Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 22:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
079f95deda774e06ef955d1ab127a757173435a916cd8af0ead66003b167d1f6_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
079f95deda774e06ef955d1ab127a757173435a916cd8af0ead66003b167d1f6_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
079f95deda774e06ef955d1ab127a757173435a916cd8af0ead66003b167d1f6_NeikiAnalytics.exe
-
Size
104KB
-
MD5
3a28d8eae9e48dd14db7074168009250
-
SHA1
83958135f5e42ac4918cfc31518744126b256840
-
SHA256
079f95deda774e06ef955d1ab127a757173435a916cd8af0ead66003b167d1f6
-
SHA512
d9ee8e22e5ee442ce7f5a6cb052f92abdc24ae48dc1938f558139436007092dd82720e47ad2a37ba77d530bf04931bf6b8cbc77db6758bbdf647b932a7c08f16
-
SSDEEP
3072:qBbnav+qgQZHeXguukRCe5Vx7cEGrhkngpDvchkqbAIQS:ubHtguN5Vx4brq2Ahn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 079f95deda774e06ef955d1ab127a757173435a916cd8af0ead66003b167d1f6_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbicfoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldidkbpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfjbgmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boqbfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjojofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkijmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacgdhlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjdhmdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kahojc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eojnkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpkjkma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghmiam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcfkfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llkbap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iokfhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jofiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngnbgplj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojfaijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkhcmgnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmhheqje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Behnnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccahbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gopkmhjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geolea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjlhneio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnemdecl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgidao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddigjkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icbimi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ehgppi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keanebkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbqabkql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oklkmnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aipddi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlcgeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keanebkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hggomh32.exe -
Executes dropped EXE 64 IoCs
pid Process 1760 Dkhcmgnl.exe 2624 Dhmcfkme.exe 2820 Dkkpbgli.exe 2932 Dqhhknjp.exe 2020 Dcfdgiid.exe 2528 Djpmccqq.exe 1436 Dqjepm32.exe 2892 Dchali32.exe 3052 Dfgmhd32.exe 1316 Dqlafm32.exe 1040 Doobajme.exe 2744 Dgfjbgmh.exe 1828 Eihfjo32.exe 1764 Eqonkmdh.exe 2072 Ecmkghcl.exe 2960 Ebpkce32.exe 304 Emeopn32.exe 1484 Epdkli32.exe 628 Ebbgid32.exe 404 Efncicpm.exe 2144 Eilpeooq.exe 2312 Emhlfmgj.exe 820 Ebedndfa.exe 1380 Eiomkn32.exe 1508 Egamfkdh.exe 2996 Elmigj32.exe 2340 Eeempocb.exe 1736 Ejbfhfaj.exe 2760 Ennaieib.exe 2540 Ealnephf.exe 2516 Fehjeo32.exe 3012 Fjdbnf32.exe 2860 Fmcoja32.exe 3068 Fcmgfkeg.exe 2200 Fhhcgj32.exe 2904 Ffkcbgek.exe 900 Faagpp32.exe 1400 Faagpp32.exe 2248 Fdoclk32.exe 2120 Fmhheqje.exe 2756 Fdapak32.exe 764 Fjlhneio.exe 2864 Fioija32.exe 1972 Fmjejphb.exe 2112 Flmefm32.exe 2616 Fddmgjpo.exe 348 Ffbicfoc.exe 1792 Fiaeoang.exe 2468 Fmlapp32.exe 2408 Gpknlk32.exe 1924 Gonnhhln.exe 2840 Gbijhg32.exe 2140 Gfefiemq.exe 2680 Gicbeald.exe 2156 Ghfbqn32.exe 2260 Glaoalkh.exe 2620 Gopkmhjk.exe 2692 Gbkgnfbd.exe 3056 Gangic32.exe 352 Gejcjbah.exe 620 Gieojq32.exe 