Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
25/05/2024, 17:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2e95eb2f00d1a303e55eb351b7029ad0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2e95eb2f00d1a303e55eb351b7029ad0_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2e95eb2f00d1a303e55eb351b7029ad0_NeikiAnalytics.exe
-
Size
87KB
-
MD5
2e95eb2f00d1a303e55eb351b7029ad0
-
SHA1
b80f719984456d03381ebbf31566cd22c076eb12
-
SHA256
7c68c2d6d507f96d1050a325f118cfa5b0477c28bfeb57658259ddbdb8b09620
-
SHA512
a20e73b082f8318b0e010846eea97253ea546a11dc51bde9e390d923376ca94e2ab97824b31d1151da6f81a6af2b3a52867d1006eb7eb48e2261871d9f2008dd
-
SSDEEP
1536:TJgQjQo+pNmDQyw3V5AqgE5QXCQ0caY6xxxxxxxxxxxxxx3xxxxxxqbxxxxxxKg/:TdgNmnl0qXCj0CgIebAnDlmbGcGFDex
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkommo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimkpfeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ceodnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iqalka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamddf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimbdhhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdmmfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndmjedoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Najdnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nglfapnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceclqan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbhke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddokpmfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggkllpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jiakjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpmlkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbheh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejcjbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gobgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onjgiiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amkpegnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aplifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Albjlcao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppoqeja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejgcdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijeghgoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lahkigca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njlockkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebodiofk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efaibbij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idhopq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkopcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cadhnmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lemaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meagci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enhacojl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpiipf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gobgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifcbodli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfahhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 2e95eb2f00d1a303e55eb351b7029ad0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejiih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jicgpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcbakpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfbkmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egafleqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffkcbgek.exe -
Executes dropped EXE 64 IoCs
pid Process 2224 Ddokpmfo.exe 2088 Dbbkja32.exe 2736 Dkkpbgli.exe 2628 Dbehoa32.exe 2648 Dcfdgiid.exe 2532 Djpmccqq.exe 3000 Dmoipopd.exe 2612 Dchali32.exe 2152 Dgfjbgmh.exe 1940 Eqonkmdh.exe 1528 Ejgcdb32.exe 2760 Ecpgmhai.exe 1288 Eilpeooq.exe 2240 Ekklaj32.exe 1176 Efppoc32.exe 1392 Eeempocb.exe 2344 Ealnephf.exe 324 Fnpnndgp.exe 796 Fcmgfkeg.exe 316 Ffkcbgek.exe 700 Fpdhklkl.exe 2124 Fdoclk32.exe 2120 Fmhheqje.exe 892 Fpfdalii.exe 1964 Fdapak32.exe 2004 Fddmgjpo.exe 2620 Fmlapp32.exe 2932 Gpknlk32.exe 2800 Gegfdb32.exe 2624 Gicbeald.exe 2632 Gangic32.exe 2440 Gejcjbah.exe 1676 Gldkfl32.exe 2900 Gobgcg32.exe 2764 Ghkllmoi.exe 1308 Glfhll32.exe 640 Gacpdbej.exe 2792 Gdamqndn.exe 1264 Ggpimica.exe 1192 Gkkemh32.exe 2268 Gmjaic32.exe 1492 Gaemjbcg.exe 1104 Ghoegl32.exe 2468 Hiqbndpb.exe 856 Hahjpbad.exe 1364 Hpkjko32.exe 3044 Hcifgjgc.exe 2220 Hicodd32.exe 828 Hlakpp32.exe 1748 Hdhbam32.exe 2984 Hggomh32.exe 2456 Hnagjbdf.exe 2720 Hobcak32.exe 2520 Hcnpbi32.exe 2536 Hellne32.exe 2564 Hhjhkq32.exe 2460 Hpapln32.exe 2988 Hacmcfge.exe 876 Henidd32.exe 2012 Hhmepp32.exe 2752 Hkkalk32.exe 2772 Icbimi32.exe 784 Ieqeidnl.exe 1988 Ihoafpmp.exe -
