Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
21/05/2024, 11:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3f48116a04f06b2a08f91f41826e785fe1fd6c7d3a56ff2f157b923650b4a158_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3f48116a04f06b2a08f91f41826e785fe1fd6c7d3a56ff2f157b923650b4a158_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3f48116a04f06b2a08f91f41826e785fe1fd6c7d3a56ff2f157b923650b4a158_NeikiAnalytics.exe
-
Size
62KB
-
MD5
dda32672dc7db6473035eb32b4ba0090
-
SHA1
fdbb365c9833f7c5e5daa455799c05a0eb409502
-
SHA256
3f48116a04f06b2a08f91f41826e785fe1fd6c7d3a56ff2f157b923650b4a158
-
SHA512
7d74492025cfdce6623597ff02a6989c653400c1f9f2c1d9ee771f790325944a653ea74a118ab9f7c8cb14f322ed62edf2592983ec4e2ff5f430bb256a733ba9
-
SSDEEP
1536:s1tY/qRE8C/1gEVmABMgTPCLK+m9fRycve8Cy:etI9/1gEVmA7RfRtve8
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhhcgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aalmklfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdapak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpmipql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjndop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcmgfkeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omgaek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njiijlbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlblkhei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankdiqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baildokg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdjefj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhcmgnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnojdcfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kebepion.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbflib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgaek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhcdaibd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojieip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgaek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgobhcac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lplogdmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bebkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egamfkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elmigj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqhhknjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahokfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chhjkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndbcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laplei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pijbfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfgmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbfeimng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkmmhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnneja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeempocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llnfaffc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ealnephf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohqbqhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qljkhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adeplhib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfcgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmkmecg.exe -
Executes dropped EXE 64 IoCs
pid Process 1980 Kebepion.exe 2612 Kllmmc32.exe 1344 Kbfeimng.exe 2432 Khcnad32.exe 2420 Kbhbom32.exe 1964 Kegnkh32.exe 2664 Kjcgco32.exe 2772 Kbkodl32.exe 1616 Llccmb32.exe 1796 Loapim32.exe 1464 Laplei32.exe 852 Lfmdnp32.exe 2076 Labhkh32.exe 2744 Ldqegd32.exe 588 Ladeqhjd.exe 668 Ldcamcih.exe 1300 Lipjejgp.exe 2972 Llnfaffc.exe 2376 Ldenbcge.exe 692 Lgdjnofi.exe 1276 Lmnbkinf.exe 2364 Lplogdmj.exe 1072 Mcjkcplm.exe 2264 Meigpkka.exe 1752 Mpolmdkg.exe 2596 Moalhq32.exe 2556 Maphdl32.exe 2564 Mlelaeqk.exe 2480 Mkhmma32.exe 2468 Mdqafgnf.exe 2692 Mofecpnl.exe 2760 Madapkmp.exe 1744 Mdcnlglc.exe 404 Magnek32.exe 2444 Mdejaf32.exe 2160 Njbcim32.exe 1220 Nnnojlpa.exe 2116 Nplkfgoe.exe 2212 Ndgggf32.exe 604 Nkaocp32.exe 792 Njdpomfe.exe 1724 Nlblkhei.exe 1716 Ndjdlffl.exe 3056 Ncmdhb32.exe 1520 Nfkpdn32.exe 924 Nnbhek32.exe 1632 Nqqdag32.exe 328 Nocemcbj.exe 3004 Ncoamb32.exe 1536 Nfmmin32.exe 2568 Njiijlbp.exe 2404 Nhlifi32.exe 1992 Nqcagfim.exe 304 Nofabc32.exe 2180 Nfpjomgd.exe 1620 Njkfpl32.exe 1696 Nmjblg32.exe 1256 Nohnhc32.exe 1488 Nbfjdn32.exe 1952 Odegpj32.exe 2200 Ohqbqhde.exe 788 Okoomd32.exe 1236 Onmkio32.exe 2060 Ofdcjm32.exe -
