Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
16/05/2024, 19:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1cfbfe390f91cf49b3533cd0b33a0bc0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1cfbfe390f91cf49b3533cd0b33a0bc0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1cfbfe390f91cf49b3533cd0b33a0bc0_NeikiAnalytics.exe
-
Size
224KB
-
MD5
1cfbfe390f91cf49b3533cd0b33a0bc0
-
SHA1
e6de992dcc99b2182f1d89a3ab35f534bb0865ab
-
SHA256
7b8a2447c8a23c9a6f4448b07fba9a9e8a2c04c17e6d790730a25bb35a171955
-
SHA512
0c23d4493740048f630a0a758f2c176eb3adf6d401299cb887247f056f1cdb2ed749a5611a4d367deb31f883dccc01dab6bae5c69f8a87026e21ee14ab3536dd
-
SSDEEP
6144:yTyxkw3gKVtxel9Whg/LxHoOZedgKVtxel9Wh:yTgmL2OZo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfgdhjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngibaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpabm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demofaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dldkmlhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieagbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbojdmcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccngld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkbkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bobhal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blobjaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kobkpdfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meoell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkklljmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfpdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgagfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oohqqlei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkaglf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajeeeblb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfgegnbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iibfajdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peedka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onocmadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 1988 Kafbec32.exe 2172 Kgpjanje.exe 2748 Kfbkmk32.exe 2792 Kfgdhjmk.exe 1680 Lldlqakb.exe 2516 Lfjqnjkh.exe 2344 Lpbefoai.exe 2204 Lijjoe32.exe 2808 Lbcnhjnj.exe 272 Llkbap32.exe 812 Lecgje32.exe 1040 Lollckbk.exe 600 Mkclhl32.exe 860 Mdkqqa32.exe 2368 Maoajf32.exe 2104 Mijfnh32.exe 2428 Mgnfhlin.exe 1544 Moiklogi.exe 1664 Mgqcmlgl.exe 772 Mhbped32.exe 1300 Mpigfa32.exe 620 Najdnj32.exe 2856 Nhdlkdkg.exe 3016 Ncjqhmkm.exe 3004 Ndkmpe32.exe 2852 Nncahjgl.exe 2848 Nejiih32.exe 3044 Nglfapnl.exe 2676 Npdjje32.exe 2556 Nhkbkc32.exe 2696 Nnhkcj32.exe 2600 Npfgpe32.exe 2580 Oklkmnbp.exe 1036 Olmhdf32.exe 2592 Ofelmloo.exe 2224 Olpdjf32.exe 1028 Ofhick32.exe 2256 Ojcecjee.exe 1624 Oopnlacm.exe 788 Ofjfhk32.exe 1332 Ohibdf32.exe 2348 Obafnlpn.exe 2484 Odobjg32.exe 2088 Omfkke32.exe 1004 Obcccl32.exe 964 Pdaoog32.exe 1856 Pimkpfeh.exe 2168 Pklhlael.exe 2012 Pqhpdhcc.exe 892 Piphee32.exe 2036 Pkndaa32.exe 3024 Pnlqnl32.exe 2704 Pefijfii.exe 2652 Pgeefbhm.exe 2548 Pnomcl32.exe 2552 Pmanoifd.exe 2948 Pclfkc32.exe 1536 Pggbla32.exe 2700 Pnajilng.exe 2448 Ppbfpd32.exe 2260 Pgioaa32.exe 592 Pikkiijf.exe 1212 Qabcjgkh.exe 2356 Qbcpbo32.exe -
Loads dropped DLL 64 IoCs
pid Process 1700 1cfbfe390f91cf49b3533cd0b33a0bc0_NeikiAnalytics.exe 1700 1cfbfe390f91cf49b3533cd0b33a0bc0_NeikiAnalytics.exe 1988 Kafbec32.exe 1988 Kafbec32.exe 2172 Kgpjanje.exe 2172 Kgpjanje.exe 2748 Kfbkmk32.exe 2748 Kfbkmk32.exe 2792 Kfgdhjmk.exe 2792 Kfgdhjmk.exe 1680 Lldlqakb.exe 1680 Lldlqakb.exe 2516 Lfjqnjkh.exe 2516 Lfjqnjkh.exe 2344 Lpbefoai.exe 2344 Lpbefoai.exe 2204 Lijjoe32.exe 2204 Lijjoe32.exe 2808 Lbcnhjnj.exe 2808 Lbcnhjnj.exe 272 Llkbap32.exe 272 Llkbap32.exe 812 Lecgje32.exe 812 Lecgje32.exe 1040 Lollckbk.exe 1040 Lollckbk.exe 600 Mkclhl32.exe 600 Mkclhl32.exe 860 Mdkqqa32.exe 860 Mdkqqa32.exe 2368 Maoajf32.exe 2368 Maoajf32.exe 2104 Mijfnh32.exe 2104 Mijfnh32.exe 2428 Mgnfhlin.exe 2428 Mgnfhlin.exe 1544 Moiklogi.exe 1544 Moiklogi.exe 1664 Mgqcmlgl.exe 1664 Mgqcmlgl.exe 772 Mhbped32.exe 772 Mhbped32.exe 1300 Mpigfa32.exe 1300 Mpigfa32.exe 620 Najdnj32.exe 620 Najdnj32.exe 2856 Nhdlkdkg.exe 2856 Nhdlkdkg.exe 3016 Ncjqhmkm.exe 3016 Ncjqhmkm.exe 3004 Ndkmpe32.exe 3004 Ndkmpe32.exe 2852 Nncahjgl.exe 2852 Nncahjgl.exe 2848 Nejiih32.exe 2848 Nejiih32.exe 3044 Nglfapnl.exe 3044 Nglfapnl.exe 2676 Npdjje32.exe 2676 Npdjje32.exe 2556 Nhkbkc32.exe 2556 Nhkbkc32.exe 2696 Nnhkcj32.exe 2696 Nnhkcj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kpcqnf32.exe Khlili32.exe File created C:\Windows\SysWOW64\Dknajh32.exe Dddimn32.exe File created C:\Windows\SysWOW64\Dhhhbg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nfdfmfle.