Analysis
-
max time kernel
148s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
30/06/2024, 19:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
12f0d6a7da50091df1582161296839c4d8367f723935215e586dc83440f44fd4_NeikiAnalytics.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
12f0d6a7da50091df1582161296839c4d8367f723935215e586dc83440f44fd4_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
12f0d6a7da50091df1582161296839c4d8367f723935215e586dc83440f44fd4_NeikiAnalytics.exe
-
Size
430KB
-
MD5
e9a18603aa376b29b2c302e77f803fb0
-
SHA1
fc5ac6b42b57e5c413d41667d4428758a922419d
-
SHA256
12f0d6a7da50091df1582161296839c4d8367f723935215e586dc83440f44fd4
-
SHA512
cf9bdbb50439217de5d9595a0f36819c9ad8b248e1af45f93802991dd8030b52b7907c35e7f049c2f4d315ce3e81f44770ef3e51a56afc48ffb4b29eb93f0c4a
-
SSDEEP
3072:Sbz8EVAURfE+HAokWmvEie0RFz3yE2ZwVh16Mz7GFD0AlWsnzj:SEERs+HLlD0rN2ZwVht740Psz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Limfed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llccmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcfdgiid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddgjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beehencq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apimacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgimmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahikqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbkknojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajpelhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cllpkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kneicieh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iajcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcdbbloa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lojomkdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncahjgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlgefh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmdjdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aalmklfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmekoalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekklaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdbbloa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmcijcbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamddf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgpgce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pflomnkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalmklfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebgacddo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chbjffad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbnhng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngfih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onjgiiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqgnokip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkiogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alpmfdcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmibdlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbakpdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eojnkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nehmdhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgpgce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abmbhn32.exe -
Executes dropped EXE 64 IoCs
pid Process 2812 Llccmb32.exe 2968 Lkhpnnej.exe 2692 Lmgmjjdn.exe 2488 Ladeqhjd.exe 2504 Ldcamcih.exe 2468 Mcjkcplm.exe 2532 Meigpkka.exe 1252 Mhgclfje.exe 2780 Mlcple32.exe 2396 Maphdl32.exe 268 Mkhmma32.exe 2376 Mdqafgnf.exe 2220 Mhlmgf32.exe 1800 Magnek32.exe 2216 Mhqfbebj.exe 1456 Npnhlg32.exe 840 Nnbhek32.exe 752 Nqqdag32.exe 2360 Ncoamb32.exe 1764 Nfmmin32.exe 1604 Nlgefh32.exe 848 Njkfpl32.exe 3040 Nmjblg32.exe 780 Nohnhc32.exe 980 Ofbfdmeb.exe 2864 Odegpj32.exe 1792 Omloag32.exe 2000 Ofdcjm32.exe 2684 Odgcfijj.exe 2588 Ogfpbeim.exe 2628 Oomhcbjp.exe 2516 Obkdonic.exe 2960 Oqndkj32.exe 620 Oghlgdgk.exe 2400 Onbddoog.exe 1932 Obnqem32.exe 1784 Ogjimd32.exe 2512 Ojieip32.exe 2024 Pccfge32.exe 1644 Pfbccp32.exe 2280 Pjmodopf.exe 1220 Pmlkpjpj.exe 2008 Pmnhfjmg.exe 2088 Plahag32.exe 1328 Ppmdbe32.exe 468 Pbkpna32.exe 2892 Peiljl32.exe 2228 Pmqdkj32.exe 1888 Pfiidobe.exe 1836 Phjelg32.exe 3032 Pndniaop.exe 2728 Pbpjiphi.exe 2616 Pijbfj32.exe 2720 Qjknnbed.exe 2772 Qnfjna32.exe 1968 Qaefjm32.exe 2544 Qhooggdn.exe 2664 Qnigda32.exe 2804 Qagcpljo.exe 792 Adeplhib.exe 2800 Afdlhchf.exe 532 Ankdiqih.exe 2576 Aajpelhl.exe 1844 Adhlaggp.exe -