Loads dropped DLL 64 IoCs
pid Process 1664 3f48116a04f06b2a08f91f41826e785fe1fd6c7d3a56ff2f157b923650b4a158_NeikiAnalytics.exe 1664 3f48116a04f06b2a08f91f41826e785fe1fd6c7d3a56ff2f157b923650b4a158_NeikiAnalytics.exe 1980 Kebepion.exe 1980 Kebepion.exe 2612 Kllmmc32.exe 2612 Kllmmc32.exe 1344 Kbfeimng.exe 1344 Kbfeimng.exe 2432 Khcnad32.exe 2432 Khcnad32.exe 2420 Kbhbom32.exe 2420 Kbhbom32.exe 1964 Kegnkh32.exe 1964 Kegnkh32.exe 2664 Kjcgco32.exe 2664 Kjcgco32.exe 2772 Kbkodl32.exe 2772 Kbkodl32.exe 1616 Llccmb32.exe 1616 Llccmb32.exe 1796 Loapim32.exe 1796 Loapim32.exe 1464 Laplei32.exe 1464 Laplei32.exe 852 Lfmdnp32.exe 852 Lfmdnp32.exe 2076 Labhkh32.exe 2076 Labhkh32.exe 2744 Ldqegd32.exe 2744 Ldqegd32.exe 588 Ladeqhjd.exe 588 Ladeqhjd.exe 668 Ldcamcih.exe 668 Ldcamcih.exe 1300 Lipjejgp.exe 1300 Lipjejgp.exe 2972 Llnfaffc.exe 2972 Llnfaffc.exe 2376 Ldenbcge.exe 2376 Ldenbcge.exe 692 Lgdjnofi.exe 692 Lgdjnofi.exe 1276 Lmnbkinf.exe 1276 Lmnbkinf.exe 2364 Lplogdmj.exe 2364 Lplogdmj.exe 1072 Mcjkcplm.exe 1072 Mcjkcplm.exe 2264 Meigpkka.exe 2264 Meigpkka.exe 1752 Mpolmdkg.exe 1752 Mpolmdkg.exe 2596 Moalhq32.exe 2596 Moalhq32.exe 2556 Maphdl32.exe 2556 Maphdl32.exe 2564 Mlelaeqk.exe 2564 Mlelaeqk.exe 2480 Mkhmma32.exe 2480 Mkhmma32.exe 2468 Mdqafgnf.exe 2468 Mdqafgnf.exe 2692 Mofecpnl.exe 2692 Mofecpnl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mjccnjpk.dll Aajpelhl.exe File created C:\Windows\SysWOW64\Ghqknigk.dll Ffpmnf32.exe File opened for modification C:\Windows\SysWOW64\Pbkpna32.exe Pchpbded.exe File created C:\Windows\SysWOW64\Bmeohn32.dll Bpcbqk32.exe File created C:\Windows\SysWOW64\Cfeddafl.exe Cgbdhd32.exe File created C:\Windows\SysWOW64\Lanfmb32.dll Efppoc32.exe File opened for modification C:\Windows\SysWOW64\Enkece32.exe Elmigj32.exe File created C:\Windows\SysWOW64\Eqpofkjo.dll Ihoafpmp.exe File created C:\Windows\SysWOW64\Ppmdbe32.exe Pmnhfjmg.exe File created C:\Windows\SysWOW64\Efppoc32.exe Ebedndfa.exe File created C:\Windows\SysWOW64\Fiaeoang.exe Feeiob32.exe File opened for modification C:\Windows\SysWOW64\Dialipcb.dll Pmnhfjmg.exe File created C:\Windows\SysWOW64\Phjelg32.exe Pelipl32.exe File opened for modification C:\Windows\SysWOW64\Ahchbf32.exe Adhlaggp.exe File created C:\Windows\SysWOW64\Accikb32.dll Bcaomf32.exe File created C:\Windows\SysWOW64\Ojjljknn.dll Kbhbom32.exe File created C:\Windows\SysWOW64\Qefpjhef.dll Cfeddafl.exe File opened for modification C:\Windows\SysWOW64\Hobcak32.exe Hpocfncj.exe File opened for modification C:\Windows\SysWOW64\Ofpfnqjp.exe Ocajbekl.exe File opened for modification C:\Windows\SysWOW64\Ppamme32.exe Phjelg32.exe File created C:\Windows\SysWOW64\Ecmkghcl.exe Epaogi32.exe File opened for modification C:\Windows\SysWOW64\Iaeiieeb.exe Icbimi32.exe File created C:\Windows\SysWOW64\Effdfo32.dll Lmnbkinf.exe File created C:\Windows\SysWOW64\Mmlblm32.dll Qmlgonbe.exe File created C:\Windows\SysWOW64\Oockje32.dll Chemfl32.exe File created C:\Windows\SysWOW64\Ldenbcge.exe Llnfaffc.exe File opened for modification C:\Windows\SysWOW64\Bhcdaibd.exe Bdhhqk32.exe File opened for modification C:\Windows\SysWOW64\Gaemjbcg.exe Gmjaic32.exe File created C:\Windows\SysWOW64\Enlbgc32.dll Hiekid32.exe File created C:\Windows\SysWOW64\Kllmmc32.exe Kebepion.exe File created C:\Windows\SysWOW64\Kegnkh32.exe Kbhbom32.exe File created C:\Windows\SysWOW64\Coeidfmm.dll Labhkh32.exe File opened for modification C:\Windows\SysWOW64\Ikeelnol.dll Omgaek32.exe File created C:\Windows\SysWOW64\Afdlhchf.exe Adeplhib.exe File created C:\Windows\SysWOW64\Ocjcidbb.dll Gfefiemq.exe File created C:\Windows\SysWOW64\Iagfoe32.exe Ioijbj32.exe File opened for modification C:\Windows\SysWOW64\Kbfeimng.exe Kllmmc32.exe File created C:\Windows\SysWOW64\Dgdfmnkb.dll Bbflib32.exe File created C:\Windows\SysWOW64\Cakqnc32.dll Fioija32.exe File opened for modification C:\Windows\SysWOW64\Ghfbqn32.exe Gegfdb32.exe File opened for modification C:\Windows\SysWOW64\Hgilchkf.exe Hobcak32.exe File created C:\Windows\SysWOW64\Ikbifehk.dll Baildokg.exe File opened for modification C:\Windows\SysWOW64\Dbehoa32.exe Dnilobkm.exe File opened for modification C:\Windows\SysWOW64\Gpknlk32.exe Fmlapp32.exe File created C:\Windows\SysWOW64\Aifone32.dll