Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 20:22
Behavioral task
behavioral1
Sample
ebf40f084bec019aedcef8615e5daeb0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
ebf40f084bec019aedcef8615e5daeb0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
ebf40f084bec019aedcef8615e5daeb0_NeikiAnalytics.exe
-
Size
94KB
-
MD5
ebf40f084bec019aedcef8615e5daeb0
-
SHA1
7e274c28400c62e1118672f18a3c9b6fbe5fca75
-
SHA256
064769443b61f10848549b1c20c5b4e8593ba71f1141b6d53d042d05e8ab57d9
-
SHA512
45a604690741b95430e76d96c2e376695230b16c9c13d543c20c570a95ad396186b7e7fba103de7d6da67bfb1783d2515125fa6995309e6d6a5e23b728ef7473
-
SSDEEP
1536:NnMoVYM7fksB3svI1oJTZGKiy70B2L4aIZTJ+7LhkiB0MPiKeEAgv:NnHr7fkq3svdZiy70a4aMU7uihJ5v
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieliebnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcahmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojnko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmdhcddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeaoab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcklgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfckahdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfifmnij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgpogili.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccqkigkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbcilkjg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdeqhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncdgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkmhlekj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meiaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nknobkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclneicb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclgkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dejacond.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hninbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famjkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giinpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oocddono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqpbglno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhcjq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchhggno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odkjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqmidndd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkdcbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgppmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lphfpbdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhidjpqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldohebqh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmcdq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpcmga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdafnpqh.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000c000000023370-7.dat family_berbew behavioral2/files/0x00070000000233f5-16.dat family_berbew behavioral2/files/0x00070000000233f7-23.dat family_berbew behavioral2/files/0x00070000000233f9-32.dat family_berbew behavioral2/files/0x00070000000233fb-39.dat family_berbew behavioral2/files/0x00070000000233fd-47.dat family_berbew behavioral2/files/0x00070000000233ff-55.dat family_berbew behavioral2/files/0x0007000000023401-63.dat family_berbew behavioral2/files/0x0007000000023403-71.dat family_berbew behavioral2/files/0x0007000000023405-80.dat family_berbew behavioral2/files/0x0007000000023407-88.dat family_berbew behavioral2/files/0x0007000000023409-97.dat family_berbew behavioral2/files/0x000700000002340b-106.dat family_berbew behavioral2/files/0x000700000002340d-115.dat family_berbew behavioral2/files/0x000700000002340f-125.dat family_berbew behavioral2/files/0x0007000000023411-133.dat family_berbew behavioral2/files/0x0007000000023413-143.dat family_berbew behavioral2/files/0x0007000000023415-152.dat family_berbew behavioral2/files/0x0007000000023417-160.dat family_berbew behavioral2/files/0x0007000000023419-164.dat family_berbew behavioral2/files/0x000700000002341b-178.dat family_berbew behavioral2/files/0x00090000000233f2-187.dat family_berbew behavioral2/files/0x000700000002341e-191.dat family_berbew behavioral2/files/0x0007000000023420-206.dat family_berbew behavioral2/files/0x0007000000023422-214.dat family_berbew behavioral2/files/0x0008000000023424-224.dat family_berbew behavioral2/files/0x0007000000023427-233.dat family_berbew behavioral2/files/0x0008000000023429-241.dat family_berbew behavioral2/files/0x000700000002342c-250.dat family_berbew behavioral2/files/0x000700000002342e-259.dat family_berbew behavioral2/files/0x0007000000023430-268.dat family_berbew behavioral2/files/0x0007000000023432-277.dat family_berbew behavioral2/files/0x0007000000023438-295.dat family_berbew behavioral2/files/0x0007000000023442-327.dat family_berbew behavioral2/files/0x000700000002347b-523.dat family_berbew behavioral2/files/0x00070000000234a2-668.dat family_berbew behavioral2/files/0x00070000000234ca-806.dat