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lijiaabk.exe Process not Found File created C:\Windows\SysWOW64\Gnddig32.dll Linphc32.exe File created C:\Windows\SysWOW64\Aopjkjhh.dll Jaeafklf.exe File opened for modification C:\Windows\SysWOW64\Fnfcel32.exe Fkhgip32.exe File created C:\Windows\SysWOW64\Ocaeoe32.dll Ifoqjo32.exe File created C:\Windows\SysWOW64\Cnmehnan.exe Cgcmlcja.exe File created C:\Windows\SysWOW64\Odifibfn.dll Process not Found File created C:\Windows\SysWOW64\Eaeipfei.exe Process not Found File created C:\Windows\SysWOW64\Bmfmjjgm.dll Aplifb32.exe File created C:\Windows\SysWOW64\Offmilba.dll Hbfepmmn.exe File opened for modification C:\Windows\SysWOW64\Npjlhcmd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mfgnnhkc.exe Process not Found File created C:\Windows\SysWOW64\Qjhjbhcg.dll Process not Found File created C:\Windows\SysWOW64\Fngpfnqg.dll Process not Found File created C:\Windows\SysWOW64\Biafnecn.exe Bajomhbl.exe File created C:\Windows\SysWOW64\Bhdbmf32.dll Qfonkfqd.exe File created C:\Windows\SysWOW64\Ogmnad32.dll Process not Found File created C:\Windows\SysWOW64\Ekohgi32.dll Process not Found File created C:\Windows\SysWOW64\Ednoihel.dll Process not Found File created C:\Windows\SysWOW64\Qimagi32.dll Ihhcbf32.exe File created C:\Windows\SysWOW64\Jegaol32.dll Process not Found File created C:\Windows\SysWOW64\Hjcmgp32.exe Hbleeb32.exe File created C:\Windows\SysWOW64\Ephbal32.exe Process not Found File created C:\Windows\SysWOW64\Fdffdghm.dll Process not Found File created C:\Windows\SysWOW64\Nomqhi32.dll Pkljdj32.exe File created C:\Windows\SysWOW64\Chhldeho.exe Cielhh32.exe File created C:\Windows\SysWOW64\Hdhbci32.exe Process not Found File created C:\Windows\SysWOW64\Paodbg32.dll Process not Found File created C:\Windows\SysWOW64\Ikonfbfj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hmjoqo32.exe Process not Found File created C:\Windows\SysWOW64\Knbnol32.dll Process not Found File created C:\Windows\SysWOW64\Eklaogoi.dll Dlahng32.exe File opened for modification C:\Windows\SysWOW64\Ochcem32.exe Process not Found File created C:\Windows\SysWOW64\Qqeagm32.dll Oionacqo.exe File created C:\Windows\SysWOW64\Chocodch.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pimkpfeh.exe Pdaoog32.exe File opened for modification C:\Windows\SysWOW64\Kdnkdmec.exe Process not Found File opened for modification C:\Windows\SysWOW64\Flnndp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ooabmbbe.exe Process not Found File created C:\Windows\SysWOW64\Engeeehn.dll Process not Found File created C:\Windows\SysWOW64\Oqhiplaj.dll Aaobdjof.exe File created C:\Windows\SysWOW64\Jhpjaq32.dll Oappcfmb.exe File created C:\Windows\SysWOW64\Imjjki32.dll Process not Found File created C:\Windows\SysWOW64\Hjqmnofi.dll Njpgpbpf.exe File opened for modification C:\Windows\SysWOW64\Haqnea32.exe Process not Found File created C:\Windows\SysWOW64\Iecbnqcj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Iediin32.exe Process not Found File created C:\Windows\SysWOW64\Hjkfmc32.dll Process not Found File created C:\Windows\SysWOW64\Alodeacc.exe Process not Found File created C:\Windows\SysWOW64\Ajmfad32.exe Abfnpg32.exe File opened for modification C:\Windows\SysWOW64\Nibqqh32.exe Process not Found File created C:\Windows\SysWOW64\Nmnojp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pidaba32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kocmim32.exe Process not Found File created C:\Windows\SysWOW64\Dnhanebc.dll Process not Found File created C:\Windows\SysWOW64\Ifblipqh.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hjcppidk.