Aljgfioc.exe File opened for modification C:\Windows\SysWOW64\Dqelenlc.exe Dbbkja32.exe File created C:\Windows\SysWOW64\Gfedefbi.dll Dchali32.exe File opened for modification C:\Windows\SysWOW64\Oiellh32.exe Odjpkihg.exe File opened for modification C:\Windows\SysWOW64\Ongnonkb.exe Ojkboo32.exe File created C:\Windows\SysWOW64\Elmigj32.exe Egamfkdh.exe File created C:\Windows\SysWOW64\Fmekoalh.exe Fjgoce32.exe File created C:\Windows\SysWOW64\Eaepofcm.dll Mdejaf32.exe File created C:\Windows\SysWOW64\Qonlfkdd.dll Pbkpna32.exe File created C:\Windows\SysWOW64\Epgnljad.dll Dcfdgiid.exe File created C:\Windows\SysWOW64\Cqmnhocj.dll Fmcoja32.exe File created C:\Windows\SysWOW64\Claifkkf.exe Chemfl32.exe File opened for modification C:\Windows\SysWOW64\Eilpeooq.exe Efncicpm.exe File created C:\Windows\SysWOW64\Fmlapp32.exe Fiaeoang.exe File created C:\Windows\SysWOW64\Gkhqdcam.dll Nbfjdn32.exe File created C:\Windows\SysWOW64\Ffakeiib.dll Cgmkmecg.exe File opened for modification C:\Windows\SysWOW64\Fjdbnf32.exe Fhffaj32.exe File created C:\Windows\SysWOW64\Ikkbnm32.dll Fdoclk32.exe File opened for modification C:\Windows\SysWOW64\Gkihhhnm.exe Glfhll32.exe File created C:\Windows\SysWOW64\Pgobhcac.exe Pccfge32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4176 4144 WerFault.exe 366 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpenlb32.dll" Ckffgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaepofcm.dll" Mdejaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfgaiaci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dchali32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poaljn32.dll" Odgcfijj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bopicc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcaomf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebinic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njdpomfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjcibje.dll" Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjhbal.dll" Ebinic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gegfdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enkece32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gieojq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbkodl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbhkgk32.dll" Moalhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haobqm32.dll" Mdcnlglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpnnmjg.dll" Nofabc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcmiimi.dll" Dnilobkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkemh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 3f48116a04f06b2a08f91f41826e785fe1fd6c7d3a56ff2f157b923650b4a158_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkahhbbj.dll" Dqhhknjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonkjenl.dll" Eajaoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fioija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclomp32.dll" Djefobmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojficpfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimcgn32.dll" Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglhobmg.dll" Dbbkja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faokjpfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndjdlffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnigda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gclcefmh.dll" Ccdlbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll" Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibgai32.dll" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cllpkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbolpc32.dll" Dkhcmgnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnilobkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnagjbdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlelaeqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkiklhim.dll" Magnek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekchhcnp.dll" Pphjgfqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhebk32.dll" Pelipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjljknn.dll" Kbhbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enihmc32.dll" Ldenbcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkhqdcam.dll" Nbfjdn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1664 wrote to memory of 1980 1664 