family_berbew behavioral2/files/0x00070000000234d4-841.dat family_berbew behavioral2/files/0x00070000000234d8-854.dat family_berbew behavioral2/files/0x00070000000234dc-868.dat family_berbew behavioral2/files/0x00070000000234e0-882.dat family_berbew behavioral2/files/0x00070000000234e4-896.dat family_berbew behavioral2/files/0x00070000000234ec-924.dat family_berbew behavioral2/files/0x00070000000234f6-959.dat family_berbew behavioral2/files/0x00070000000234fa-973.dat family_berbew behavioral2/files/0x0007000000023508-1021.dat family_berbew behavioral2/files/0x0007000000023512-1056.dat family_berbew behavioral2/files/0x000700000002351c-1091.dat family_berbew behavioral2/files/0x0007000000023524-1119.dat family_berbew behavioral2/files/0x000700000002352a-1140.dat family_berbew behavioral2/files/0x0007000000023534-1175.dat family_berbew behavioral2/files/0x000700000002353c-1203.dat family_berbew behavioral2/files/0x0007000000023544-1231.dat family_berbew behavioral2/files/0x0007000000023552-1280.dat family_berbew behavioral2/files/0x0007000000023558-1301.dat family_berbew behavioral2/files/0x000700000002355c-1315.dat family_berbew behavioral2/files/0x000700000002355e-1323.dat family_berbew behavioral2/files/0x0007000000023566-1350.dat family_berbew behavioral2/files/0x000700000002356c-1371.dat family_berbew behavioral2/files/0x0007000000023570-1385.dat family_berbew behavioral2/files/0x0007000000023578-1412.dat family_berbew behavioral2/files/0x0007000000023580-1441.dat family_berbew behavioral2/files/0x0007000000023586-1461.dat family_berbew behavioral2/files/0x0007000000023592-1503.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2116 Lkdggmlj.exe 3660 Lpappc32.exe 3008 Ldmlpbbj.exe 1804 Lijdhiaa.exe 2420 Ldohebqh.exe 4484 Lcbiao32.exe 4996 Lilanioo.exe 3448 Ldaeka32.exe 1988 Lgpagm32.exe 1824 Ljnnch32.exe 512 Lphfpbdi.exe 3920 Lknjmkdo.exe 1452 Mahbje32.exe 4168 Mdfofakp.exe 2100 Mjcgohig.exe 4472 Mpmokb32.exe 4720 Mcklgm32.exe 4960 Mkbchk32.exe 4056 Mjhqjg32.exe 4852 Mpaifalo.exe 5020 Mcpebmkb.exe 2876 Mjjmog32.exe 2180 Mdpalp32.exe 2164 Mgnnhk32.exe 2060 Nqfbaq32.exe 1876 Nklfoi32.exe 4224 Nnjbke32.exe 2692 Nddkgonp.exe 4628 Njacpf32.exe 4712 Nqklmpdd.exe 4900 Nkqpjidj.exe 1196 Nnolfdcn.exe 4504 Ncldnkae.exe 3972 Nnaikd32.exe 2216 Nqpego32.exe 3464 Ncnadk32.exe 4548 Okeieh32.exe 4608 Ondeac32.exe 1912 Oqbamo32.exe 2284 Odnnnnfe.exe 2240 Ojjffddl.exe 4256 Obangb32.exe 2860 Occkojkm.exe 4680 Ojmcld32.exe 1096 Odbgim32.exe 332 Okloegjl.exe 5100 Oqihnn32.exe 444 Ocgdji32.exe 4488 Okolkg32.exe 2244 Odgqdlnj.exe 2004 Pgemphmn.exe 2008 Pclneicb.exe 2752 Pkceffcd.exe 4476 Pqpnombl.exe 3980 Pcojkhap.exe 2936 Pkfblfab.exe 4468 Pjhbgb32.exe 932 Pbpjhp32.exe 1268 Pabkdmpi.exe 3000 Pcagphom.exe 2356 Pgmcqggf.exe 4788 Pkhoae32.exe 4676 Pnfkma32.exe 1900 Paegjl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pnfdcjkg.exe Pgllfp32.exe File created C:\Windows\SysWOW64\Ldlghq32.dll Hoogfnnb.exe File created C:\Windows\SysWOW64\Ipgocj32.dll Qhakoa32.exe File created C:\Windows\SysWOW64\Inagcf32.dll Lbpdblmo.exe File created C:\Windows\SysWOW64\Hiacfqch.dll Jlkipgpe.exe File created C:\Windows\SysWOW64\Maiccajf.exe Process not Found File created C:\Windows\SysWOW64\Qemhbj32.exe Process not Found File created C:\Windows\SysWOW64\Dikngm32.dll Pgemphmn.exe File opened for modification C:\Windows\SysWOW64\Affikdfn.exe Process not Found File created C:\Windows\SysWOW64\Olekop32.dll Process not Found File created C:\Windows\SysWOW64\Heomgj32.dll Fojlngce.exe File created C:\Windows\SysWOW64\Gdbqla32.dll Emehdh32.exe File created C:\Windows\SysWOW64\Ihbponja.exe Process not Found File created C:\Windows\SysWOW64\Paegjl32.exe Pnfkma32.exe File created C:\Windows\SysWOW64\Ncjginjn.exe Nplkmckj.exe File created C:\Windows\SysWOW64\Ioopml32.exe Iiehpahb.exe File opened for modification C:\Windows\SysWOW64\Eonehbjg.exe Eggmge32.exe File created C:\Windows\SysWOW64\Gbemad32.dll Gijekg32.exe File created C:\Windows\SysWOW64\Oohgdhfn.exe Oiknlagg.exe File opened for modification C:\Windows\SysWOW64\Caqpkjcl.exe Process not Found File created C:\Windows\SysWOW64\Enoogcin.dll Hijooifk.exe File created C:\Windows\SysWOW64\Nhmkghpm.dll Qecppkdm.exe File opened for modification C:\Windows\SysWOW64\Kjjbjd32.exe Process not Found File created C:\Windows\SysWOW64\Bhkhop32.dll Process not Found File created C:\Windows\SysWOW64\Odgqdlnj.exe Okolkg32.exe File created C:\Windows\SysWOW64\Ifndpaoq.dll Njqmepik.exe File created C:\Windows\SysWOW64\Lgpjggdi.dll Ghipne32.exe File opened for modification C:\Windows\SysWOW64\Lomqcjie.exe Process not Found File created C:\Windows\SysWOW64\Ekjded32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Adcmmeog.exe Aaepqjpd.exe File opened for modification C:\Windows\SysWOW64\Cfcqpa32.exe Cpihcgoa.exe File created C:\Windows\SysWOW64\Eemfmoce.dll Jhndljll.exe File opened for modification C:\Windows\SysWOW64\Aomifecf.exe Alnmjjdb.exe File opened for modification C:\Windows\SysWOW64\Dhbebj32.exe Process not Found