Analysis
-
max time kernel
125s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
24-06-2024 03:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
351789ab20058da3e8a4d712f838386990c4299be89b0f204740f27351575d29_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
351789ab20058da3e8a4d712f838386990c4299be89b0f204740f27351575d29_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
351789ab20058da3e8a4d712f838386990c4299be89b0f204740f27351575d29_NeikiAnalytics.exe
-
Size
256KB
-
MD5
0e55bb35fc8995b92b6d75933570f740
-
SHA1
958e9cdbcded3ba4516bd045ec4db18e0fa50bb4
-
SHA256
351789ab20058da3e8a4d712f838386990c4299be89b0f204740f27351575d29
-
SHA512
017a7317758d416daa5ce31db1f739466703e56cba16d5e7416de11da68f8788197406df7ccb288bc23bf11a87a98a8baacd081e4c8d39aa729f10982b6f7ce2
-
SSDEEP
6144:msPlpSUw4rQD85k/hQO+zrWnAdqjeOpKfduBU:hfrQg5W/+zrWAI5KFuU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epbpbnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkogpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlhfmqge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceeieced.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdjihgef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqajihle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koaclfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egkehllh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfando32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imkeneja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipdojfgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgjkfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nibebfpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epmfgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdpjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qndkpmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgchgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcpbik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghghnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqajihle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjcppidk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefdpjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahkok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqapnjli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phnnho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfejjgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfigck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmodaadg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahbekjcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnjoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geoonjeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Objaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igijkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmpdgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjnhnbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hokjkbkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdfahaaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glcfgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhnkffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdqlajbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbffjmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gembhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejmhkiig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knaeeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabopjmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akfkbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edaalk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Einebddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfllkece.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekhacbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohncbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjoilfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liboodmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aicfgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmlbaqfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnnhbjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnddn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghekhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdjihgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enpban32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opccallb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocalkn32.exe -