3f48116a04f06b2a08f91f41826e785fe1fd6c7d3a56ff2f157b923650b4a158_NeikiAnalytics.exe 28 PID 1664 wrote to memory of 1980 1664 3f48116a04f06b2a08f91f41826e785fe1fd6c7d3a56ff2f157b923650b4a158_NeikiAnalytics.exe 28 PID 1664 wrote to memory of 1980 1664 3f48116a04f06b2a08f91f41826e785fe1fd6c7d3a56ff2f157b923650b4a158_NeikiAnalytics.exe 28 PID 1664 wrote to memory of 1980 1664 3f48116a04f06b2a08f91f41826e785fe1fd6c7d3a56ff2f157b923650b4a158_NeikiAnalytics.exe 28 PID 1980 wrote to memory of 2612 1980 Kebepion.exe 29 PID 1980 wrote to memory of 2612 1980 Kebepion.exe 29 PID 1980 wrote to memory of 2612 1980 Kebepion.exe 29 PID 1980 wrote to memory of 2612 1980 Kebepion.exe 29 PID 2612 wrote to memory of 1344 2612 Kllmmc32.exe 30 PID 2612 wrote to memory of 1344 2612 Kllmmc32.exe 30 PID 2612 wrote to memory of 1344 2612 Kllmmc32.exe 30 PID 2612 wrote to memory of 1344 2612 Kllmmc32.exe 30 PID 1344 wrote to memory of 2432 1344 Kbfeimng.exe 31 PID 1344 wrote to memory of 2432 1344 Kbfeimng.exe 31 PID 1344 wrote to memory of 2432 1344 Kbfeimng.exe 31 PID 1344 wrote to memory of 2432 1344 Kbfeimng.exe 31 PID 2432 wrote to memory of 2420 2432 Khcnad32.exe 32 PID 2432 wrote to memory of 2420 2432 Khcnad32.exe 32 PID 2432 wrote to memory of 2420 2432 Khcnad32.exe 32 PID 2432 wrote to memory of 2420 2432 Khcnad32.exe 32 PID 2420 wrote to memory of 1964 2420 Kbhbom32.exe 33 PID 2420 wrote to memory of 1964 2420 Kbhbom32.exe 33 PID 2420 wrote to memory of 1964 2420 Kbhbom32.exe 33 PID 2420 wrote to memory of 1964 2420 Kbhbom32.exe 33 PID 1964 wrote to memory of 2664 1964 Kegnkh32.exe 34 PID 1964 wrote to memory of 2664 1964 Kegnkh32.exe 34 PID 1964 wrote to memory of 2664 1964 Kegnkh32.exe 34 PID 1964 wrote to memory of 2664 1964 Kegnkh32.exe 34 PID 2664 wrote to memory of 2772 2664 Kjcgco32.exe 35 PID 2664 wrote to memory of 2772 2664 Kjcgco32.exe 35 PID 2664 wrote to memory of 2772 2664 Kjcgco32.exe 35 PID 2664 wrote to memory of 2772 2664 Kjcgco32.exe 35 PID 2772 wrote to memory of 1616 2772 Kbkodl32.exe 36 PID 2772 wrote to memory of 1616 2772 Kbkodl32.exe 36 PID 2772 wrote to memory of 1616 2772 Kbkodl32.exe 36 PID 2772 wrote to memory of 1616 2772 Kbkodl32.exe 36 PID 1616 wrote to memory of 1796 1616 Llccmb32.exe 37 PID 1616 wrote to memory of 1796 1616 Llccmb32.exe 37 PID 1616 wrote to memory of 1796 1616 Llccmb32.exe 37 PID 1616 wrote to memory of 1796 1616 Llccmb32.exe 37 PID 1796 wrote to memory of 1464 1796 Loapim32.exe 38 PID 1796 wrote to memory of 1464 1796 Loapim32.exe 38 PID 1796 wrote to memory of 1464 1796 Loapim32.exe 38 PID 1796 wrote to memory of 1464 1796 Loapim32.exe 38 PID 1464 wrote to memory of 852 1464 Laplei32.exe 39 PID 1464 wrote to memory of 852 1464 Laplei32.exe 39 PID 1464 wrote to memory of 852 1464 Laplei32.exe 39 PID 1464 wrote to memory of 852 1464 Laplei32.exe 39 PID 852 wrote to memory of 2076 852 Lfmdnp32.exe 40 PID 852 wrote to memory of 2076 852 Lfmdnp32.exe 40 PID 852 wrote to memory of 2076 852 Lfmdnp32.exe 40 PID 852 wrote to memory of 2076 852 Lfmdnp32.exe 40 PID 2076 wrote to memory of 2744 2076 Labhkh32.exe 41 PID 2076 wrote to memory of 2744 2076 Labhkh32.exe 41 PID 2076 wrote to memory of 2744 2076 Labhkh32.exe 41 PID 2076 wrote to memory of 2744 2076 Labhkh32.exe 41 PID 2744 wrote to memory of 588 2744 Ldqegd32.exe 42 PID 2744 wrote to memory of 588 2744 Ldqegd32.exe 42 PID 2744 wrote to memory of 588 2744 Ldqegd32.exe 42 PID 2744 wrote to memory of 588 2744 Ldqegd32.exe 42 PID 588 wrote to memory of 668 588 Ladeqhjd.exe 43 PID 588 wrote to memory of 668 588 Ladeqhjd.exe 43 PID 588 wrote to memory of 668 588 Ladeqhjd.exe 43 PID 588 wrote to memory of 668 588 Ladeqhjd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f48116a04f06b2a08f91f41826e785fe1fd6c7d3a56ff2f157b923650b4a158_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3f48116a04f06b2a08f91f41826e785fe1fd6c7d3a56ff2f157b923650b4a158_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:668 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:692 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe33⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:404 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe37⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe38⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe39⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe40⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe41⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:792 