File created C:\Windows\SysWOW64\Odaodc32.dll Process not Found File created C:\Windows\SysWOW64\Cpihcgoa.exe Cmklglpn.exe File opened for modification C:\Windows\SysWOW64\Pofjpl32.exe Phlacbfm.exe File created C:\Windows\SysWOW64\Fkffog32.exe Fbnafb32.exe File created C:\Windows\SysWOW64\Pcpopjlq.dll Bhkhibmc.exe File created C:\Windows\SysWOW64\Pognhd32.dll Meamcg32.exe File created C:\Windows\SysWOW64\Hmkigh32.exe Process not Found File created C:\Windows\SysWOW64\Ickglm32.exe Process not Found File created C:\Windows\SysWOW64\Klcekpdo.exe Process not Found File created C:\Windows\SysWOW64\Mfchlbfd.exe Process not Found File created C:\Windows\SysWOW64\Mfenglqf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ldmlpbbj.exe Lpappc32.exe File created C:\Windows\SysWOW64\Nepgjaeg.exe Ncbknfed.exe File opened for modification C:\Windows\SysWOW64\Cajjjk32.exe Process not Found File created C:\Windows\SysWOW64\Cajcbgml.exe Colffknh.exe File created C:\Windows\SysWOW64\Eagaoh32.exe Eipinkib.exe File opened for modification C:\Windows\SysWOW64\Ikejgf32.exe Ihgnkkbd.exe File created C:\Windows\SysWOW64\Cfnqklgh.exe Ccpdoqgd.exe File created C:\Windows\SysWOW64\Ahbohd32.dll Process not Found File created C:\Windows\SysWOW64\Pmjqhl32.dll Pcagphom.exe File created C:\Windows\SysWOW64\Inpocg32.dll Kedoge32.exe File created C:\Windows\SysWOW64\Fmjkjk32.dll Cjmgfgdf.exe File opened for modification C:\Windows\SysWOW64\Indfca32.exe Ikejgf32.exe File opened for modification C:\Windows\SysWOW64\Pdhbmh32.exe Process not Found File created C:\Windows\SysWOW64\Icbcjhfb.dll Process not Found File created C:\Windows\SysWOW64\Abfdpfaj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ahmlgd32.exe Aeopki32.exe File opened for modification C:\Windows\SysWOW64\Nplkmckj.exe Nheble32.exe File created C:\Windows\SysWOW64\Nemmoe32.exe Nbnpcj32.exe File created C:\Windows\SysWOW64\Afmfkjol.dll Achegd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5492 16068 Process not Found 1814 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poajkgnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll" Nnjbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll" Cjmgfgdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lihfcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbackgod.dll" Cjaifp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efmmmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnjejjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhidjpqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhielqhi.dll" Jbkbpoog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkhoae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cegjejoc.dll" Dboigi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfameb32.dll" Mhicpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kninjc32.dll" Edjgfcec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdinljnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioodcbn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inojnf32.dll" Llbidimc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgnkhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phedhmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Golneb32.dll" Gmiclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkmhlekj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdqejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhgfkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfjgaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opngmi32.dll" Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djiono32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faoiogei.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlndj32.dll" Fehfljca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llipehgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oemnpgle.dll" Oldamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcagphom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alabgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqdeld32.dll" Kimnbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Megdccmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghlhg32.dll" Indmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idmdhm32.dll" Lbjelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplpihjd.dll" Dakacjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehfjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlbkap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obafpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjfdocc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddgkpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihdpk32.dll" Nchjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbddfmgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkamodje.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngckdnpn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcklgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kadcjkfm.dll" Cfnqklgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmbai32.