Executes dropped EXE 64 IoCs
pid Process 2392 Lmlhnagm.exe 2588 Mffimglk.exe 2612 Mponel32.exe 2736 Melfncqb.exe 2460 Mdacop32.exe 2360 Moidahcn.exe 772 Nibebfpl.exe 2684 Ndjfeo32.exe 2304 Npagjpcd.exe 2524 Nhllob32.exe 1912 Ocdmaj32.exe 2844 Ollajp32.exe 1544 Oalfhf32.exe 2084 Ocalkn32.exe 2248 Pngphgbf.exe 2024 Pnimnfpc.exe 2072 Pjpnbg32.exe 752 Piekcd32.exe 1008 Pbnoliap.exe 956 Poapfn32.exe 900 Qkkmqnck.exe 1392 Akmjfn32.exe 1752 Aaloddnn.exe 2948 Amcpie32.exe 1812 Alhmjbhj.exe 2412 Becnhgmg.exe 2548 Beejng32.exe 2464 Bjbcfn32.exe 1524 Bhfcpb32.exe 2132 Bejdiffp.exe 472 Chkmkacq.exe 2716 Cgpjlnhh.exe 2688 Cphndc32.exe 2628 Cmlong32.exe 2816 Cgdcgm32.exe 1136 Dnjngk32.exe 1528 Dknoaoaj.exe 624 Dciceaoe.exe 2068 Dnnhbjnk.exe 2964 Ddhpod32.exe 1436 Enqdhj32.exe 2636 Eobapbbg.exe 1776 Ejgemkbm.exe 1664 Eqamje32.exe 1956 Ejjbbkpj.exe 1976 Ebefgm32.exe 2032 Emkkdf32.exe 2540 Ebgclm32.exe 2416 Egdlec32.exe 1616 Fidhof32.exe 2600 Fqomci32.exe 2572 Fkdaqa32.exe 1612 Fqajihle.exe 2640 Ffnbaojm.exe 1464 Fpffje32.exe 2924 Ffqofohj.exe 264 Fafcdh32.exe 1604 Giahhj32.exe 2780 Gfehan32.exe 2880 Gmoqnhla.exe 2680 Gfgegnbb.exe 1256 Gppipc32.exe 2320 Gembhj32.exe 2900 Glgjednf.exe -
Loads dropped DLL 64 IoCs
pid Process 1704 351789ab20058da3e8a4d712f838386990c4299be89b0f204740f27351575d29_NeikiAnalytics.exe 1704 351789ab20058da3e8a4d712f838386990c4299be89b0f204740f27351575d29_NeikiAnalytics.exe 2392 Lmlhnagm.exe 2392 Lmlhnagm.exe 2588 Mffimglk.exe 2588 Mffimglk.exe 2612 Mponel32.exe 2612 Mponel32.exe 2736 Melfncqb.exe 2736 Melfncqb.exe 2460 Mdacop32.exe 2460 Mdacop32.exe 2360 Moidahcn.exe 2360 Moidahcn.exe 772 Nibebfpl.exe 772 Nibebfpl.exe 2684 Ndjfeo32.exe 2684 Ndjfeo32.exe 2304 Npagjpcd.exe 2304 Npagjpcd.exe 2524 Nhllob32.exe 2524 Nhllob32.exe 1912 Ocdmaj32.exe 1912 Ocdmaj32.exe 2844 Ollajp32.exe 2844 Ollajp32.exe 1544 Oalfhf32.exe 1544 Oalfhf32.exe 2084 Ocalkn32.exe 2084 Ocalkn32.exe 2248 Pngphgbf.exe 2248 Pngphgbf.exe 2024 Pnimnfpc.exe 2024 Pnimnfpc.exe 2072 Pjpnbg32.exe 2072 Pjpnbg32.exe 752 Piekcd32.exe 752 Piekcd32.exe 1008 Pbnoliap.exe 1008 Pbnoliap.exe 956 Poapfn32.exe 956 Poapfn32.exe 900 Qkkmqnck.exe 900 Qkkmqnck.exe 1392 Akmjfn32.exe 1392 Akmjfn32.exe 1752 Aaloddnn.exe 1752 Aaloddnn.exe 2948 Amcpie32.exe 2948 Amcpie32.exe 1812 Alhmjbhj.exe 1812 Alhmjbhj.exe 2412 Becnhgmg.exe 2412 Becnhgmg.exe 2548 Beejng32.exe 2548 Beejng32.exe 2464 Bjbcfn32.exe 2464 Bjbcfn32.exe 1524 Bhfcpb32.exe 1524 Bhfcpb32.exe 2132 Bejdiffp.exe 2132 Bejdiffp.exe 472 Chkmkacq.exe 472 Chkmkacq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aeiecfga.exe Adjhicpo.exe File created C:\Windows\SysWOW64\Plpqim32.exe Pfchqf32.exe File created C:\Windows\SysWOW64\Hgkfkohg.dll Jojloc32.exe File opened for modification C:\Windows\SysWOW64\Lhklha32.exe Ljgkom32.exe File opened for modification C:\Windows\SysWOW64\Lpflkb32.exe Lngpog32.exe File created C:\Windows\SysWOW64\Ipfpae32.dll Aknngo32.exe File opened for modification C:\Windows\SysWOW64\Docopbaf.exe Dcmnja32.exe File opened for modification C:\Windows\SysWOW64\Epqgopbi.exe Eifobe32.exe File opened for modification C:\Windows\SysWOW64\Egmbnkie.exe Enenef32.exe File created C:\Windows\SysWOW64\Ljamki32.dll Qcachc32.exe File created C:\Windows\SysWOW64\Mbchni32.exe Mobomnoq.exe File opened for modification C:\Windows\SysWOW64\Cbbomjnn.exe Ckhfpp32.exe File opened for modification C:\Windows\SysWOW64\Oiahnnji.exe Onldqejb.exe File created C:\Windows\SysWOW64\Hkogpn32.exe Hdeoccgn.exe File created C:\Windows\SysWOW64\Ioliqbjn.exe Ilnmdgkj.exe File opened for modification C:\Windows\SysWOW64\Pgegok32.exe Pqkobqhd.exe File created C:\Windows\SysWOW64\Maoalb32.exe Miclhpjp.exe File created C:\Windows\SysWOW64\Einebddd.exe Enhaeldn.exe File opened for modification C:\Windows\SysWOW64\Oabplobe.exe