Analysis
-
max time kernel
139s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
16/05/2024, 11:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dc3f7feebf307013747f905da18e7ff0_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
dc3f7feebf307013747f905da18e7ff0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
dc3f7feebf307013747f905da18e7ff0_NeikiAnalytics.exe
-
Size
576KB
-
MD5
dc3f7feebf307013747f905da18e7ff0
-
SHA1
762c28818cbad5afd0d9c081f5d1b96e83c25922
-
SHA256
86256f6e4b46e3c56727799e61fec850548d04561ddb41be4f08c9cc8d422f1e
-
SHA512
ab8f7e6681d86b0a3195e10746feaed182e12710f0fa9c2f435568d526f97447839a482767caecd1a1e34fbd9fb7196587941d108dec871bc137130e67637e7d
-
SSDEEP
12288:M2hFGyXu1jGG1ws5iETdqvZNemWrsiLk6mqgSgRDO:M2zGyXsGG1ws5ipX6
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmjejphb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kegnkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mepnpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njbcim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjglfon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqhhknjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjjddchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijcpoac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gieojq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlgigdoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njgldmdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjbmjplb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doobajme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oicpfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Begeknan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmoipopd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnigda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmlgonbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gopkmhjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghknp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kljqgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgfgdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onbddoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbmmcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Comimg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epaogi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eflgccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mofecpnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofpfnqjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnfjna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afmonbqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pccfge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfgmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmcoja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdqmghm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dngoibmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpcpbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kanopipl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfpjomgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckffgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecpgmhai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kanopipl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nocemcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppoqge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpfcgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdqafgnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkjica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mofecpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgmglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnccfpb.exe -
Executes dropped EXE 64 IoCs