2716 Ghhofmql.exe 1132 Gkgkbipp.exe 776 Gobgcg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2992 079f95deda774e06ef955d1ab127a757173435a916cd8af0ead66003b167d1f6_NeikiAnalytics.exe 2992 079f95deda774e06ef955d1ab127a757173435a916cd8af0ead66003b167d1f6_NeikiAnalytics.exe 1760 Dkhcmgnl.exe 1760 Dkhcmgnl.exe 2624 Dhmcfkme.exe 2624 Dhmcfkme.exe 2820 Dkkpbgli.exe 2820 Dkkpbgli.exe 2932 Dqhhknjp.exe 2932 Dqhhknjp.exe 2020 Dcfdgiid.exe 2020 Dcfdgiid.exe 2528 Djpmccqq.exe 2528 Djpmccqq.exe 1436 Dqjepm32.exe 1436 Dqjepm32.exe 2892 Dchali32.exe 2892 Dchali32.exe 3052 Dfgmhd32.exe 3052 Dfgmhd32.exe 1316 Dqlafm32.exe 1316 Dqlafm32.exe 1040 Doobajme.exe 1040 Doobajme.exe 2744 Dgfjbgmh.exe 2744 Dgfjbgmh.exe 1828 Eihfjo32.exe 1828 Eihfjo32.exe 1764 Eqonkmdh.exe 1764 Eqonkmdh.exe 2072 Ecmkghcl.exe 2072 Ecmkghcl.exe 2960 Ebpkce32.exe 2960 Ebpkce32.exe 304 Emeopn32.exe 304 Emeopn32.exe 1484 Epdkli32.exe 1484 Epdkli32.exe 628 Ebbgid32.exe 628 Ebbgid32.exe 404 Efncicpm.exe 404 Efncicpm.exe 2144 Eilpeooq.exe 2144 Eilpeooq.exe 2312 Emhlfmgj.exe 2312 Emhlfmgj.exe 820 Ebedndfa.exe 820 Ebedndfa.exe 1380 Eiomkn32.exe 1380 Eiomkn32.exe 1508 Egamfkdh.exe 1508 Egamfkdh.exe 2996 Elmigj32.exe 2996 Elmigj32.exe 2340 Eeempocb.exe 2340 Eeempocb.exe 1736 Ejbfhfaj.exe 1736 Ejbfhfaj.exe 2760 Ennaieib.exe 2760 Ennaieib.exe 2540 Ealnephf.exe 2540 Ealnephf.exe 2516 Fehjeo32.exe 2516 Fehjeo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jqfffqpm.exe Jiondcpk.exe File created C:\Windows\SysWOW64\Kmopod32.exe Kiccofna.exe File created C:\Windows\SysWOW64\Fjhlioai.dll Bidjnkdg.exe File opened for modification C:\Windows\SysWOW64\Edkcojga.exe Ebmgcohn.exe File created C:\Windows\SysWOW64\Lkojpojq.dll Ebbgid32.exe File created C:\Windows\SysWOW64\Kpkofpgq.exe Kpkofpgq.exe File created C:\Windows\SysWOW64\Edekcace.dll Dcenlceh.exe File created C:\Windows\SysWOW64\Lghegkoc.dll Fjdbnf32.exe File opened for modification C:\Windows\SysWOW64\Jonplmcb.exe Jkbcln32.exe File created C:\Windows\SysWOW64\Peiepfgg.exe Pmanoifd.exe File opened for modification C:\Windows\SysWOW64\Pjenhm32.exe Peiepfgg.exe File opened for modification C:\Windows\SysWOW64\Cafecmlj.exe Cohigamf.exe File created C:\Windows\SysWOW64\Cnmehnan.exe Cojema32.exe File opened for modification C:\Windows\SysWOW64\Chbjffad.exe Cpkbdiqb.exe File created C:\Windows\SysWOW64\Chhpdp32.dll Gkgkbipp.exe File created C:\Windows\SysWOW64\Khejeajg.dll Hlcgeo32.exe File created C:\Windows\SysWOW64\Kpmlkp32.exe Kpmlkp32.exe File opened for modification C:\Windows\SysWOW64\Kmaled32.exe Kifpdelo.exe File opened for modification C:\Windows\SysWOW64\Lbqabkql.exe Llfifq32.exe File created C:\Windows\SysWOW64\Geemiobo.dll Edkcojga.exe File created C:\Windows\SysWOW64\Mpdnkb32.exe Mlibjc32.exe File opened for modification C:\Windows\SysWOW64\Fcmgfkeg.exe Fmcoja32.exe File opened for modification C:\Windows\SysWOW64\Kahojc32.exe Knjbnh32.exe File created C:\Windows\SysWOW64\Kpkofpgq.exe Kahojc32.exe File created C:\Windows\SysWOW64\Konojnki.dll Kpmlkp32.exe File opened for modification C:\Windows\SysWOW64\Monhhk32.exe Mkclhl32.exe File created C:\Windows\SysWOW64\Mhgmapfi.exe Mppepcfg.exe File created C:\Windows\SysWOW64\Pmanoifd.exe Pjcabmga.exe File created C:\Windows\SysWOW64\Ebedndfa.exe Emhlfmgj.exe File created C:\Windows\SysWOW64\Ndabhn32.dll Hnojdcfi.exe File created C:\Windows\SysWOW64\Cddfocpb.dll Kcdnao32.exe File opened for modification C:\Windows\SysWOW64\Oklkmnbp.exe Npfgpe32.exe File opened for modification C:\Windows\SysWOW64\Bdgafdfp.exe Bpleef32.exe File opened for modification C:\Windows\SysWOW64\Dglpbbbg.exe Doehqead.exe File opened for modification C:\Windows\SysWOW64\Dchali32.exe Dqjepm32.exe File created C:\Windows\SysWOW64\Hdhbam32.exe Hnojdcfi.exe File created C:\Windows\SysWOW64\Jdnaob32.dll Ilknfn32.exe File created C:\Windows\SysWOW64\Bnpanefm.dll Kaceodek.exe File opened for modification C:\Windows\SysWOW64\Dcenlceh.exe Dknekeef.exe File opened for modification C:\Windows\SysWOW64\Icbimi32.exe Hkkalk32.exe File created C:\Windows\SysWOW64\Mlkopcge.exe Meagci32.exe File opened for modification C:\Windows\SysWOW64\Bfadgq32.exe Bdbhke32.exe File created C:\Windows\SysWOW64\Opfdll32.dll Cjdfmo32.exe File opened for modification C:\Windows\SysWOW64\Njlockkm.exe