Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
28/06/2024, 17:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a34d227ec33fe644f77f9239e76f77adf7d9cf1eaf604d529ece6e360223f789_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a34d227ec33fe644f77f9239e76f77adf7d9cf1eaf604d529ece6e360223f789_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a34d227ec33fe644f77f9239e76f77adf7d9cf1eaf604d529ece6e360223f789_NeikiAnalytics.exe
-
Size
100KB
-
MD5
63cd27c73de8aa28b719bf9b168568c0
-
SHA1
3a46b7279e61e9e926c0ab6f0ba3074104786387
-
SHA256
a34d227ec33fe644f77f9239e76f77adf7d9cf1eaf604d529ece6e360223f789
-
SHA512
9dc32ad3cd5e88e5843dbef93ae471fbfc2765ba6751c8952bfd9ecc41f52eafe14bc67bf1c16bc90f9cdbbdc6b977e0fc56c9001c20aa82423d09be1b7dff9d
-
SSDEEP
3072:T/rqzdXpoekPaMXfTkVjnyVgb3a3+X13XRzT:DrqpZoega+TQDyC7aOl3BzT
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okchhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meagci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pedleg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgagfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knmhgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pipopl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahokfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfadgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afnagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbqecg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpiojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbomfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ollajp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biafnecn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aehboi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpeekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhpiojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdadnkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpapln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkclhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfoqmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dookgcij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efcfga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qijdocfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjdplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qeohnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dqhhknjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npojdpef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dqjepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pklhlael.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdniqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejkima32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baakhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fekpnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lanaiahq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klnjbbdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkdpanhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bppoqeja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lanaiahq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncancbha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apomfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqqboncb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcmhiojk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmdbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aekodi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okoomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pigeqkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emhlfmgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkhofjoj.exe -
Executes dropped EXE 64 IoCs
pid Process 2064 Klnjbbdh.exe 2708 Kbhbom32.exe 2664 Klqfhbbe.exe 2788 Koocdnai.exe 2784 Kanopipl.exe 2632 Lhggmchi.exe 2596 Loapim32.exe 2980 Lekhfgfc.exe 2776 Lhjdbcef.exe 2208 Lodlom32.exe 1232 Lpeifeca.exe 1340 Lhlqhb32.exe 2180 Lmiipi32.exe 1296 Ladeqhjd.exe 2876 Lganiohl.exe 2920 Lipjejgp.exe 264 Lpjbad32.exe 584 Lgdjnofi.exe 2388 Llqcfe32.exe 1944 Lplogdmj.exe 3068 Loooca32.exe 1556 Midcpj32.exe 1800 Moalhq32.exe 1956 Mcmhiojk.exe 1692 Mkhmma32.exe 2060 Mochnppo.exe 2812 Menakj32.exe 2612 Mofecpnl.exe 2756 Mnieom32.exe 2668 Mhnjle32.exe 2836 Mgajhbkg.exe 2532 Magnek32.exe 2428 Mdejaf32.exe 1280 Mkobnqan.exe 2828 Nnnojlpa.exe 1320 Ngfcca32.exe 1396 Nlblkhei.exe 1636 Ncmdhb32.exe 2192 Nfkpdn32.exe 2864 Nleiqhcg.exe 2224 Ncoamb32.exe 2232 Njiijlbp.exe 596 Nlgefh32.exe 1256 Ncancbha.exe 1796 Nbdnoo32.exe 1140 Nhnfkigh.exe 844 Nkmbgdfl.exe 1344 Nccjhafn.exe 904 Nbfjdn32.exe 2900 Ohqbqhde.exe 2296 Omloag32.exe 2104 Okoomd32.exe 3064 Onmkio32.exe 2764 Ofdcjm32.exe 2808 Oicpfh32.exe 2760 Okalbc32.exe 2432 Onphoo32.exe 1668 Obkdonic.exe 2716 Oiellh32.exe 1904 Okchhc32.exe 1504 Ojficpfn.exe 2840 Oqqapjnk.exe 2848 Ocomlemo.exe 2244 Okfencna.exe -