pid Process 1932 Jghknp32.exe 2716 Kpcpbb32.exe 2640 Kljqgc32.exe 2812 Kcahhq32.exe 2476 Kphimanc.exe 2496 Kakbjibo.exe 2492 Kegnkh32.exe 2416 Kanopipl.exe 2784 Kdlkld32.exe 312 Lfmdnp32.exe 1724 Lgoacojo.exe 2164 Lpgele32.exe 1528 Lipjejgp.exe 1784 Ldenbcge.exe 2124 Mgfgdn32.exe 2276 Mlcple32.exe 1484 Mdqafgnf.exe 632 Mlgigdoh.exe 1860 Mkjica32.exe 1208 Mofecpnl.exe 3060 Mepnpj32.exe 2032 Mhnjle32.exe 2244 Magnek32.exe 2524 Mhqfbebj.exe 1692 Mgcgmb32.exe 2712 Njbcim32.exe 1804 Nplkfgoe.exe 2148 Ncjgbcoi.exe 2600 Ndjdlffl.exe 2292 Njgldmdc.exe 2456 Nleiqhcg.exe 2288 Nocemcbj.exe 2512 Nlgefh32.exe 2780 Nqcagfim.exe 812 Ncancbha.exe 2748 Nfpjomgd.exe 764 Nccjhafn.exe 1636 Ofbfdmeb.exe 1872 Oojknblb.exe 2828 Oicpfh32.exe 2104 Onphoo32.exe 1156 Oqndkj32.exe 2136 Okchhc32.exe 2864 Onbddoog.exe 3052 Oelmai32.exe 2856 Okfencna.exe 2304 Omgaek32.exe 1188 Ocajbekl.exe 2064 Ogmfbd32.exe 3028 Ofpfnqjp.exe 1708 Pminkk32.exe 1748 Paejki32.exe 2360 Pccfge32.exe 2900 Pjmodopf.exe 2604 Pipopl32.exe 1700 Paggai32.exe 1788 Ppjglfon.exe 1848 Pfdpip32.exe 2336 Piblek32.exe 1428 Plahag32.exe 2388 Pfflopdh.exe 2100 Piehkkcl.exe 2096 Ppoqge32.exe 988 Pbmmcq32.exe -
Loads dropped DLL 64 IoCs
pid Process 2312 dc3f7feebf307013747f905da18e7ff0_NeikiAnalytics.exe 2312 dc3f7feebf307013747f905da18e7ff0_NeikiAnalytics.exe 1932 Jghknp32.exe 1932 Jghknp32.exe 2716 Kpcpbb32.exe 2716 Kpcpbb32.exe 2640 Kljqgc32.exe 2640 Kljqgc32.exe 2812 Kcahhq32.exe 2812 Kcahhq32.exe 2476 Kphimanc.exe 2476 Kphimanc.exe 2496 Kakbjibo.exe 2496 Kakbjibo.exe 2492 Kegnkh32.exe 2492 Kegnkh32.exe 2416 Kanopipl.exe 2416 Kanopipl.exe 2784 Kdlkld32.exe 2784 Kdlkld32.exe 312 Lfmdnp32.exe 312 Lfmdnp32.exe 1724 Lgoacojo.exe 1724 Lgoacojo.exe 2164 Lpgele32.exe 2164 Lpgele32.exe 1528 Lipjejgp.exe 1528 Lipjejgp.exe 1784 Ldenbcge.exe 1784 Ldenbcge.exe 2124 Mgfgdn32.exe 2124 Mgfgdn32.exe 2276 Mlcple32.exe 2276 Mlcple32.exe 1484 Mdqafgnf.exe 1484 Mdqafgnf.exe 632 Mlgigdoh.exe 632 Mlgigdoh.exe 1860 Mkjica32.exe 1860 Mkjica32.exe 1208 Mofecpnl.exe 1208 Mofecpnl.exe 3060 Mepnpj32.exe 3060 Mepnpj32.exe 2032 Mhnjle32.exe 2032 Mhnjle32.exe 2244 Magnek32.exe 2244 Magnek32.exe 2524 Mhqfbebj.exe 2524 Mhqfbebj.exe 1692 Mgcgmb32.exe 1692 Mgcgmb32.exe 2712 Njbcim32.exe 2712 Njbcim32.exe 1804 Nplkfgoe.exe 1804 Nplkfgoe.exe 2148 Ncjgbcoi.exe 2148 Ncjgbcoi.exe 2600 Ndjdlffl.exe 2600 Ndjdlffl.exe 2292 Njgldmdc.exe 2292 Njgldmdc.exe 2456 Nleiqhcg.exe 2456 Nleiqhcg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Adeplhib.exe Qmlgonbe.exe File opened for modification C:\Windows\SysWOW64\Bdlblj32.exe Bopicc32.exe File opened for modification C:\Windows\SysWOW64\Epieghdk.exe Egamfkdh.exe File created C:\Windows\SysWOW64\Hgbebiao.exe Gphmeo32.exe File opened for modification C:\Windows\SysWOW64\Njbcim32.exe Mgcgmb32.exe File created C:\Windows\SysWOW64\Ncjgbcoi.exe Nplkfgoe.exe File created C:\Windows\SysWOW64\Dkmmhf32.exe Dqhhknjp.exe File created C:\Windows\SysWOW64\Kleiio32.dll Gbijhg32.exe File created C:\Windows\SysWOW64\Hjhhocjj.exe Hgilchkf.exe File created C:\Windows\SysWOW64\Liqebf32.dll Hjhhocjj.exe File created C:\Windows\SysWOW64\Omgaek32.exe Okfencna.exe File created C:\Windows\SysWOW64\Doobajme.exe Dmafennb.exe File opened for modification C:\Windows\SysWOW64\Bagpopmj.exe Bpfcgg32.exe File created C:\Windows\SysWOW64\Ccfhhffh.exe Cphlljge.exe File created C:\Windows\SysWOW64\Lmpnnmjg.dll Ncancbha.exe File opened for modification C:\Windows\SysWOW64\Fnbkddem.exe Fcmgfkeg.exe File created C:\Windows\SysWOW64\Mhfkbo32.dll Hodpgjha.exe File created C:\Windows\SysWOW64\Qngmeo32.dll Mhqfbebj.exe File created C:\Windows\SysWOW64\Gdcbnc32.dll Ogmfbd32.exe File opened for modification C:\Windows\SysWOW64\Ppoqge32.exe Piehkkcl.exe File created C:\Windows\SysWOW64\Abbbnchb.exe Alhjai32.exe File opened for modification C:\Windows\SysWOW64\Cdlnkmha.exe Cbnbobin.exe File opened for modification C:\Windows\SysWOW64\Djnpnc32.exe Dgodbh32.exe File created C:\Windows\SysWOW64\Hnagjbdf.exe Hejoiedd.exe File opened for modification C:\Windows\SysWOW64\Mofecpnl.exe Mkjica32.exe File created C:\Windows\SysWOW64\Eaepofcm.dll Mgcgmb32.exe File created C:\Windows\SysWOW64\Hbbhkqaj.dll Bhfagipa.exe File opened for modification C:\Windows\SysWOW64\Dmoipopd.exe Dkmmhf32.exe File opened for modification C:\Windows\SysWOW64\Fpdhklkl.exe Fnbkddem.exe File created C:\Windows\SysWOW64\Gkkemh32.exe Gacpdbej.exe File created C:\Windows\SysWOW64\Nccjhafn.exe Nfpjomgd.exe File created C:\Windows\SysWOW64\Pipopl32.exe Pjmodopf.exe File opened for modification