2584 wrote to memory of 3032 2584 Ddeaalpg.exe 36 PID 2584 wrote to memory of 3032 2584 Ddeaalpg.exe 36 PID 2584 wrote to memory of 3032 2584 Ddeaalpg.exe 36 PID 3032 wrote to memory of 2432 3032 Djbiicon.exe 37 PID 3032 wrote to memory of 2432 3032 Djbiicon.exe 37 PID 3032 wrote to memory of 2432 3032 Djbiicon.exe 37 PID 3032 wrote to memory of 2432 3032 Djbiicon.exe 37 PID 2432 wrote to memory of 1636 2432 Dmafennb.exe 38 PID 2432 wrote to memory of 1636 2432 Dmafennb.exe 38 PID 2432 wrote to memory of 1636 2432 Dmafennb.exe 38 PID 2432 wrote to memory of 1636 2432 Dmafennb.exe 38 PID 1636 wrote to memory of 308 1636 Dcknbh32.exe 39 PID 1636 wrote to memory of 308 1636 Dcknbh32.exe 39 PID 1636 wrote to memory of 308 1636 Dcknbh32.exe 39 PID 1636 wrote to memory of 308 1636 Dcknbh32.exe 39 PID 308 wrote to memory of 1524 308 Djefobmk.exe 40 PID 308 wrote to memory of 1524 308 Djefobmk.exe 40 PID 308 wrote to memory of 1524 308 Djefobmk.exe 40 PID 308 wrote to memory of 1524 308 Djefobmk.exe 40 PID 1524 wrote to memory of 1760 1524 Eqonkmdh.exe 41 PID 1524 wrote to memory of 1760 1524 Eqonkmdh.exe 41 PID 1524 wrote to memory of 1760 1524 Eqonkmdh.exe 41 PID 1524 wrote to memory of 1760 1524 Eqonkmdh.exe 41 PID 1760 wrote to memory of 2072 1760 Eflgccbp.exe 42 PID 1760 wrote to memory of 2072 1760 Eflgccbp.exe 42 PID 1760 wrote to memory of 2072 1760 Eflgccbp.exe 42 PID 1760 wrote to memory of 2072 1760 Eflgccbp.exe 42 PID 2072 wrote to memory of 2884 2072 Emeopn32.exe 43 PID 2072 wrote to memory of 2884 2072 Emeopn32.exe 43 PID 2072 wrote to memory of 2884 2072 Emeopn32.exe 43 PID 2072 wrote to memory of 2884 2072 Emeopn32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:540 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1388 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1360 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe33⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe34⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe35⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe37⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe38⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe39⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe40⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:848 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe43⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe44⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe45⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe46⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe47⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe48⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe49⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe50⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe51⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe53⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe54⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe56⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe57⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe61⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe62⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe63⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe64⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe65⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe66⤵PID:2240
-
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2076 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe68⤵PID:1520
-
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:952 -
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe70⤵PID:692
-
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe71⤵PID:1060
-
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe72⤵PID:1660
-
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe73⤵PID:1572
-
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe74⤵PID:2664
-
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe75⤵PID:2724
-
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe76⤵PID:2688
-
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe77⤵PID:2760
-
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe78⤵
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe79⤵PID:1292
-
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe81⤵PID:1352
-
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe82⤵
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe83⤵
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe84⤵PID:768
-
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe85⤵
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe86⤵PID:1036
-
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe87⤵
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe88⤵PID:1940
-
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe89⤵PID:2548
-
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe90⤵PID:2200
-
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe91⤵
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe92⤵PID:1812
-
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe93⤵PID:1244
-
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe94⤵PID:1152
-
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe95⤵PID:320
-
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe96⤵PID:1928
-
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe97⤵
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe98⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe99⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe100⤵PID:2136
-
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe101⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe102⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe103⤵
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2500 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe105⤵PID:2328
-
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe106⤵PID:1280
-
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe107⤵PID:1256
-
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2256 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe111⤵PID:2212
-
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe112⤵
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe113⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe114⤵PID:1056
-
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe115⤵PID:2536
-
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe116⤵
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe117⤵PID:2488
-
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2772 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe119⤵PID:1936
-
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe120⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe121⤵PID:560
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-