Opccallb.exe File opened for modification C:\Windows\SysWOW64\Khjgel32.exe Koaclfgl.exe File created C:\Windows\SysWOW64\Bgddam32.exe Bpjldc32.exe File created C:\Windows\SysWOW64\Pffjjc32.dll Iqfiii32.exe File opened for modification C:\Windows\SysWOW64\Ffpkob32.exe Eocfmh32.exe File created C:\Windows\SysWOW64\Epmfgo32.exe Ddfebnoo.exe File created C:\Windows\SysWOW64\Ojacgdmh.dll Gojhafnb.exe File created C:\Windows\SysWOW64\Oeegnj32.exe Oingii32.exe File created C:\Windows\SysWOW64\Pojbkh32.exe Peanbblf.exe File created C:\Windows\SysWOW64\Nebhgckp.dll Edfbaabj.exe File created C:\Windows\SysWOW64\Gniiomgc.dll Jakjjcnd.exe File created C:\Windows\SysWOW64\Jmaebf32.dll Joggci32.exe File created C:\Windows\SysWOW64\Jbclgf32.exe Jgjkfi32.exe File created C:\Windows\SysWOW64\Phklaacg.exe Ojglhm32.exe File created C:\Windows\SysWOW64\Pkhnioha.dll Chblqlcj.exe File created C:\Windows\SysWOW64\Ffpkob32.exe Eocfmh32.exe File created C:\Windows\SysWOW64\Ohnaik32.exe Nadimacd.exe File opened for modification C:\Windows\SysWOW64\Kigndekn.exe Jieaofmp.exe File opened for modification C:\Windows\SysWOW64\Ngneph32.exe Naalga32.exe File created C:\Windows\SysWOW64\Ejilio32.dll Objjnkie.exe File opened for modification C:\Windows\SysWOW64\Dmjlof32.exe Dbdham32.exe File created C:\Windows\SysWOW64\Kodghqop.exe Kflcok32.exe File opened for modification C:\Windows\SysWOW64\Pabncj32.exe Pngbcldl.exe File created C:\Windows\SysWOW64\Idgnjl32.dll Ddblgn32.exe File created C:\Windows\SysWOW64\Hcjilgdb.exe Hjaeba32.exe File created C:\Windows\SysWOW64\Akkoig32.exe Qqfkln32.exe File created C:\Windows\SysWOW64\Epbahp32.dll Iahceq32.exe File opened for modification C:\Windows\SysWOW64\Ffboohnm.exe Fqffgapf.exe File opened for modification C:\Windows\SysWOW64\Ilhlan32.exe Iockhigl.exe File opened for modification C:\Windows\SysWOW64\Fidhof32.exe Egdlec32.exe File opened for modification C:\Windows\SysWOW64\Gbaken32.exe Gjfgqk32.exe File created C:\Windows\SysWOW64\Ccbpgj32.dll Gpelnb32.exe File created C:\Windows\SysWOW64\Hckmla32.dll Bfqpecma.exe File opened for modification C:\Windows\SysWOW64\Bjpaop32.exe Bmlael32.exe File created C:\Windows\SysWOW64\Ajodjfdi.dll Hjhchg32.exe File created C:\Windows\SysWOW64\Fmkhjc32.dll Jolepe32.exe File created C:\Windows\SysWOW64\Fgilkf32.dll Pclhdl32.exe File created C:\Windows\SysWOW64\Jjijkmbi.exe Jqpebg32.exe File created C:\Windows\SysWOW64\Odecai32.dll Icdcllpc.exe File created C:\Windows\SysWOW64\Peeabm32.exe Pnkiebib.exe File created C:\Windows\SysWOW64\Cgpjlnhh.exe Chkmkacq.exe File opened for modification C:\Windows\SysWOW64\Hahlhkhi.exe Hfbhkb32.exe File created C:\Windows\SysWOW64\Gbaken32.exe Gjfgqk32.exe File opened for modification C:\Windows\SysWOW64\Mejlalji.exe Micklk32.exe File created C:\Windows\SysWOW64\Nmcmgm32.exe Nallalep.exe File created C:\Windows\SysWOW64\Aknngo32.exe Aognbnkm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4104 3544 WerFault.exe 976 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohoplja.dll" Ailqfooi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nllbdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbdfgilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpnlndkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghemo32.dll" Nmhqokcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkepk32.dll" Nhllob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plaimk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljplkonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofgbkacb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjbqjiem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kodghqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oibpdico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaebbp32.dll" Jdkjnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bplhnoej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihglhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkabmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lginle32.dll" Kccian32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnnoic32.dll" Pdakniag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