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nfahomfd.exe Process not Found File created C:\Windows\SysWOW64\Iefmgahq.dll Bppoqeja.exe File created C:\Windows\SysWOW64\Hcigco32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 4728 3128 Process not Found 2266 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeegb32.dll" Lollckbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll" Blkioa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mccbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlhjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmffciep.dll" Bgibnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnbopmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdhbgoc.dll" Clmdmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jabbhcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbeded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficfbkij.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdjijco.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odldga32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkjlm32.dll" Nhdlkdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll" Qngmgjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iecdhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oohfokgp.dll" Qglmpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll" Nigome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chnqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pggbla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Labkdack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idqcamnn.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibijie32.dll" Figlolbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emkkdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkhgip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldhcb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbpca32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigeamik.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llkcqmgj.dll" Nbpeoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Objbia32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmjlhfof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meoell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ookpodkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll" Cfnmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbnkppp.dll" Bepjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liiffa32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieidmbcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikmgj32.dll" Ddajoelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkdhopfa.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1700 wrote to memory of 1988 1700 1cfbfe390f91cf49b3533cd0b33a0bc0_NeikiAnalytics.exe 28 PID 1700 wrote to memory of 1988 1700 1cfbfe390f91cf49b3533cd0b33a0bc0_NeikiAnalytics.exe 28 PID 1700 wrote to memory of 1988 1700 1cfbfe390f91cf49b3533cd0b33a0bc0_NeikiAnalytics.exe 28 PID 1700 wrote to memory of 1988 1700 1cfbfe390f91cf49b3533cd0b33a0bc0_NeikiAnalytics.exe 28 PID 1988 wrote to memory of 2172 1988 Kafbec32.exe 29 PID 1988 wrote to memory of 2172 1988 Kafbec32.exe 29 PID 1988 wrote to memory of 2172 1988 Kafbec32.exe 29 PID 1988 wrote to memory of 2172 1988 Kafbec32.exe 29 PID 2172 wrote to memory of 2748 2172 Kgpjanje.exe 30 PID 2172 wrote to memory of 2748 2172 Kgpjanje.exe 30 PID 2172 wrote to memory of 2748 2172 Kgpjanje.exe 30 PID 2172 wrote to memory of 2748 2172 Kgpjanje.exe 30 PID 2748 wrote to memory of 2792 2748 Kfbkmk32.exe 31 PID 2748 wrote to memory of 2792 2748 Kfbkmk32.exe 31 PID 2748 wrote to memory of 2792 2748 Kfbkmk32.exe 31 PID 2748 wrote to memory of 2792 2748 Kfbkmk32.exe 31 PID 2792 wrote to memory of 1680 2792 Kfgdhjmk.exe 32 PID 2792 wrote to memory of 1680 2792 Kfgdhjmk.exe 32 PID 2792 wrote to memory of 1680 2792 Kfgdhjmk.exe 32 PID 2792 wrote to memory of 1680 2792 Kfgdhjmk.exe 32 PID 1680 wrote to memory of 2516 1680 Lldlqakb.exe 33 PID 1680 wrote to memory of 2516 1680 Lldlqakb.exe 33 PID 1680 wrote to memory of 2516 1680 Lldlqakb.exe 33 PID 1680 wrote to memory of 2516 1680 Lldlqakb.exe 33 PID 2516 wrote to memory of 2344 2516 Lfjqnjkh.exe 34 PID 2516 wrote to memory of 2344 