Loads dropped DLL 64 IoCs
pid Process 1796 2e95eb2f00d1a303e55eb351b7029ad0_NeikiAnalytics.exe 1796 2e95eb2f00d1a303e55eb351b7029ad0_NeikiAnalytics.exe 2224 Ddokpmfo.exe 2224 Ddokpmfo.exe 2088 Dbbkja32.exe 2088 Dbbkja32.exe 2736 Dkkpbgli.exe 2736 Dkkpbgli.exe 2628 Dbehoa32.exe 2628 Dbehoa32.exe 2648 Dcfdgiid.exe 2648 Dcfdgiid.exe 2532 Djpmccqq.exe 2532 Djpmccqq.exe 3000 Dmoipopd.exe 3000 Dmoipopd.exe 2612 Dchali32.exe 2612 Dchali32.exe 2152 Dgfjbgmh.exe 2152 Dgfjbgmh.exe 1940 Eqonkmdh.exe 1940 Eqonkmdh.exe 1528 Ejgcdb32.exe 1528 Ejgcdb32.exe 2760 Ecpgmhai.exe 2760 Ecpgmhai.exe 1288 Eilpeooq.exe 1288 Eilpeooq.exe 2240 Ekklaj32.exe 2240 Ekklaj32.exe 1176 Efppoc32.exe 1176 Efppoc32.exe 1392 Eeempocb.exe 1392 Eeempocb.exe 2344 Ealnephf.exe 2344 Ealnephf.exe 324 Fnpnndgp.exe 324 Fnpnndgp.exe 796 Fcmgfkeg.exe 796 Fcmgfkeg.exe 316 Ffkcbgek.exe 316 Ffkcbgek.exe 700 Fpdhklkl.exe 700 Fpdhklkl.exe 2124 Fdoclk32.exe 2124 Fdoclk32.exe 2120 Fmhheqje.exe 2120 Fmhheqje.exe 892 Fpfdalii.exe 892 Fpfdalii.exe 1964 Fdapak32.exe 1964 Fdapak32.exe 2004 Fddmgjpo.exe 2004 Fddmgjpo.exe 2620 Fmlapp32.exe 2620 Fmlapp32.exe 2932 Gpknlk32.exe 2932 Gpknlk32.exe 2800 Gegfdb32.exe 2800 Gegfdb32.exe 2624 Gicbeald.exe 2624 Gicbeald.exe 2632 Gangic32.exe 2632 Gangic32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fjkhohik.dll Obcccl32.exe File opened for modification C:\Windows\SysWOW64\Pmdjdh32.exe Pnajilng.exe File created C:\Windows\SysWOW64\Ccnnibig.dll Ajejgp32.exe File created C:\Windows\SysWOW64\Ejgcdb32.exe Eqonkmdh.exe File created C:\Windows\SysWOW64\Facklcaq.dll Fnpnndgp.exe File created C:\Windows\SysWOW64\Hhmepp32.exe Henidd32.exe File created C:\Windows\SysWOW64\Cnkicn32.exe Cklmgb32.exe File created C:\Windows\SysWOW64\Gaemjbcg.exe Gmjaic32.exe File opened for modification C:\Windows\SysWOW64\Icbimi32.exe Hkkalk32.exe File created C:\Windows\SysWOW64\Mgljbm32.exe Mdmmfa32.exe File created C:\Windows\SysWOW64\Kgoboqcm.dll Ojolhk32.exe File created C:\Windows\SysWOW64\Ebjglbml.exe Eplkpgnh.exe File opened for modification C:\Windows\SysWOW64\Dcfdgiid.exe Dbehoa32.exe File created C:\Windows\SysWOW64\Fnpnndgp.exe Ealnephf.exe File created C:\Windows\SysWOW64\Chhpdp32.dll Gldkfl32.exe File created C:\Windows\SysWOW64\Fdoclk32.exe Fpdhklkl.exe File created C:\Windows\SysWOW64\Nncahjgl.exe Nkeelohh.exe File created C:\Windows\SysWOW64\Abhimnma.exe Anlmmp32.exe File created C:\Windows\SysWOW64\Jjlnif32.exe Jfqahgpg.exe File created C:\Windows\SysWOW64\Necfoajd.dll Oopnlacm.exe File created C:\Windows\SysWOW64\Ohibdf32.exe Ofjfhk32.exe File created C:\Windows\SysWOW64\Ilcbjpbn.dll Bdbhke32.exe File created C:\Windows\SysWOW64\Olndbg32.dll Fpdhklkl.exe File created C:\Windows\SysWOW64\Gpknlk32.exe Fmlapp32.exe File opened for modification C:\Windows\SysWOW64\Hobcak32.exe Hnagjbdf.exe File created C:\Windows\SysWOW64\Bplpldoa.dll Bfenbpec.exe File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe Ieqeidnl.exe File opened for modification C:\Windows\SysWOW64\Eqonkmdh.exe Dgfjbgmh.exe File created C:\Windows\SysWOW64\Nopodm32.dll Fpfdalii.exe File created C:\Windows\SysWOW64\Ghkllmoi.exe Gobgcg32.exe File opened for modification C:\Windows\SysWOW64\Anojbobe.exe Aplifb32.exe File created C:\Windows\SysWOW64\Kaplbi32.dll Pbfpik32.exe File created C:\Windows\SysWOW64\Anojbobe.exe Aplifb32.exe File opened for modification C:\Windows\SysWOW64\Dbhnhp32.exe Dcenlceh.exe File created C:\Windows\SysWOW64\Dmoipopd.exe Djpmccqq.exe File created C:\Windows\SysWOW64\Nneloe32.dll Nceclqan.exe File created C:\Windows\SysWOW64\Ipnnggjm.dll Joplbl32.exe File created C:\Windows\SysWOW64\Kkijmm32.exe Kcbakpdo.exe File created C:\Windows\SysWOW64\Cfgnhbba.dll Cnkicn32.exe File created C:\Windows\SysWOW64\Mpigfa32.exe Mlmlecec.exe File opened for modification C:\Windows\SysWOW64\Dgfjbgmh.exe Dchali32.exe File created C:\Windows\SysWOW64\Jknpfqoh.dll