Loads dropped DLL 64 IoCs
pid Process 1748 a34d227ec33fe644f77f9239e76f77adf7d9cf1eaf604d529ece6e360223f789_NeikiAnalytics.exe 1748 a34d227ec33fe644f77f9239e76f77adf7d9cf1eaf604d529ece6e360223f789_NeikiAnalytics.exe 2064 Klnjbbdh.exe 2064 Klnjbbdh.exe 2708 Kbhbom32.exe 2708 Kbhbom32.exe 2664 Klqfhbbe.exe 2664 Klqfhbbe.exe 2788 Koocdnai.exe 2788 Koocdnai.exe 2784 Kanopipl.exe 2784 Kanopipl.exe 2632 Lhggmchi.exe 2632 Lhggmchi.exe 2596 Loapim32.exe 2596 Loapim32.exe 2980 Lekhfgfc.exe 2980 Lekhfgfc.exe 2776 Lhjdbcef.exe 2776 Lhjdbcef.exe 2208 Lodlom32.exe 2208 Lodlom32.exe 1232 Lpeifeca.exe 1232 Lpeifeca.exe 1340 Lhlqhb32.exe 1340 Lhlqhb32.exe 2180 Lmiipi32.exe 2180 Lmiipi32.exe 1296 Ladeqhjd.exe 1296 Ladeqhjd.exe 2876 Lganiohl.exe 2876 Lganiohl.exe 2920 Lipjejgp.exe 2920 Lipjejgp.exe 264 Lpjbad32.exe 264 Lpjbad32.exe 584 Lgdjnofi.exe 584 Lgdjnofi.exe 2388 Llqcfe32.exe 2388 Llqcfe32.exe 1944 Lplogdmj.exe 1944 Lplogdmj.exe 3068 Loooca32.exe 3068 Loooca32.exe 1556 Midcpj32.exe 1556 Midcpj32.exe 1800 Moalhq32.exe 1800 Moalhq32.exe 1956 Mcmhiojk.exe 1956 Mcmhiojk.exe 1692 Mkhmma32.exe 1692 Mkhmma32.exe 2060 Mochnppo.exe 2060 Mochnppo.exe 2812 Menakj32.exe 2812 Menakj32.exe 2612 Mofecpnl.exe 2612 Mofecpnl.exe 2756 Mnieom32.exe 2756 Mnieom32.exe 2668 Mhnjle32.exe 2668 Mhnjle32.exe 2836 Mgajhbkg.exe 2836 Mgajhbkg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lbeknj32.exe Lojomkdn.exe File opened for modification C:\Windows\SysWOW64\Bdbhke32.exe Bpgljfbl.exe File opened for modification C:\Windows\SysWOW64\Aeqabgoj.exe Afnagk32.exe File created C:\Windows\SysWOW64\Pnbacbac.exe Ppoqge32.exe File created C:\Windows\SysWOW64\Ojhcelga.dll Hkkalk32.exe File created C:\Windows\SysWOW64\Jfojbj32.dll Icpigm32.exe File opened for modification C:\Windows\SysWOW64\Nkbhgojk.exe Nhdlkdkg.exe File opened for modification C:\Windows\SysWOW64\Lfnjef32.dll Eqbddk32.exe File created C:\Windows\SysWOW64\Mmldme32.exe Mkmhaj32.exe File opened for modification C:\Windows\SysWOW64\Bhajdblk.exe Becnhgmg.exe File opened for modification C:\Windows\SysWOW64\Jgnamk32.exe Jcbellac.exe File opened for modification C:\Windows\SysWOW64\Pjadmnic.exe Pkndaa32.exe File created C:\Windows\SysWOW64\Ckgkkllh.dll Dlnbeh32.exe File opened for modification C:\Windows\SysWOW64\Fepiimfg.exe Fbamma32.exe File created C:\Windows\SysWOW64\Igchlf32.exe Ichllgfb.exe File opened for modification C:\Windows\SysWOW64\Ljmlbfhi.exe Lbfdaigg.exe File created C:\Windows\SysWOW64\Pphjgfqq.exe Paejki32.exe File created C:\Windows\SysWOW64\Cdgneh32.exe Cpkbdiqb.exe File created C:\Windows\SysWOW64\Fjongcbl.exe Fllnlg32.exe File created C:\Windows\SysWOW64\Aliolp32.dll Oopfakpa.exe File created C:\Windows\SysWOW64\Gooqhm32.dll Okoomd32.exe File created C:\Windows\SysWOW64\Jamfqeie.dll Epdkli32.exe File created C:\Windows\SysWOW64\Jeccgbbh.dll Filldb32.exe File created C:\Windows\SysWOW64\Ifnechbj.exe Icpigm32.exe File created C:\Windows\SysWOW64\Eiiddiab.dll Jnicmdli.exe File opened for modification C:\Windows\SysWOW64\Ajbggjfq.exe Afgkfl32.exe File created C:\Windows\SysWOW64\Klealkpf.dll Lekhfgfc.exe File opened for modification C:\Windows\SysWOW64\Hgilchkf.exe Hcnpbi32.exe File opened for modification C:\Windows\SysWOW64\Qcpofbjl.exe Qpecfc32.exe File opened for modification C:\Windows\SysWOW64\Dfdjhndl.exe Dbhnhp32.exe File opened for modification C:\Windows\SysWOW64\Fhneehek.exe Fikejl32.exe File created C:\Windows\SysWOW64\Effqclic.dll Mlcbenjb.exe File created C:\Windows\SysWOW64\Ioijbj32.exe Ilknfn32.exe File opened for modification C:\Windows\SysWOW64\Nceclqan.exe Njlockkm.exe File created C:\Windows\SysWOW64\Bdgafdfp.exe Blpjegfm.exe File created C:\Windows\SysWOW64\Kbmnmk32.dll Jfcnngnd.exe File created C:\Windows\SysWOW64\Fenmdm32.exe Fbopgb32.exe File created C:\Windows\SysWOW64\Jneohcll.dll Anccmo32.exe File created C:\Windows\SysWOW64\Ceodnl32.exe Cadhnmnm.exe File created C:\Windows\SysWOW64\Qjknnbed.exe Qlhnbf32.exe File opened for modification C:\Windows\SysWOW64\Cgpgce32.exe Ccdlbf32.exe File created C:\Windows\SysWOW64\Cfgaiaci.exe Cciemedf.exe File created C:\Windows\SysWOW64\Flcnijgi.dll Dfgmhd32.exe File created C:\Windows\SysWOW64\Kaaijdgn.exe Jnclnihj.exe File opened for modification C:\Windows\SysWOW64\Mkclhl32.exe Mhdplq32.exe File opened for modification C:\Windows\SysWOW64\Ejhlgaeh.exe Ekelld32.exe File created C:\Windows\SysWOW64\Eccmffjf.exe Eqdajkkb.exe File created C:\Windows\SysWOW64\Afcklihm.dll