C:\Windows\SysWOW64\Abbbnchb.exe Alhjai32.exe File created C:\Windows\SysWOW64\Afmonbqk.exe Abbbnchb.exe File created C:\Windows\SysWOW64\Cdlnkmha.exe Cbnbobin.exe File created C:\Windows\SysWOW64\Cillgpen.dll Dmafennb.exe File opened for modification C:\Windows\SysWOW64\Gopkmhjk.exe Gicbeald.exe File opened for modification C:\Windows\SysWOW64\Pjmodopf.exe Pccfge32.exe File opened for modification C:\Windows\SysWOW64\Dkmmhf32.exe Dqhhknjp.exe File created C:\Windows\SysWOW64\Epaogi32.exe Eihfjo32.exe File created C:\Windows\SysWOW64\Fhffaj32.exe Ennaieib.exe File created C:\Windows\SysWOW64\Mepnpj32.exe Mofecpnl.exe File opened for modification C:\Windows\SysWOW64\Hnagjbdf.exe Hejoiedd.exe File created C:\Windows\SysWOW64\Eemeeh32.dll Ldenbcge.exe File created C:\Windows\SysWOW64\Mhqfbebj.exe Magnek32.exe File created C:\Windows\SysWOW64\Pjmodopf.exe Pccfge32.exe File created C:\Windows\SysWOW64\Qnfjna32.exe Qhmbagfa.exe File created C:\Windows\SysWOW64\Cbolpc32.dll Dgmglh32.exe File opened for modification C:\Windows\SysWOW64\Dmafennb.exe Djbiicon.exe File created C:\Windows\SysWOW64\Lpbjlbfp.dll Eeempocb.exe File created C:\Windows\SysWOW64\Bnhgoq32.dll Nccjhafn.exe File created C:\Windows\SysWOW64\Onbddoog.exe Okchhc32.exe File created C:\Windows\SysWOW64\Fncann32.dll Dhmcfkme.exe File created C:\Windows\SysWOW64\Lonkjenl.dll Ebgacddo.exe File opened for modification C:\Windows\SysWOW64\Fbdqmghm.exe Fpfdalii.exe File opened for modification C:\Windows\SysWOW64\Ldenbcge.exe Lipjejgp.exe File created C:\Windows\SysWOW64\Bpfcgg32.exe Afmonbqk.exe File opened for modification C:\Windows\SysWOW64\Bkaqmeah.exe Beehencq.exe File created C:\Windows\SysWOW64\Difoda32.dll Ncjgbcoi.exe File created C:\Windows\SysWOW64\Egamfkdh.exe Eecqjpee.exe File opened for modification C:\Windows\SysWOW64\Egamfkdh.exe Eecqjpee.exe File opened for modification C:\Windows\SysWOW64\Hjjddchg.exe Hodpgjha.exe File created C:\Windows\SysWOW64\Hdfflm32.exe Hgbebiao.exe File created C:\Windows\SysWOW64\Njbcim32.exe Mgcgmb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2556 1768 WerFault.exe 212 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkabadei.dll" Epfhbign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gicbeald.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfgmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnoillim.dll" Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imgcddkm.dll" Oqndkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cobbhfhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmoipopd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll" Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nplkfgoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njgldmdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccnbmal.dll" Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdijd32.dll" Qeqbkkej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmkgjhfn.dll" Ppoqge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beehencq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okfencna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocajbekl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbpjiphi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebedndfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nccjhafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpojo32.dll" Paggai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfdpip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qeqbkkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll" Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll" Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Medfkpfc.dll" Pccfge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncffdfn.dll" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjbmjplb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epieghdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjjddchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekchhcnp.dll" Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdalhhc.dll" Bpfcgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckggkg32.dll" Qnigda