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe45⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe46⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe47⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe48⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe49⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe50⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe51⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe53⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe54⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:304 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe56⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe57⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe58⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe59⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe61⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe63⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe64⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe65⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe66⤵
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe67⤵PID:1556
-
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe68⤵PID:1232
-
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe69⤵PID:2224
-
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe70⤵PID:1960
-
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe71⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe72⤵PID:2516
-
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe73⤵PID:2708
-
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe74⤵
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe75⤵PID:2464
-
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe76⤵PID:2668
-
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe77⤵PID:1820
-
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe78⤵PID:1816
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe82⤵
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe83⤵PID:1740
-
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe84⤵
- Drops file in System32 directory
PID:580 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe85⤵PID:2968
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe86⤵PID:1492
-
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe87⤵
- Modifies registry class
PID:380 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe88⤵
- Drops file in System32 directory
PID:292 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1576 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe90⤵PID:2544
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe91⤵PID:2736
-
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe92⤵PID:2644
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe93⤵PID:2456
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe94⤵PID:2588
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe96⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe97⤵PID:1808
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe98⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe99⤵
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe100⤵PID:1436
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:652 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe102⤵PID:1424
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe103⤵PID:3060
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe104⤵PID:1944
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe106⤵
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe107⤵PID:2716
-
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe108⤵PID:1788
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe109⤵PID:2696
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1908 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe111⤵PID:296
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe112⤵PID:2764
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe113⤵PID:2052
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe114⤵PID:540
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2276 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe116⤵
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe118⤵PID:2536
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe120⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2504
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-