Ichllgfb.exe File created C:\Windows\SysWOW64\Ikhjki32.exe Ihjnom32.exe File created C:\Windows\SysWOW64\Ookmfk32.exe Okoafmkm.exe File opened for modification C:\Windows\SysWOW64\Hpkjko32.exe Hmlnoc32.exe File opened for modification C:\Windows\SysWOW64\Llnofpcg.exe Ldfgebbe.exe File opened for modification C:\Windows\SysWOW64\Chnqkg32.exe Ceodnl32.exe File created C:\Windows\SysWOW64\Blkepk32.dll Oohqqlei.exe File opened for modification C:\Windows\SysWOW64\Qkhpkoen.exe Qijdocfj.exe File created C:\Windows\SysWOW64\Fcihoc32.dll Ngfflj32.exe File created C:\Windows\SysWOW64\Fekagf32.dll Agfgqo32.exe File opened for modification C:\Windows\SysWOW64\Okchhc32.exe Oiellh32.exe File created C:\Windows\SysWOW64\Fioija32.exe Fjlhneio.exe File created C:\Windows\SysWOW64\Hpkjko32.exe Hmlnoc32.exe File created C:\Windows\SysWOW64\Bdbhke32.exe Bpgljfbl.exe File created C:\Windows\SysWOW64\Kkmgjljo.dll Iamimc32.exe File opened for modification C:\Windows\SysWOW64\Iapebchh.exe Icmegf32.exe File created C:\Windows\SysWOW64\Bkglameg.exe Bfkpqn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9296 9260 WerFault.exe 1028 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglpkenb.dll" Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dggcffhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdjfphi.dll" Lckdanld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kneicieh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll" Bjbcfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iajcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bakbapml.dll" Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimofi32.dll" Gdniqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbgkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeohn32.dll" Bpcbqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmmiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbkdjjal.dll" Paggai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qedhdjnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pokieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piekcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" Eecqjpee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmhmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfeho32.dll" Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpehocqo.dll" Hakphqja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbpgggol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbgnak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahgnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfoqmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpiddoma.dll" Cohigamf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mabgcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdkgocpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpmlkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghfbqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjmhe32.dll" Ijeghgoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jqfffqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kokbpahm.dll" Kgbggnhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckccgane.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emnndlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkkgcp32.dll" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnippoha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Migbnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkfceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgpeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eloemi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpgfki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knklagmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hanedg32.dll" Nljddpfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemkjqde.dll" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loinmo32.dll" Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdgapkm.dll" Jqilooij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhgoi32.dll" Jkoplhip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbhhkda.dll" Pgpeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll" Aeenochi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll" Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Loeebl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gegfdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gopkmhjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inkaippf.dll" Ofhick32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqdajkkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccfcekqe.dll" Jjpcbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqpnhgek.dll" Oqqapjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhhcgj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1748 