Mkeimlfm.exe File created C:\Windows\SysWOW64\Eppmppld.dll Mlkopcge.exe File created C:\Windows\SysWOW64\Cfeoofge.dll Dgfjbgmh.exe File created C:\Windows\SysWOW64\Hlakpp32.exe Hicodd32.exe File opened for modification C:\Windows\SysWOW64\Ndpfkdmf.exe Npdjje32.exe File opened for modification C:\Windows\SysWOW64\Bghjhp32.exe Bblogakg.exe File created C:\Windows\SysWOW64\Nanbpedg.dll Cafecmlj.exe File created C:\Windows\SysWOW64\Hcifgjgc.exe Hpkjko32.exe File created C:\Windows\SysWOW64\Hkkalk32.exe Hhmepp32.exe File created C:\Windows\SysWOW64\Mijgof32.dll Ohibdf32.exe File created C:\Windows\SysWOW64\Egafleqm.exe Eojnkg32.exe File created C:\Windows\SysWOW64\Ekgednng.dll Egafleqm.exe File opened for modification C:\Windows\SysWOW64\Ikddbj32.exe Idklfpon.exe File created C:\Windows\SysWOW64\Aaobdjof.exe Abmbhn32.exe File created C:\Windows\SysWOW64\Cojema32.exe Cgcmlcja.exe File created C:\Windows\SysWOW64\Nadddkfi.dll Oqideepg.exe File created C:\Windows\SysWOW64\Lijfoo32.dll Pjcabmga.exe File created C:\Windows\SysWOW64\Dpiddoma.dll Cklmgb32.exe File created C:\Windows\SysWOW64\Dlnbeh32.exe Dhbfdjdp.exe File created C:\Windows\SysWOW64\Feocmm32.dll Jiakjb32.exe File created C:\Windows\SysWOW64\Namqci32.exe Nondgn32.exe File opened for modification C:\Windows\SysWOW64\Okikfagn.exe Omfkke32.exe File created C:\Windows\SysWOW64\Ebodiofk.exe Ejhlgaeh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4760 4744 WerFault.exe 386 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hobcak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpkbdiqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Inngcfid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ceodnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdmmfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ofelmloo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpooed32.dll" Biicik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcbakpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llkbap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmpfojmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadfjo32.dll" Cpnojioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmepigc.dll" Kngfih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lahkigca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qbelgood.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmpfojmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmkmdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dlkepi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jfqahgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbgljdk.dll" Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imehcohk.dll" Emieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqmmidel.dll" Monhhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkemkhcd.dll" Pefijfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbolehjh.dll" Ekklaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hcifgjgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjlnif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lefdpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onjgiiad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ogeigofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aehboi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekkdc32.dll" Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll" Fmhheqje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcgogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lemaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkijmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olkbjhpi.dll" Chnqkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Llkbap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdgnh32.dll" Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Caknol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll" Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpffnl32.dll" Ikddbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleofcd.dll" Lahkigca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdekadnf.dll" Jnemdecl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddpkh32.dll" Bhigphio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnoej32.dll" Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll" Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loolpo32.dll" Mdmmfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qcpofbjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfeoofge.dll" Dgfjbgmh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1796 