2516 Lfjqnjkh.exe 34 PID 2516 wrote to memory of 2344 2516 Lfjqnjkh.exe 34 PID 2516 wrote to memory of 2344 2516 Lfjqnjkh.exe 34 PID 2344 wrote to memory of 2204 2344 Lpbefoai.exe 35 PID 2344 wrote to memory of 2204 2344 Lpbefoai.exe 35 PID 2344 wrote to memory of 2204 2344 Lpbefoai.exe 35 PID 2344 wrote to memory of 2204 2344 Lpbefoai.exe 35 PID 2204 wrote to memory of 2808 2204 Lijjoe32.exe 36 PID 2204 wrote to memory of 2808 2204 Lijjoe32.exe 36 PID 2204 wrote to memory of 2808 2204 Lijjoe32.exe 36 PID 2204 wrote to memory of 2808 2204 Lijjoe32.exe 36 PID 2808 wrote to memory of 272 2808 Lbcnhjnj.exe 37 PID 2808 wrote to memory of 272 2808 Lbcnhjnj.exe 37 PID 2808 wrote to memory of 272 2808 Lbcnhjnj.exe 37 PID 2808 wrote to memory of 272 2808 Lbcnhjnj.exe 37 PID 272 wrote to memory of 812 272 Llkbap32.exe 38 PID 272 wrote to memory of 812 272 Llkbap32.exe 38 PID 272 wrote to memory of 812 272 Llkbap32.exe 38 PID 272 wrote to memory of 812 272 Llkbap32.exe 38 PID 812 wrote to memory of 1040 812 Lecgje32.exe 39 PID 812 wrote to memory of 1040 812 Lecgje32.exe 39 PID 812 wrote to memory of 1040 812 Lecgje32.exe 39 PID 812 wrote to memory of 1040 812 Lecgje32.exe 39 PID 1040 wrote to memory of 600 1040 Lollckbk.exe 40 PID 1040 wrote to memory of 600 1040 Lollckbk.exe 40 PID 1040 wrote to memory of 600 1040 Lollckbk.exe 40 PID 1040 wrote to memory of 600 1040 Lollckbk.exe 40 PID 600 wrote to memory of 860 600 Mkclhl32.exe 41 PID 600 wrote to memory of 860 600 Mkclhl32.exe 41 PID 600 wrote to memory of 860 600 Mkclhl32.exe 41 PID 600 wrote to memory of 860 600 Mkclhl32.exe 41 PID 860 wrote to memory of 2368 860 Mdkqqa32.exe 42 PID 860 wrote to memory of 2368 860 Mdkqqa32.exe 42 PID 860 wrote to memory of 2368 860 Mdkqqa32.exe 42 PID 860 wrote to memory of 2368 860 Mdkqqa32.exe 42 PID 2368 wrote to memory of 2104 2368 Maoajf32.exe 43 PID 2368 wrote to memory of 2104 2368 Maoajf32.exe 43 PID 2368 wrote to memory of 2104 2368 Maoajf32.exe 43 PID 2368 wrote to memory of 2104 2368 Maoajf32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1cfbfe390f91cf49b3533cd0b33a0bc0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1cfbfe390f91cf49b3533cd0b33a0bc0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:620 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe33⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe34⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe35⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe36⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe37⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe38⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe39⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe40⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe41⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe42⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe43⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe44⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe45⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe46⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:964 -
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe48⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe49⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe50⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe51⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe52⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe53⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe54⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe55⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe56⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Pmanoifd.exeC:\Windows\system32\Pmanoifd.exe57⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Pclfkc32.exeC:\Windows\system32\Pclfkc32.exe58⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe60⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe61⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe62⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Pikkiijf.exeC:\Windows\system32\Pikkiijf.exe63⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe64⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe65⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Qimhoi32.exeC:\Windows\system32\Qimhoi32.exe66⤵PID:2880