wrote to memory of 2064 1748 a34d227ec33fe644f77f9239e76f77adf7d9cf1eaf604d529ece6e360223f789_NeikiAnalytics.exe 28 PID 1748 wrote to memory of 2064 1748 a34d227ec33fe644f77f9239e76f77adf7d9cf1eaf604d529ece6e360223f789_NeikiAnalytics.exe 28 PID 1748 wrote to memory of 2064 1748 a34d227ec33fe644f77f9239e76f77adf7d9cf1eaf604d529ece6e360223f789_NeikiAnalytics.exe 28 PID 1748 wrote to memory of 2064 1748 a34d227ec33fe644f77f9239e76f77adf7d9cf1eaf604d529ece6e360223f789_NeikiAnalytics.exe 28 PID 2064 wrote to memory of 2708 2064 Klnjbbdh.exe 29 PID 2064 wrote to memory of 2708 2064 Klnjbbdh.exe 29 PID 2064 wrote to memory of 2708 2064 Klnjbbdh.exe 29 PID 2064 wrote to memory of 2708 2064 Klnjbbdh.exe 29 PID 2708 wrote to memory of 2664 2708 Kbhbom32.exe 30 PID 2708 wrote to memory of 2664 2708 Kbhbom32.exe 30 PID 2708 wrote to memory of 2664 2708 Kbhbom32.exe 30 PID 2708 wrote to memory of 2664 2708 Kbhbom32.exe 30 PID 2664 wrote to memory of 2788 2664 Klqfhbbe.exe 31 PID 2664 wrote to memory of 2788 2664 Klqfhbbe.exe 31 PID 2664 wrote to memory of 2788 2664 Klqfhbbe.exe 31 PID 2664 wrote to memory of 2788 2664 Klqfhbbe.exe 31 PID 2788 wrote to memory of 2784 2788 Koocdnai.exe 32 PID 2788 wrote to memory of 2784 2788 Koocdnai.exe 32 PID 2788 wrote to memory of 2784 2788 Koocdnai.exe 32 PID 2788 wrote to memory of 2784 2788 Koocdnai.exe 32 PID 2784 wrote to memory of 2632 2784 Kanopipl.exe 33 PID 2784 wrote to memory of 2632 2784 Kanopipl.exe 33 PID 2784 wrote to memory of 2632 2784 Kanopipl.exe 33 PID 2784 wrote to memory of 2632 2784 Kanopipl.exe 33 PID 2632 wrote to memory of 2596 2632 Lhggmchi.exe 34 PID 2632 wrote to memory of 2596 2632 Lhggmchi.exe 34 PID 2632 wrote to memory of 2596 2632 Lhggmchi.exe 34 PID 2632 wrote to memory of 2596 2632 Lhggmchi.exe 34 PID 2596 wrote to memory of 2980 2596 Loapim32.exe 35 PID 2596 wrote to memory of 2980 2596 Loapim32.exe 35 PID 2596 wrote to memory of 2980 2596 Loapim32.exe 35 PID 2596 wrote to memory of 2980 2596 Loapim32.exe 35 PID 2980 wrote to memory of 2776 2980 Lekhfgfc.exe 36 PID 2980 wrote to memory of 2776 2980 Lekhfgfc.exe 36 PID 2980 wrote to memory of 2776 2980 Lekhfgfc.exe 36 PID 2980 wrote to memory of 2776 2980 Lekhfgfc.exe 36 PID 2776 wrote to memory of 2208 2776 Lhjdbcef.exe 37 PID 2776 wrote to memory of 2208 2776 Lhjdbcef.exe 37 PID 2776 wrote to memory of 2208 2776 Lhjdbcef.exe 37 PID 2776 wrote to memory of 2208 2776 Lhjdbcef.exe 37 PID 2208 wrote to memory of 1232 2208 Lodlom32.exe 38 PID 2208 wrote to memory of 1232 2208 Lodlom32.exe 38 PID 2208 wrote to memory of 1232 2208 Lodlom32.exe 38 PID 2208 wrote to memory of 1232 2208 Lodlom32.exe 38 PID 1232 wrote to memory of 1340 1232 Lpeifeca.exe 39 PID 1232 wrote to memory of 1340 1232 Lpeifeca.exe 39 PID 1232 wrote to memory of 1340 1232 Lpeifeca.exe 39 PID 1232 wrote to memory of 1340 1232 Lpeifeca.exe 39 PID 1340 wrote to memory of 2180 1340 Lhlqhb32.exe 40 PID 1340 wrote to memory of 2180 1340 Lhlqhb32.exe 40 PID 1340 wrote to memory of 2180 1340 Lhlqhb32.exe 40 PID 1340 wrote to memory of 2180 1340 Lhlqhb32.exe 40 PID 2180 wrote to memory of 1296 2180 Lmiipi32.exe 41 PID 2180 wrote to memory of 1296 2180 Lmiipi32.exe 41 PID 2180 wrote to memory of 1296 2180 Lmiipi32.exe 41 PID 2180 wrote to memory of 1296 2180 Lmiipi32.exe 41 PID 1296 wrote to memory of 2876 1296 Ladeqhjd.exe 42 PID 1296 wrote to memory of 2876 1296 Ladeqhjd.exe 42 PID 1296 wrote to memory of 2876 1296 Ladeqhjd.exe 42 PID 1296 wrote to memory of 2876 1296 Ladeqhjd.exe 42 PID 2876 wrote to memory of 2920 2876 Lganiohl.exe 43 PID 2876 wrote to memory of 2920 2876 Lganiohl.exe 43 PID 2876 wrote to memory of 2920 2876 Lganiohl.exe 43 PID 2876 wrote to memory of 2920 2876 Lganiohl.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a34d227ec33fe644f77f9239e76f77adf7d9cf1eaf604d529ece6e360223f789_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a34d227ec33fe644f77f9239e76f77adf7d9cf1eaf604d529ece6e360223f789_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:264 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe33⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe34⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe35⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe36⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe37⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe38⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe39⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe40⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe41⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe42⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe43⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe44⤵