wrote to memory of 2224 1796 2e95eb2f00d1a303e55eb351b7029ad0_NeikiAnalytics.exe 28 PID 1796 wrote to memory of 2224 1796 2e95eb2f00d1a303e55eb351b7029ad0_NeikiAnalytics.exe 28 PID 1796 wrote to memory of 2224 1796 2e95eb2f00d1a303e55eb351b7029ad0_NeikiAnalytics.exe 28 PID 1796 wrote to memory of 2224 1796 2e95eb2f00d1a303e55eb351b7029ad0_NeikiAnalytics.exe 28 PID 2224 wrote to memory of 2088 2224 Ddokpmfo.exe 29 PID 2224 wrote to memory of 2088 2224 Ddokpmfo.exe 29 PID 2224 wrote to memory of 2088 2224 Ddokpmfo.exe 29 PID 2224 wrote to memory of 2088 2224 Ddokpmfo.exe 29 PID 2088 wrote to memory of 2736 2088 Dbbkja32.exe 30 PID 2088 wrote to memory of 2736 2088 Dbbkja32.exe 30 PID 2088 wrote to memory of 2736 2088 Dbbkja32.exe 30 PID 2088 wrote to memory of 2736 2088 Dbbkja32.exe 30 PID 2736 wrote to memory of 2628 2736 Dkkpbgli.exe 31 PID 2736 wrote to memory of 2628 2736 Dkkpbgli.exe 31 PID 2736 wrote to memory of 2628 2736 Dkkpbgli.exe 31 PID 2736 wrote to memory of 2628 2736 Dkkpbgli.exe 31 PID 2628 wrote to memory of 2648 2628 Dbehoa32.exe 32 PID 2628 wrote to memory of 2648 2628 Dbehoa32.exe 32 PID 2628 wrote to memory of 2648 2628 Dbehoa32.exe 32 PID 2628 wrote to memory of 2648 2628 Dbehoa32.exe 32 PID 2648 wrote to memory of 2532 2648 Dcfdgiid.exe 33 PID 2648 wrote to memory of 2532 2648 Dcfdgiid.exe 33 PID 2648 wrote to memory of 2532 2648 Dcfdgiid.exe 33 PID 2648 wrote to memory of 2532 2648 Dcfdgiid.exe 33 PID 2532 wrote to memory of 3000 2532 Djpmccqq.exe 34 PID 2532 wrote to memory of 3000 2532 Djpmccqq.exe 34 PID 2532 wrote to memory of 3000 2532 Djpmccqq.exe 34 PID 2532 wrote to memory of 3000 2532 Djpmccqq.exe 34 PID 3000 wrote to memory of 2612 3000 Dmoipopd.exe 35 PID 3000 wrote to memory of 2612 3000 Dmoipopd.exe 35 PID 3000 wrote to memory of 2612 3000 Dmoipopd.exe 35 PID 3000 wrote to memory of 2612 3000 Dmoipopd.exe 35 PID 2612 wrote to memory of 2152 2612 Dchali32.exe 36 PID 2612 wrote to memory of 2152 2612 Dchali32.exe 36 PID 2612 wrote to memory of 2152 2612 Dchali32.exe 36 PID 2612 wrote to memory of 2152 2612 Dchali32.exe 36 PID 2152 wrote to memory of 1940 2152 Dgfjbgmh.exe 37 PID 2152 wrote to memory of 1940 2152 Dgfjbgmh.exe 37 PID 2152 wrote to memory of 1940 2152 Dgfjbgmh.exe 37 PID 2152 wrote to memory of 1940 2152 Dgfjbgmh.exe 37 PID 1940 wrote to memory of 1528 1940 Eqonkmdh.exe 38 PID 1940 wrote to memory of 1528 1940 Eqonkmdh.exe 38 PID 1940 wrote to memory of 1528 1940 Eqonkmdh.exe 38 PID 1940 wrote to memory of 1528 1940 Eqonkmdh.exe 38 PID 1528 wrote to memory of 2760 1528 Ejgcdb32.exe 39 PID 1528 wrote to memory of 2760 1528 Ejgcdb32.exe 39 PID 1528 wrote to memory of 2760 1528 Ejgcdb32.exe 39 PID 1528 wrote to memory of 2760 1528 Ejgcdb32.exe 39 PID 2760 wrote to memory of 1288 2760 Ecpgmhai.exe 40 PID 2760 wrote to memory of 1288 2760 Ecpgmhai.exe 40 PID 2760 wrote to memory of 1288 2760 Ecpgmhai.exe 40 PID 2760 wrote to memory of 1288 2760 Ecpgmhai.exe 40 PID 1288 wrote to memory of 2240 1288 Eilpeooq.exe 41 PID 1288 wrote to memory of 2240 1288 Eilpeooq.exe 41 PID 1288 wrote to memory of 2240 1288 Eilpeooq.exe 41 PID 1288 wrote to memory of 2240 1288 Eilpeooq.exe 41 PID 2240 wrote to memory of 1176 2240 Ekklaj32.exe 42 PID 2240 wrote to memory of 1176 2240 Ekklaj32.exe 42 PID 2240 wrote to memory of 1176 2240 Ekklaj32.exe 42 PID 2240 wrote to memory of 1176 2240 Ekklaj32.exe 42 PID 1176 wrote to memory of 1392 1176 Efppoc32.exe 43 PID 1176 wrote to memory of 1392 1176 Efppoc32.exe 43 PID 1176 wrote to memory of 1392 1176 Efppoc32.exe 43 PID 1176 wrote to memory of 1392 1176 Efppoc32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e95eb2f00d1a303e55eb351b7029ad0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2e95eb2f00d1a303e55eb351b7029ad0_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1392 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:324 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:796 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:700 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe36⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe38⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe39⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe41⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe43⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe45⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe46⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe50⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe51⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe52⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe53⤵PID:1612