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4440 wrote to memory of 2116 4440 ebf40f084bec019aedcef8615e5daeb0_NeikiAnalytics.exe 81 PID 4440 wrote to memory of 2116 4440 ebf40f084bec019aedcef8615e5daeb0_NeikiAnalytics.exe 81 PID 4440 wrote to memory of 2116 4440 ebf40f084bec019aedcef8615e5daeb0_NeikiAnalytics.exe 81 PID 2116 wrote to memory of 3660 2116 Lkdggmlj.exe 82 PID 2116 wrote to memory of 3660 2116 Lkdggmlj.exe 82 PID 2116 wrote to memory of 3660 2116 Lkdggmlj.exe 82 PID 3660 wrote to memory of 3008 3660 Lpappc32.exe 84 PID 3660 wrote to memory of 3008 3660 Lpappc32.exe 84 PID 3660 wrote to memory of 3008 3660 Lpappc32.exe 84 PID 3008 wrote to memory of 1804 3008 Ldmlpbbj.exe 85 PID 3008 wrote to memory of 1804 3008 Ldmlpbbj.exe 85 PID 3008 wrote to memory of 1804 3008 Ldmlpbbj.exe 85 PID 1804 wrote to memory of 2420 1804 Lijdhiaa.exe 87 PID 1804 wrote to memory of 2420 1804 Lijdhiaa.exe 87 PID 1804 wrote to memory of 2420 1804 Lijdhiaa.exe 87 PID 2420 wrote to memory of 4484 2420 Ldohebqh.exe 88 PID 2420 wrote to memory of 4484 2420 Ldohebqh.exe 88 PID 2420 wrote to memory of 4484 2420 Ldohebqh.exe 88 PID 4484 wrote to memory of 4996 4484 Lcbiao32.exe 90 PID 4484 wrote to memory of 4996 4484 Lcbiao32.exe 90 PID 4484 wrote to memory of 4996 4484 Lcbiao32.exe 90 PID 4996 wrote to memory of 3448 4996 Lilanioo.exe 91 PID 4996 wrote to memory of 3448 4996 Lilanioo.exe 91 PID 4996 wrote to memory of 3448 4996 Lilanioo.exe 91 PID 3448 wrote to memory of 1988 3448 Ldaeka32.exe 92 PID 3448 wrote to memory of 1988 3448 Ldaeka32.exe 92 PID 3448 wrote to memory of 1988 3448 Ldaeka32.exe 92 PID 1988 wrote to memory of 1824 1988 Lgpagm32.exe 93 PID 1988 wrote to memory of 1824 1988 Lgpagm32.exe 93 PID 1988 wrote to memory of 1824 1988 Lgpagm32.exe 93 PID 1824 wrote to memory of 512 1824 Ljnnch32.exe 94 PID 1824 wrote to memory of 512 1824 Ljnnch32.exe 94 PID 1824 wrote to memory of 512 1824 Ljnnch32.exe 94 PID 512 wrote to memory of 3920 512 Lphfpbdi.exe 95 PID 512 wrote to memory of 3920 512 Lphfpbdi.exe 95 PID 512 wrote to memory of 3920 512 Lphfpbdi.exe 95 PID 3920 wrote to memory of 1452 3920 Lknjmkdo.exe 96 PID 3920 wrote to memory of 1452 3920 Lknjmkdo.exe 96 PID 3920 wrote to memory of 1452 3920 Lknjmkdo.exe 96 PID 1452 wrote to memory of 4168 1452 Mahbje32.exe 97 PID 1452 wrote to memory of 4168 1452 Mahbje32.exe 97 PID 1452 wrote to memory of 4168 1452 Mahbje32.exe 97 PID 4168 wrote to memory of 2100 4168 Mdfofakp.exe 98 PID 4168 wrote to memory of 2100 4168 Mdfofakp.exe 98 PID 4168 wrote to memory of 2100 4168 Mdfofakp.exe 98 PID 2100 wrote to memory of 4472 2100 Mjcgohig.exe 99 PID 2100 wrote to memory of 4472 2100 Mjcgohig.exe 99 PID 2100 wrote to memory of 4472 2100 Mjcgohig.exe 99 PID 4472 wrote to memory of 4720 4472 Mpmokb32.exe 100 PID 4472 wrote to memory of 4720 4472 Mpmokb32.exe 100 PID 4472 wrote to memory of 4720 4472 Mpmokb32.exe 100 PID 4720 wrote to memory of 4960 4720 Mcklgm32.exe 101 PID 4720 wrote to memory of 4960 4720 Mcklgm32.exe 101 PID 4720 wrote to memory of 4960 4720 Mcklgm32.exe 101 PID 4960 wrote to memory of 4056 4960 Mkbchk32.exe 102 PID 4960 wrote to memory of 4056 4960 Mkbchk32.exe 102 PID 4960 wrote to memory of 4056 4960 Mkbchk32.exe 102 PID 4056 wrote to memory of 4852 4056 Mjhqjg32.exe 103 PID 4056 wrote to memory of 4852 4056 Mjhqjg32.exe 103 PID 4056 wrote to memory of 4852 4056 Mjhqjg32.exe 103 PID 4852 wrote to memory of 5020 4852 Mpaifalo.exe 104 PID 4852 wrote to memory of 5020 4852 Mpaifalo.exe 104 PID 4852 wrote to memory of 5020 4852 Mpaifalo.exe 104 PID 5020 wrote to memory of 2876 5020 Mcpebmkb.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\ebf40f084bec019aedcef8615e5daeb0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ebf40f084bec019aedcef8615e5daeb0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe23⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe24⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe25⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe26⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe27⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:4224 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe29⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe30⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Nqklmpdd.exeC:\Windows\system32\Nqklmpdd.exe31⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe32⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe33⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe34⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe35⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe36⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe37⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe38⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe39⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe40⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe41⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe42⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe43⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe44⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe45⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe46⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe47⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe48⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe49⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4488 