Loads dropped DLL 64 IoCs
pid Process 1600 12f0d6a7da50091df1582161296839c4d8367f723935215e586dc83440f44fd4_NeikiAnalytics.exe 1600 12f0d6a7da50091df1582161296839c4d8367f723935215e586dc83440f44fd4_NeikiAnalytics.exe 2812 Llccmb32.exe 2812 Llccmb32.exe 2968 Lkhpnnej.exe 2968 Lkhpnnej.exe 2692 Lmgmjjdn.exe 2692 Lmgmjjdn.exe 2488 Ladeqhjd.exe 2488 Ladeqhjd.exe 2504 Ldcamcih.exe 2504 Ldcamcih.exe 2468 Mcjkcplm.exe 2468 Mcjkcplm.exe 2532 Meigpkka.exe 2532 Meigpkka.exe 1252 Mhgclfje.exe 1252 Mhgclfje.exe 2780 Mlcple32.exe 2780 Mlcple32.exe 2396 Maphdl32.exe 2396 Maphdl32.exe 268 Mkhmma32.exe 268 Mkhmma32.exe 2376 Mdqafgnf.exe 2376 Mdqafgnf.exe 2220 Mhlmgf32.exe 2220 Mhlmgf32.exe 1800 Magnek32.exe 1800 Magnek32.exe 2216 Mhqfbebj.exe 2216 Mhqfbebj.exe 1456 Npnhlg32.exe 1456 Npnhlg32.exe 840 Nnbhek32.exe 840 Nnbhek32.exe 752 Nqqdag32.exe 752 Nqqdag32.exe 2360 Ncoamb32.exe 2360 Ncoamb32.exe 1764 Nfmmin32.exe 1764 Nfmmin32.exe 1604 Nlgefh32.exe 1604 Nlgefh32.exe 848 Njkfpl32.exe 848 Njkfpl32.exe 3040 Nmjblg32.exe 3040 Nmjblg32.exe 780 Nohnhc32.exe 780 Nohnhc32.exe 980 Ofbfdmeb.exe 980 Ofbfdmeb.exe 2864 Odegpj32.exe 2864 Odegpj32.exe 1792 Omloag32.exe 1792 Omloag32.exe 2000 Ofdcjm32.exe 2000 Ofdcjm32.exe 2684 Odgcfijj.exe 2684 Odgcfijj.exe 2588 Ogfpbeim.exe 2588 Ogfpbeim.exe 2628 Oomhcbjp.exe 2628 Oomhcbjp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bjlcgibn.dll Inqcif32.exe File created C:\Windows\SysWOW64\Mmahdggc.exe Ldidkbpb.exe File created C:\Windows\SysWOW64\Abmibdlh.exe Adjigg32.exe File opened for modification C:\Windows\SysWOW64\Pqkmjh32.exe Pnlqnl32.exe File opened for modification C:\Windows\SysWOW64\Aipddi32.exe Qfahhm32.exe File created C:\Windows\SysWOW64\Cdikkg32.exe Caknol32.exe File opened for modification C:\Windows\SysWOW64\Ddgjdk32.exe Dfdjhndl.exe File created C:\Windows\SysWOW64\Egllae32.exe Ecqqpgli.exe File opened for modification C:\Windows\SysWOW64\Icbimi32.exe Hkkalk32.exe File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe Hgilchkf.exe File created C:\Windows\SysWOW64\Mbcjffka.dll Mkeimlfm.exe File created C:\Windows\SysWOW64\Bocolb32.exe Bhigphio.exe File opened for modification C:\Windows\SysWOW64\Dliijipn.exe Dhnmij32.exe File created C:\Windows\SysWOW64\Ejkima32.exe Egllae32.exe File opened for modification C:\Windows\SysWOW64\Hgbebiao.exe Gddifnbk.exe File opened for modification C:\Windows\SysWOW64\Apcfahio.exe Aiinen32.exe File created C:\Windows\SysWOW64\Bnpmipql.exe Bkaqmeah.exe File created C:\Windows\SysWOW64\Hjlanqkq.dll Cjndop32.exe File created C:\Windows\SysWOW64\Hgilchkf.exe Hcnpbi32.exe File opened for modification C:\Windows\SysWOW64\Jkbcln32.exe Jmocpado.exe File opened for modification C:\Windows\SysWOW64\Kgnnln32.exe Kcbakpdo.exe File created C:\Windows\SysWOW64\Fjaonpnn.exe Effcma32.exe File created C:\Windows\SysWOW64\Qhooggdn.exe Qaefjm32.exe File created C:\Windows\SysWOW64\Maodqp32.dll Jbgbni32.exe File created C:\Windows\SysWOW64\Ehkdaf32.dll Pbfpik32.exe File created C:\Windows\SysWOW64\Ebodiofk.exe Ejhlgaeh.exe File created C:\Windows\SysWOW64\Bcmkhb32.dll Iqalka32.exe File created C:\Windows\SysWOW64\Onbddoog.exe Oghlgdgk.exe File created C:\Windows\SysWOW64\Nkiogn32.exe Ngnbgplj.exe File opened for modification C:\Windows\SysWOW64\Lkhpnnej.exe Llccmb32.exe File created C:\Windows\SysWOW64\Hgdbhi32.exe Hcifgjgc.exe File created C:\Windows\SysWOW64\Heldepab.dll Ofjfhk32.exe File opened for modification C:\Windows\SysWOW64\Iakdqgfi.dll Qfahhm32.exe File created C:\Windows\SysWOW64\Caknol32.exe Cgejac32.exe File created C:\Windows\SysWOW64\Ddgjdk32.exe Dfdjhndl.exe File created C:\Windows\SysWOW64\Bgpokk32.dll Pmqdkj32.exe File created C:\Windows\SysWOW64\Gobgcg32.exe Gldkfl32.exe File opened for modification C:\Windows\SysWOW64\Hcifgjgc.exe Hpkjko32.exe File created C:\Windows\SysWOW64\Lmcijcbe.exe Lihmjejl.exe File opened for modification C:\Windows\SysWOW64\Lijjoe32.exe Lflmci32.exe File created C:\Windows\SysWOW64\Nmpipp32.dll Lbcnhjnj.exe File created C:\Windows\SysWOW64\Abmbhn32.exe Ajejgp32.exe File created C:\Windows\SysWOW64\Anccmo32.exe Alegac32.exe File created C:\Windows\SysWOW64\Pijbfj32.exe Pbpjiphi.exe File created C:\Windows\SysWOW64\Mfacfkje.dll Dndlim32.exe File created C:\Windows\SysWOW64\Jneohcll.dll Anccmo32.exe File created C:\Windows\SysWOW64\Dkkpbgli.exe