-
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe56⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe57⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe58⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe59⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe64⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:784 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe66⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe67⤵PID:3064
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe69⤵PID:1784
-
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:884 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe71⤵
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe72⤵PID:2936
-
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1040 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1048 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3068 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe76⤵PID:2712
-
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe77⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe78⤵
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe79⤵PID:2776
-
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe80⤵PID:3012
-
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1980 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe82⤵PID:2572
-
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe83⤵PID:600
-
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe84⤵
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe85⤵PID:2104
-
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe86⤵PID:1788
-
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe88⤵
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe89⤵PID:1648
-
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe90⤵PID:2256
-
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe91⤵PID:3040
-
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe93⤵PID:2732
-
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe94⤵
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe95⤵PID:2508
-
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2848 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe97⤵PID:2992
-
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe98⤵PID:2976
-
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe99⤵PID:2316
-
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe100⤵
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe101⤵PID:2692
-
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe102⤵
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe103⤵PID:1012
-
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe104⤵PID:304
-
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe105⤵PID:816
-
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe106⤵PID:2912
-
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe107⤵PID:296
-
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe109⤵
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe110⤵
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe111⤵PID:2528
-
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe112⤵PID:3020
-
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:560 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe114⤵PID:2784
-
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe115⤵PID:484
-
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe116⤵PID:1400
-
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe117⤵PID:2204
-
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe118⤵PID:1672
-
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe119⤵PID:2364
-
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1512 -
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe121⤵PID:2716
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-