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe51⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe54⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe55⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe56⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe57⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe58⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe59⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe60⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe62⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:4788 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4676 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe65⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe66⤵PID:804
-
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe67⤵PID:1808
-
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe68⤵PID:1648
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe69⤵PID:4016
-
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe70⤵PID:2200
-
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe71⤵
- Drops file in System32 directory
PID:4824 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe72⤵PID:2796
-
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe74⤵PID:1408
-
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe75⤵PID:3868
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe76⤵PID:2128
-
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe77⤵PID:1892
-
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe78⤵PID:3656
-
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe79⤵PID:4568
-
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe80⤵PID:3184
-
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe81⤵
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe82⤵PID:4304
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe83⤵PID:4848
-
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe84⤵PID:4944
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe85⤵PID:3700
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe86⤵PID:2652
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe87⤵PID:1140
-
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe88⤵PID:868
-
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe89⤵PID:4932
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe90⤵PID:4028
-
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe91⤵PID:1732
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe92⤵PID:3856
-
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe93⤵PID:2416
-
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe94⤵
- Drops file in System32 directory
PID:3676 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe95⤵PID:1612
-
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe96⤵PID:608
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe97⤵PID:1536
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe98⤵
- Drops file in System32 directory
PID:4756 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe99⤵PID:3396
-
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe100⤵PID:2144
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe101⤵PID:3048
-
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe102⤵PID:3816
-
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe103⤵PID:544
-
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe104⤵PID:5140
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe105⤵PID:5184
-
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe106⤵PID:5228
-
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe107⤵PID:5272
-
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe108⤵PID:5316
-
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe109⤵PID:5360
-
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe110⤵PID:5404
-
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe111⤵PID:5448
-
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe112⤵PID:5492
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe113⤵PID:5536
-
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe114⤵PID:5580
-
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe115⤵PID:5624
-
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe116⤵PID:5668
-
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe117⤵
- Drops file in System32 directory
PID:5708 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe118⤵PID:5752
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe119⤵PID:5796
-
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe120⤵PID:5840
-
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5884
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-