-
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe67⤵PID:2192
-
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe68⤵PID:340
-
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe69⤵PID:1612
-
C:\Windows\SysWOW64\Qedhdjnh.exeC:\Windows\system32\Qedhdjnh.exe70⤵PID:2332
-
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe71⤵PID:2016
-
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe72⤵PID:1712
-
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe73⤵PID:1592
-
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe74⤵PID:2148
-
C:\Windows\SysWOW64\Ahdaee32.exeC:\Windows\system32\Ahdaee32.exe75⤵PID:2876
-
C:\Windows\SysWOW64\Aplifb32.exeC:\Windows\system32\Aplifb32.exe76⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe77⤵PID:2968
-
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe78⤵PID:1508
-
C:\Windows\SysWOW64\Ajejgp32.exeC:\Windows\system32\Ajejgp32.exe79⤵PID:1520
-
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe80⤵PID:1256
-
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe81⤵
- Drops file in System32 directory
PID:484 -
C:\Windows\SysWOW64\Alegac32.exeC:\Windows\system32\Alegac32.exe82⤵PID:2268
-
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe83⤵PID:2364
-
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe84⤵PID:896
-
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe85⤵PID:1452
-
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe86⤵PID:1756
-
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe87⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe88⤵PID:2664
-
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe89⤵PID:2656
-
C:\Windows\SysWOW64\Bfadgq32.exeC:\Windows\system32\Bfadgq32.exe90⤵PID:2752
-
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe91⤵PID:396
-
C:\Windows\SysWOW64\Bpiipf32.exeC:\Windows\system32\Bpiipf32.exe92⤵PID:780
-
C:\Windows\SysWOW64\Bbhela32.exeC:\Windows\system32\Bbhela32.exe93⤵PID:2240
-
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe94⤵PID:2244
-
C:\Windows\SysWOW64\Bpleef32.exeC:\Windows\system32\Bpleef32.exe95⤵PID:1764
-
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe96⤵PID:3052
-
C:\Windows\SysWOW64\Bfenbpec.exeC:\Windows\system32\Bfenbpec.exe97⤵PID:2180
-
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe98⤵PID:1532
-
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe99⤵PID:916
-
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe100⤵PID:1000
-
C:\Windows\SysWOW64\Bghjhp32.exeC:\Windows\system32\Bghjhp32.exe101⤵PID:2492
-
C:\Windows\SysWOW64\Bifgdk32.exeC:\Windows\system32\Bifgdk32.exe102⤵PID:2720
-
C:\Windows\SysWOW64\Bppoqeja.exeC:\Windows\system32\Bppoqeja.exe103⤵
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe104⤵PID:2756
-
C:\Windows\SysWOW64\Ckjpacfp.exeC:\Windows\system32\Ckjpacfp.exe105⤵PID:2496
-
C:\Windows\SysWOW64\Ccahbp32.exeC:\Windows\system32\Ccahbp32.exe106⤵PID:1032
-
C:\Windows\SysWOW64\Ceodnl32.exeC:\Windows\system32\Ceodnl32.exe107⤵PID:1648
-
C:\Windows\SysWOW64\Chnqkg32.exeC:\Windows\system32\Chnqkg32.exe108⤵
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe109⤵PID:1340
-
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe110⤵
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Cnmehnan.exeC:\Windows\system32\Cnmehnan.exe111⤵PID:1760
-
C:\Windows\SysWOW64\Cdgneh32.exeC:\Windows\system32\Cdgneh32.exe112⤵PID:1048
-
C:\Windows\SysWOW64\Cgejac32.exeC:\Windows\system32\Cgejac32.exe113⤵PID:2372
-
C:\Windows\SysWOW64\Cjdfmo32.exeC:\Windows\system32\Cjdfmo32.exe114⤵PID:1448
-
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe115⤵PID:2616
-
C:\Windows\SysWOW64\Cpnojioo.exeC:\Windows\system32\Cpnojioo.exe116⤵PID:2568
-
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe117⤵PID:3000
-
C:\Windows\SysWOW64\Cghggc32.exeC:\Windows\system32\Cghggc32.exe118⤵PID:2464
-
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe119⤵PID:2828
-
C:\Windows\SysWOW64\Cppkph32.exeC:\Windows\system32\Cppkph32.exe120⤵PID:2160
-
C:\Windows\SysWOW64\Cdlgpgef.exeC:\Windows\system32\Cdlgpgef.exe121⤵
- Modifies registry class
PID:1772
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-