Ngnbgplj.exe File created C:\Windows\SysWOW64\Ojolhk32.exe Oklkmnbp.exe File created C:\Windows\SysWOW64\Elmigj32.exe Egamfkdh.exe File created C:\Windows\SysWOW64\Olndbg32.dll Faagpp32.exe File created C:\Windows\SysWOW64\Ldahol32.dll Gangic32.exe File opened for modification C:\Windows\SysWOW64\Lbcnhjnj.exe Logbhl32.exe File opened for modification C:\Windows\SysWOW64\Onhgbmfb.exe Okikfagn.exe File created C:\Windows\SysWOW64\Ddpkof32.dll Pqhpdhcc.exe File created C:\Windows\SysWOW64\Lanfmb32.dll Ebedndfa.exe File created C:\Windows\SysWOW64\Ncolgf32.dll Hknach32.exe File opened for modification C:\Windows\SysWOW64\Kgnnln32.exe Kcbakpdo.exe File opened for modification C:\Windows\SysWOW64\Mppepcfg.exe Monhhk32.exe File created C:\Windows\SysWOW64\Dhhlgc32.dll Ekelld32.exe File created C:\Windows\SysWOW64\Imehcohk.dll Edpmjj32.exe File created C:\Windows\SysWOW64\Fpmkde32.dll Ghhofmql.exe File opened for modification C:\Windows\SysWOW64\Jjojofgn.exe Jbgbni32.exe File created C:\Windows\SysWOW64\Kcdnao32.exe Keanebkb.exe File opened for modification C:\Windows\SysWOW64\Mlkopcge.exe Meagci32.exe File created C:\Windows\SysWOW64\Mledlaqd.dll Dfffnn32.exe File created C:\Windows\SysWOW64\Keoapb32.exe Kaceodek.exe File created C:\Windows\SysWOW64\Cfmepigc.dll Kmjfdejp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4552 4504 WerFault.exe 397 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kcfkfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aplifb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egllae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Faagpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phoccb32.dll" Jcgogk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqljpedj.dll" Kjjmbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmjfdejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Okgnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiaej32.dll" Bmkmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cldooj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ejhlgaeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll" Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfimidmd.dll" Kjcpii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpmlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhglodcb.dll" Qpgpkcpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbhnhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpkofpgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qmicohqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ealnephf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Doehqead.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 079f95deda774e06ef955d1ab127a757173435a916cd8af0ead66003b167d1f6_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Doobajme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gkgkbipp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Leonofpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Moiklogi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Anccmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emieil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jofiln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfkjnkib.dll" Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll" Emieil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baoohhdn.dll" Kkijmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mgqcmlgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aekodi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bghjhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkclhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mlkopcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkhcmgnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chgdod32.dll" Jokcgmee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egllae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll" Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gobgcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgbggnhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmngmj32.dll" Jbnhng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kcbakpdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkbhgojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jfekcg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2992 