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjffca.dll" Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnagjbdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oicpfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accikb32.dll" Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmafennb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okchhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddgkcd32.dll" Dngoibmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gphmeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncancbha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjhhocjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlcple32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Piblek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dqhhknjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbijhg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2312 wrote to memory of 1932 2312 dc3f7feebf307013747f905da18e7ff0_NeikiAnalytics.exe 28 PID 2312 wrote to memory of 1932 2312 dc3f7feebf307013747f905da18e7ff0_NeikiAnalytics.exe 28 PID 2312 wrote to memory of 1932 2312 dc3f7feebf307013747f905da18e7ff0_NeikiAnalytics.exe 28 PID 2312 wrote to memory of 1932 2312 dc3f7feebf307013747f905da18e7ff0_NeikiAnalytics.exe 28 PID 1932 wrote to memory of 2716 1932 Jghknp32.exe 29 PID 1932 wrote to memory of 2716 1932 Jghknp32.exe 29 PID 1932 wrote to memory of 2716 1932 Jghknp32.exe 29 PID 1932 wrote to memory of 2716 1932 Jghknp32.exe 29 PID 2716 wrote to memory of 2640 2716 Kpcpbb32.exe 30 PID 2716 wrote to memory of 2640 2716 Kpcpbb32.exe 30 PID 2716 wrote to memory of 2640 2716 Kpcpbb32.exe 30 PID 2716 wrote to memory of 2640 2716 Kpcpbb32.exe 30 PID 2640 wrote to memory of 2812 2640 Kljqgc32.exe 31 PID 2640 wrote to memory of 2812 2640 Kljqgc32.exe 31 PID 2640 wrote to memory of 2812 2640 Kljqgc32.exe 31 PID 2640 wrote to memory of 2812 2640 Kljqgc32.exe 31 PID 2812 wrote to memory of 2476 2812 Kcahhq32.exe 32 PID 2812 wrote to memory of 2476 2812 Kcahhq32.exe 32 PID 2812 wrote to memory of 2476 2812 Kcahhq32.exe 32 PID 2812 wrote to memory of 2476 2812 Kcahhq32.exe 32 PID 2476 wrote to memory of 2496 2476 Kphimanc.exe 33 PID 2476 wrote to memory of 2496 2476 Kphimanc.exe 33 PID 2476 wrote to memory of 2496 2476 Kphimanc.exe 33 PID 2476 wrote to memory of 2496 2476 Kphimanc.exe 33 PID 2496 wrote to memory of 2492 2496 Kakbjibo.exe 34 PID 2496 wrote to memory of 2492 2496 Kakbjibo.exe 34 PID 2496 wrote to memory of 2492 2496 Kakbjibo.exe 34 PID 2496 wrote to memory of 2492 2496 Kakbjibo.exe 34 PID 2492 wrote to memory of 2416 2492 Kegnkh32.exe 35 PID 2492 wrote to memory of 2416 2492 Kegnkh32.exe 35 PID 2492 wrote to memory of 2416 2492 Kegnkh32.exe 35 PID 2492 wrote to memory of 2416 2492 Kegnkh32.exe 35 PID 2416 wrote to memory of 2784 2416 Kanopipl.exe 36 PID 2416 wrote to memory of 2784 2416 Kanopipl.exe 36 PID 2416 wrote to memory of 2784 2416 Kanopipl.exe 36 PID 2416 wrote to memory of 2784 2416 Kanopipl.exe 36 PID 2784 wrote to memory of 312 2784 Kdlkld32.exe 37 PID 2784 wrote to memory of 312 2784 Kdlkld32.exe 37 PID 2784 wrote to memory of 312 2784 Kdlkld32.exe 37 PID 2784 wrote to memory of 312 2784 Kdlkld32.exe 37 PID 312 wrote to memory of 1724 312 Lfmdnp32.exe 38 PID 312 wrote to memory of 1724 312 Lfmdnp32.exe 38 PID 312 wrote to memory of 1724 312 Lfmdnp32.exe 38 PID 312 wrote to memory of 1724 312 Lfmdnp32.exe 38 PID 1724 wrote to memory of 2164 1724 Lgoacojo.exe 39 PID 1724 wrote to memory of 2164 1724 Lgoacojo.exe 39 PID 1724 wrote to memory of 2164 1724 Lgoacojo.exe 39 PID 1724 wrote to memory of 2164 1724 Lgoacojo.exe 39 PID 2164 wrote to memory of 1528 2164 Lpgele32.exe 40 PID 2164 wrote to memory of 1528 2164 Lpgele32.exe 40 PID 2164 wrote to memory of 1528 2164 Lpgele32.exe 40 PID 2164 wrote to memory of 1528 2164 Lpgele32.exe 40 PID 1528 wrote to memory of 1784 1528 Lipjejgp.exe 41 PID 1528 wrote to memory of 1784 1528 Lipjejgp.exe 41 PID 1528 wrote to memory of 1784 1528 Lipjejgp.exe 41 PID 1528 wrote to memory of 1784 1528 Lipjejgp.exe 41 PID 1784 wrote to memory of 2124 1784 Ldenbcge.exe 42 PID 1784 wrote to memory of 