gceailog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djghpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnlbgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljamki32.dll" Qcachc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdkjdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjnignob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpegp32.dll" Bpbabf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abiqcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iahhgnkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eiekpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfndae32.dll" Mmkafhnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dihmpinj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmhbgpia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opebpdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll" Qndkpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnofaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elipgofb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mklcadfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djoeki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hajhpgag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oalfhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmmhbd32.dll" Phhjblpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epmfgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecbhdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oqgjdbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbpnkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egmbnkie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbogaqb.dll" Lhklha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapefgai.dll" Pjpnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljecmgch.dll" Aojojl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddblgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opmhqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Banaaa32.dll" Ejohdbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhjgll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdeall32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Miclhpjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnfllod.dll" Knaeeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onmfin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oekhacbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ooemcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epbfmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhfnge32.dll" Gblkoham.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hghillnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldheebad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkjgclg.dll" Kpbhjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgbof32.dll" Pmmcfi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1704 wrote to memory of 2392 1704 351789ab20058da3e8a4d712f838386990c4299be89b0f204740f27351575d29_NeikiAnalytics.exe 28 PID 1704 wrote to memory of 2392 1704 351789ab20058da3e8a4d712f838386990c4299be89b0f204740f27351575d29_NeikiAnalytics.exe 28 PID 1704 wrote to memory of 2392 1704 351789ab20058da3e8a4d712f838386990c4299be89b0f204740f27351575d29_NeikiAnalytics.exe 28 PID 1704 wrote to memory of 2392 1704 351789ab20058da3e8a4d712f838386990c4299be89b0f204740f27351575d29_NeikiAnalytics.exe 28 PID 2392 wrote to memory of 2588 2392 Lmlhnagm.exe 29 PID 2392 wrote to memory of 2588 2392 Lmlhnagm.exe 29 PID 2392 wrote to memory of 2588 2392 Lmlhnagm.exe 29 PID 2392 wrote to memory of 2588 2392 Lmlhnagm.exe 29 PID 2588 wrote to memory of 2612 2588 Mffimglk.exe 30 PID 2588 wrote to memory of 2612 2588 Mffimglk.exe 30 PID 2588 wrote to memory of 2612 2588 Mffimglk.exe 30 PID 2588 wrote to memory of 2612 2588 Mffimglk.exe 30 PID 2612 wrote to memory of 2736 2612 Mponel32.exe 31 PID 2612 wrote to memory of 2736 2612 Mponel32.exe 31 PID 2612 wrote to memory of 2736 2612 Mponel32.exe 31 PID 2612 wrote to memory of 2736 2612 Mponel32.exe 31 PID 2736 wrote to memory of 2460 2736 Melfncqb.exe 32 PID 2736 wrote to memory of 2460 2736 