wrote to memory of 1760 2992 079f95deda774e06ef955d1ab127a757173435a916cd8af0ead66003b167d1f6_NeikiAnalytics.exe 28 PID 2992 wrote to memory of 1760 2992 079f95deda774e06ef955d1ab127a757173435a916cd8af0ead66003b167d1f6_NeikiAnalytics.exe 28 PID 2992 wrote to memory of 1760 2992 079f95deda774e06ef955d1ab127a757173435a916cd8af0ead66003b167d1f6_NeikiAnalytics.exe 28 PID 2992 wrote to memory of 1760 2992 079f95deda774e06ef955d1ab127a757173435a916cd8af0ead66003b167d1f6_NeikiAnalytics.exe 28 PID 1760 wrote to memory of 2624 1760 Dkhcmgnl.exe 29 PID 1760 wrote to memory of 2624 1760 Dkhcmgnl.exe 29 PID 1760 wrote to memory of 2624 1760 Dkhcmgnl.exe 29 PID 1760 wrote to memory of 2624 1760 Dkhcmgnl.exe 29 PID 2624 wrote to memory of 2820 2624 Dhmcfkme.exe 30 PID 2624 wrote to memory of 2820 2624 Dhmcfkme.exe 30 PID 2624 wrote to memory of 2820 2624 Dhmcfkme.exe 30 PID 2624 wrote to memory of 2820 2624 Dhmcfkme.exe 30 PID 2820 wrote to memory of 2932 2820 Dkkpbgli.exe 31 PID 2820 wrote to memory of 2932 2820 Dkkpbgli.exe 31 PID 2820 wrote to memory of 2932 2820 Dkkpbgli.exe 31 PID 2820 wrote to memory of 2932 2820 Dkkpbgli.exe 31 PID 2932 wrote to memory of 2020 2932 Dqhhknjp.exe 32 PID 2932 wrote to memory of 2020 2932 Dqhhknjp.exe 32 PID 2932 wrote to memory of 2020 2932 Dqhhknjp.exe 32 PID 2932 wrote to memory of 2020 2932 Dqhhknjp.exe 32 PID 2020 wrote to memory of 2528 2020 Dcfdgiid.exe 33 PID 2020 wrote to memory of 2528 2020 Dcfdgiid.exe 33 PID 2020 wrote to memory of 2528 2020 Dcfdgiid.exe 33 PID 2020 wrote to memory of 2528 2020 Dcfdgiid.exe 33 PID 2528 wrote to memory of 1436 2528 Djpmccqq.exe 34 PID 2528 wrote to memory of 1436 2528 Djpmccqq.exe 34 PID 2528 wrote to memory of 1436 2528 Djpmccqq.exe 34 PID 2528 wrote to memory of 1436 2528 Djpmccqq.exe 34 PID 1436 wrote to memory of 2892 1436 Dqjepm32.exe 35 PID 1436 wrote to memory of 2892 1436 Dqjepm32.exe 35 PID 1436 wrote to memory of 2892 1436 Dqjepm32.exe 35 PID 1436 wrote to memory of 2892 1436 Dqjepm32.exe 35 PID 2892 wrote to memory of 3052 2892 Dchali32.exe 36 PID 2892 wrote to memory of 3052 2892 Dchali32.exe 36 PID 2892 wrote to memory of 3052 2892 Dchali32.exe 36 PID 2892 wrote to memory of 3052 2892 Dchali32.exe 36 PID 3052 wrote to memory of 1316 3052 Dfgmhd32.exe 37 PID 3052 wrote to memory of 1316 3052 Dfgmhd32.exe 37 PID 3052 wrote to memory of 1316 3052 Dfgmhd32.exe 37 PID 3052 wrote to memory of 1316 3052 Dfgmhd32.exe 37 PID 1316 wrote to memory of 1040 1316 Dqlafm32.exe 38 PID 1316 wrote to memory of 1040 1316 Dqlafm32.exe 38 PID 1316 wrote to memory of 1040 1316 Dqlafm32.exe 38 PID 1316 wrote to memory of 1040 1316 Dqlafm32.exe 38 PID 1040 wrote to memory of 2744 1040 Doobajme.exe 39 PID 1040 wrote to memory of 2744 1040 Doobajme.exe 39 PID 1040 wrote to memory of 2744 1040 Doobajme.exe 39 PID 1040 wrote to memory of 2744 1040 Doobajme.exe 39 PID 2744 wrote to memory of 1828 2744 Dgfjbgmh.exe 40 PID 2744 wrote to memory of 1828 2744 Dgfjbgmh.exe 40 PID 2744 wrote to memory of 1828 2744 Dgfjbgmh.exe 40 PID 2744 wrote to memory of 1828 2744 Dgfjbgmh.exe 40 PID 1828 wrote to memory of 1764 1828 Eihfjo32.exe 41 PID 1828 wrote to memory of 1764 1828 Eihfjo32.exe 41 PID 1828 wrote to memory of 1764 1828 Eihfjo32.exe 41 PID 1828 wrote to memory of 1764 1828 Eihfjo32.exe 41 PID 1764 wrote to memory of 2072 1764 Eqonkmdh.exe 42 PID 1764 wrote to memory of 2072 1764 Eqonkmdh.exe 42 PID 1764 wrote to memory of 2072 1764 Eqonkmdh.exe 42 PID 1764 wrote to memory of 2072 1764 Eqonkmdh.exe 42 PID 2072 wrote to memory of 2960 2072 Ecmkghcl.exe 43 PID 2072 wrote to memory of 2960 2072 Ecmkghcl.exe 43 PID 2072 wrote to memory of 2960 2072 Ecmkghcl.exe 43 PID 2072 wrote to memory of 2960 2072 Ecmkghcl.