2124 1784 Ldenbcge.exe 42 PID 1784 wrote to memory of 2124 1784 Ldenbcge.exe 42 PID 1784 wrote to memory of 2124 1784 Ldenbcge.exe 42 PID 2124 wrote to memory of 2276 2124 Mgfgdn32.exe 43 PID 2124 wrote to memory of 2276 2124 Mgfgdn32.exe 43 PID 2124 wrote to memory of 2276 2124 Mgfgdn32.exe 43 PID 2124 wrote to memory of 2276 2124 Mgfgdn32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc3f7feebf307013747f905da18e7ff0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\dc3f7feebf307013747f905da18e7ff0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:632 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe34⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe35⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe39⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe40⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe42⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe46⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe48⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe52⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe56⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe61⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe66⤵PID:3056
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe67⤵
- Modifies registry class
PID:1380 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1404 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe69⤵
- Drops file in System32 directory
PID:604 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe71⤵
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe72⤵PID:2560
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe75⤵
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe76⤵
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe77⤵PID:1564
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe78⤵PID:1676
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe80⤵PID:1856
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:700 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe82⤵PID:1084
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe83⤵PID:1512
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe84⤵
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe85⤵
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe88⤵PID:1632
-
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe89⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe90⤵PID:2764
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe92⤵
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe94⤵
- Drops file in System32 directory
PID:772 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe95⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe96⤵PID:2852
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe97⤵
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe98⤵PID:2112
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe99⤵PID:2596
-
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe100⤵PID:2660
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe101⤵PID:340
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe102⤵
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe103⤵PID:2756
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:612 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe105⤵PID:2140
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe107⤵PID:1532
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe109⤵PID:2260
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe110⤵
- Drops file in System32 directory
PID:488 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe111⤵PID:3016
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2816 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe113⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe114⤵PID:2552
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe117⤵
- Drops file in System32 directory
PID:472 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:348 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe119⤵PID:1260
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe120⤵PID:1100
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:692
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-