Melfncqb.exe 32 PID 2736 wrote to memory of 2460 2736 Melfncqb.exe 32 PID 2736 wrote to memory of 2460 2736 Melfncqb.exe 32 PID 2460 wrote to memory of 2360 2460 Mdacop32.exe 33 PID 2460 wrote to memory of 2360 2460 Mdacop32.exe 33 PID 2460 wrote to memory of 2360 2460 Mdacop32.exe 33 PID 2460 wrote to memory of 2360 2460 Mdacop32.exe 33 PID 2360 wrote to memory of 772 2360 Moidahcn.exe 34 PID 2360 wrote to memory of 772 2360 Moidahcn.exe 34 PID 2360 wrote to memory of 772 2360 Moidahcn.exe 34 PID 2360 wrote to memory of 772 2360 Moidahcn.exe 34 PID 772 wrote to memory of 2684 772 Nibebfpl.exe 35 PID 772 wrote to memory of 2684 772 Nibebfpl.exe 35 PID 772 wrote to memory of 2684 772 Nibebfpl.exe 35 PID 772 wrote to memory of 2684 772 Nibebfpl.exe 35 PID 2684 wrote to memory of 2304 2684 Ndjfeo32.exe 36 PID 2684 wrote to memory of 2304 2684 Ndjfeo32.exe 36 PID 2684 wrote to memory of 2304 2684 Ndjfeo32.exe 36 PID 2684 wrote to memory of 2304 2684 Ndjfeo32.exe 36 PID 2304 wrote to memory of 2524 2304 Npagjpcd.exe 37 PID 2304 wrote to memory of 2524 2304 Npagjpcd.exe 37 PID 2304 wrote to memory of 2524 2304 Npagjpcd.exe 37 PID 2304 wrote to memory of 2524 2304 Npagjpcd.exe 37 PID 2524 wrote to memory of 1912 2524 Nhllob32.exe 38 PID 2524 wrote to memory of 1912 2524 Nhllob32.exe 38 PID 2524 wrote to memory of 1912 2524 Nhllob32.exe 38 PID 2524 wrote to memory of 1912 2524 Nhllob32.exe 38 PID 1912 wrote to memory of 2844 1912 Ocdmaj32.exe 39 PID 1912 wrote to memory of 2844 1912 Ocdmaj32.exe 39 PID 1912 wrote to memory of 2844 1912 Ocdmaj32.exe 39 PID 1912 wrote to memory of 2844 1912 Ocdmaj32.exe 39 PID 2844 wrote to memory of 1544 2844 Ollajp32.exe 40 PID 2844 wrote to memory of 1544 2844 Ollajp32.exe 40 PID 2844 wrote to memory of 1544 2844 Ollajp32.exe 40 PID 2844 wrote to memory of 1544 2844 Ollajp32.exe 40 PID 1544 wrote to memory of 2084 1544 Oalfhf32.exe 41 PID 1544 wrote to memory of 2084 1544 Oalfhf32.exe 41 PID 1544 wrote to memory of 2084 1544 Oalfhf32.exe 41 PID 1544 wrote to memory of 2084 1544 Oalfhf32.exe 41 PID 2084 wrote to memory of 2248 2084 Ocalkn32.exe 42 PID 2084 wrote to memory of 2248 2084 Ocalkn32.exe 42 PID 2084 wrote to memory of 2248 2084 Ocalkn32.exe 42 PID 2084 wrote to memory of 2248 2084 Ocalkn32.exe 42 PID 2248 wrote to memory of 2024 2248 Pngphgbf.exe 43 PID 2248 wrote to memory of 2024 2248 Pngphgbf.exe 43 PID 2248 wrote to memory of 2024 2248 Pngphgbf.exe 43 PID 2248 wrote to memory of 2024 2248 Pngphgbf.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\351789ab20058da3e8a4d712f838386990c4299be89b0f204740f27351575d29_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\351789ab20058da3e8a4d712f838386990c4299be89b0f204740f27351575d29_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Lmlhnagm.exeC:\Windows\system32\Lmlhnagm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Mponel32.exeC:\Windows\system32\Mponel32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Melfncqb.exeC:\Windows\system32\Melfncqb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Mdacop32.exeC:\Windows\system32\Mdacop32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Moidahcn.exeC:\Windows\system32\Moidahcn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Nibebfpl.exeC:\Windows\system32\Nibebfpl.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Ocdmaj32.exeC:\Windows\system32\Ocdmaj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Ollajp32.exeC:\Windows\system32\Ollajp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Oalfhf32.exeC:\Windows\system32\Oalfhf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Ocalkn32.exeC:\Windows\system32\Ocalkn32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Pngphgbf.exeC:\Windows\system32\Pngphgbf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Pnimnfpc.exeC:\Windows\system32\Pnimnfpc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Pjpnbg32.exeC:\Windows\system32\Pjpnbg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Piekcd32.exeC:\Windows\system32\Piekcd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:752 -
C:\Windows\SysWOW64\Pbnoliap.exeC:\Windows\system32\Pbnoliap.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1008 -