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\079f95deda774e06ef955d1ab127a757173435a916cd8af0ead66003b167d1f6_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\079f95deda774e06ef955d1ab127a757173435a916cd8af0ead66003b167d1f6_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:304 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:628 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:404 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:820 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1380 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe35⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe36⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe37⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1400 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe40⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe42⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe44⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe45⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe46⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe47⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe49⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe51⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe52⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe53⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe54⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe55⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe56⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe57⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3056 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe61⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe66⤵
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe67⤵PID:800
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe68⤵PID:2092
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1152 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe71⤵PID:688
-
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe72⤵PID:1504
-
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe73⤵PID:2360
-
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe75⤵PID:2668
-
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe76⤵PID:2780
-
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe77⤵PID:1516
-
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe78⤵PID:2924
-
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe80⤵PID:2908
-
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe82⤵PID:2268
-
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe84⤵
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe85⤵PID:1236
-
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe86⤵PID:2972
-
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe87⤵PID:580
-
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe88⤵PID:2068
-
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe89⤵PID:2812
-
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe90⤵
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe92⤵
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe93⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe94⤵PID:1992
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1708 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe96⤵PID:1360
-
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1084 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe98⤵PID:1136
-
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe99⤵PID:1804
-
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe100⤵PID:2052
-
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe101⤵PID:2064
-
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe102⤵PID:1248
-
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe103⤵PID:3016
-
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe104⤵PID:1976
-
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe105⤵PID:2584
-
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe106⤵PID:844
-
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1860 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe109⤵PID:1532
-
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe111⤵PID:2108
-
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe112⤵PID:2956
-
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe113⤵
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe115⤵PID:804
-
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe116⤵PID:2764
-
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe117⤵
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe119⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe120⤵PID:1776
-
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe121⤵PID:2944
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-