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe46⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe47⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe48⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe49⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe50⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe51⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe52⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe54⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe55⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe56⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe57⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe58⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe59⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe62⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe64⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe65⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe66⤵PID:2412
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe67⤵PID:1096
-
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe68⤵PID:1080
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe69⤵PID:1584
-
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe70⤵PID:1968
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe71⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe72⤵PID:892
-
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe73⤵PID:2292
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe74⤵PID:2748
-
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2636 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe76⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe77⤵PID:2688
-
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe78⤵PID:1852
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe79⤵PID:2824
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe80⤵PID:1656
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1028 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe82⤵PID:2120
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe83⤵PID:2228
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe84⤵PID:708
-
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe85⤵
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe86⤵PID:2324
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe87⤵PID:324
-
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1576 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe89⤵PID:3024
-
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe90⤵PID:2528
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe91⤵PID:2656
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe92⤵PID:860
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe93⤵
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe94⤵PID:2196
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe95⤵PID:1912
-
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe96⤵PID:764
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe97⤵PID:2376
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe98⤵PID:2396
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe99⤵PID:2240
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe100⤵PID:1084
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe101⤵PID:836
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe102⤵PID:2476
-
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe103⤵PID:1716
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe104⤵PID:3040
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe105⤵PID:2768
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe106⤵PID:2576
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe107⤵PID:2968
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2200 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe109⤵PID:1436
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe111⤵PID:472
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe112⤵PID:1536
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe113⤵PID:1400
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe114⤵PID:2052
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe115⤵PID:1244
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe116⤵PID:2556
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe117⤵PID:2564
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe118⤵PID:2204
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe119⤵PID:812
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1756 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe121⤵PID:1480
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-