C:\Windows\SysWOW64\Poapfn32.exeC:\Windows\system32\Poapfn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Qkkmqnck.exeC:\Windows\system32\Qkkmqnck.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Akmjfn32.exeC:\Windows\system32\Akmjfn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1392 -
C:\Windows\SysWOW64\Aaloddnn.exeC:\Windows\system32\Aaloddnn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Amcpie32.exeC:\Windows\system32\Amcpie32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Alhmjbhj.exeC:\Windows\system32\Alhmjbhj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Becnhgmg.exeC:\Windows\system32\Becnhgmg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Beejng32.exeC:\Windows\system32\Beejng32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Bjbcfn32.exeC:\Windows\system32\Bjbcfn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Bhfcpb32.exeC:\Windows\system32\Bhfcpb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Bejdiffp.exeC:\Windows\system32\Bejdiffp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Chkmkacq.exeC:\Windows\system32\Chkmkacq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:472 -
C:\Windows\SysWOW64\Cgpjlnhh.exeC:\Windows\system32\Cgpjlnhh.exe33⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Cphndc32.exeC:\Windows\system32\Cphndc32.exe34⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Cmlong32.exeC:\Windows\system32\Cmlong32.exe35⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Cgdcgm32.exeC:\Windows\system32\Cgdcgm32.exe36⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe37⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Dknoaoaj.exeC:\Windows\system32\Dknoaoaj.exe38⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Dciceaoe.exeC:\Windows\system32\Dciceaoe.exe39⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Dnnhbjnk.exeC:\Windows\system32\Dnnhbjnk.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Ddhpod32.exeC:\Windows\system32\Ddhpod32.exe41⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Enqdhj32.exeC:\Windows\system32\Enqdhj32.exe42⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Eobapbbg.exeC:\Windows\system32\Eobapbbg.exe43⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe44⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Eqamje32.exeC:\Windows\system32\Eqamje32.exe45⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Ejjbbkpj.exeC:\Windows\system32\Ejjbbkpj.exe46⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Ebefgm32.exeC:\Windows\system32\Ebefgm32.exe47⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Emkkdf32.exeC:\Windows\system32\Emkkdf32.exe48⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Ebgclm32.exeC:\Windows\system32\Ebgclm32.exe49⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe51⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe52⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Fkdaqa32.exeC:\Windows\system32\Fkdaqa32.exe53⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Fqajihle.exeC:\Windows\system32\Fqajihle.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Ffnbaojm.exeC:\Windows\system32\Ffnbaojm.exe55⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Fpffje32.exeC:\Windows\system32\Fpffje32.exe56⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe57⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Fafcdh32.exeC:\Windows\system32\Fafcdh32.exe58⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe59⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Gfehan32.exeC:\Windows\system32\Gfehan32.exe60⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe61⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Gfgegnbb.exeC:\Windows\system32\Gfgegnbb.exe62⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Gppipc32.exeC:\Windows\system32\Gppipc32.exe63⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Gembhj32.exeC:\Windows\system32\Gembhj32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe65⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Geoonjeg.exeC:\Windows\system32\Geoonjeg.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:432 -
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe67⤵PID:2108
-
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe68⤵
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Hahlhkhi.exeC:\Windows\system32\Hahlhkhi.exe69⤵PID:1808
-
C:\Windows\SysWOW64\Hjqqap32.exeC:\Windows\system32\Hjqqap32.exe70⤵PID:976
-
C:\Windows\SysWOW64\Hdiejfej.exeC:\Windows\system32\Hdiejfej.exe71⤵PID:2208
-
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe72⤵PID:1100
-
C:\Windows\SysWOW64\Hppfog32.exeC:\Windows\system32\Hppfog32.exe73⤵PID:2536
-
C:\Windows\SysWOW64\Helngnie.exeC:\Windows\system32\Helngnie.exe74⤵PID:2196
-
C:\Windows\SysWOW64\Hpbbdfik.exeC:\Windows\system32\Hpbbdfik.exe75⤵PID:2584
-
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe76⤵PID:2608
-
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2908 -
C:\Windows\SysWOW64\Ilkpogmm.exeC:\Windows\system32\Ilkpogmm.exe78⤵PID:2368
-
C:\Windows\SysWOW64\Iahhgnkd.exeC:\Windows\system32\Iahhgnkd.exe79⤵
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Ilnmdgkj.exeC:\Windows\system32\Ilnmdgkj.exe80⤵
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Ioliqbjn.exeC:\Windows\system32\Ioliqbjn.exe81⤵PID:2936
-
C:\Windows\SysWOW64\Ihdmihpn.exeC:\Windows\system32\Ihdmihpn.exe82⤵PID:1596
-
C:\Windows\SysWOW64\Ionefb32.exeC:\Windows\system32\Ionefb32.exe83⤵PID:2120
-
C:\Windows\SysWOW64\Igijkd32.exeC:\Windows\system32\Igijkd32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1420 -
C:\Windows\SysWOW64\Iaonhm32.exeC:\Windows\system32\Iaonhm32.exe85⤵PID:1692
-
C:\Windows\SysWOW64\Jkgcab32.exeC:\Windows\system32\Jkgcab32.exe86⤵PID:2380
-
C:\Windows\SysWOW64\Jpdkii32.exeC:\Windows\system32\Jpdkii32.exe87⤵PID:2060
-
C:\Windows\SysWOW64\Jgncfcaa.exeC:\Windows\system32\Jgncfcaa.exe88⤵PID:2232
-
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe89⤵PID:2296
-
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe90⤵PID:1016
-
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe91⤵PID:1096
-
C:\Windows\SysWOW64\Jolepe32.exeC:\Windows\system32\Jolepe32.exe92⤵
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe93⤵PID:2400
-
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe94⤵PID:2860
-
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe95⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe96⤵PID:2152
-
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe97⤵PID:2520
-
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe98⤵PID:1556
-
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe99⤵PID:2528
-
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe100⤵PID:1700
-
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe101⤵PID:2772
-
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe102⤵PID:696
-
C:\Windows\SysWOW64\Knjegqif.exeC:\Windows\system32\Knjegqif.exe103⤵PID:2804
-
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe104⤵PID:2972
-
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe105⤵PID:768
-
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe106⤵PID:1084
-
C:\Windows\SysWOW64\Ljcbaamh.exeC:\Windows\system32\Ljcbaamh.exe107⤵PID:2324
-
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe108⤵PID:2224
-
C:\Windows\SysWOW64\Lihobnap.exeC:\Windows\system32\Lihobnap.exe109⤵PID:2740
-
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe110⤵PID:2472
-
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe111⤵PID:2828
-
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe112⤵PID:632
-
C:\Windows\SysWOW64\Liminmmk.exeC:\Windows\system32\Liminmmk.exe113⤵PID:1468
-
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe114⤵PID:2516
-
C:\Windows\SysWOW64\Lgbeoibb.exeC:\Windows\system32\Lgbeoibb.exe115⤵PID:1608
-
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:824 -
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe117⤵PID:2220
-
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe118⤵PID:2444
-
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe119⤵PID:1080
-
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe120⤵PID:2580
-
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe121⤵PID:1892
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-