Dgodbh32.exe File created C:\Windows\SysWOW64\Doobajme.exe Djbiicon.exe File created C:\Windows\SysWOW64\Codpklfq.dll Hahjpbad.exe File created C:\Windows\SysWOW64\Mgimmm32.exe Mdkqqa32.exe File opened for modification C:\Windows\SysWOW64\Alpmfdcb.exe Aibajhdn.exe File opened for modification C:\Windows\SysWOW64\Anojbobe.exe Aplifb32.exe File created C:\Windows\SysWOW64\Cbolpc32.dll Dkhcmgnl.exe File created C:\Windows\SysWOW64\Kleiio32.dll Gfefiemq.exe File created C:\Windows\SysWOW64\Pqiqnfej.dll Icbimi32.exe File opened for modification C:\Windows\SysWOW64\Pgeefbhm.exe Pqkmjh32.exe File opened for modification C:\Windows\SysWOW64\Fpfdalii.exe Fmhheqje.exe File created C:\Windows\SysWOW64\Ghqknigk.dll Ffpmnf32.exe File opened for modification C:\Windows\SysWOW64\Lojomkdn.exe Lhpfqama.exe File created C:\Windows\SysWOW64\Oincig32.dll Mcbjgn32.exe File created C:\Windows\SysWOW64\Qfahhm32.exe Qbelgood.exe File created C:\Windows\SysWOW64\Dolnad32.exe Dkqbaecc.exe File created C:\Windows\SysWOW64\Plahag32.exe Pmnhfjmg.exe File created C:\Windows\SysWOW64\Idklfpon.exe Iqopea32.exe -
Program crash 1 IoCs
pid pid_target Process 5672 5640 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igkdgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmjjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bahbme32.dll" Jcdbbloa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjodeppm.dll" Ldidkbpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bemgilhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkhmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icaooali.dll" Mdqafgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkebie32.dll" Beehencq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll" Fmhheqje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coelaaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhdclk32.dll" Odegpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmlkpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfgdhjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oomhcbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmoado32.dll" Incpoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nialog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohfeog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aadloj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecejkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckblig32.dll" Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jicgpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiccofna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjp32.dll" Lpphap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lckdanld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcbjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaegglem.dll" Dfmdho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obnqem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinika32.dll" Qagcpljo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lflmci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heldepab.dll" Ofjfhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcjkcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glamna32.dll" Ofdcjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbgmbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcknbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkgfckcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nefpnhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmdjdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geiiogja.dll" Bmkmdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oikojfgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll" Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkbcln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Immfnjan.dll" Kfgdhjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgoboqcm.dll" Ojolhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oopnlacm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dinhacjp.dll" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhcecp32.dll" Adjigg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdooajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfmdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjfho32.dll" Dbhnhp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1600 wrote to memory of 2812 1600 12f0d6a7da50091df1582161296839c4d8367f723935215e586dc83440f44fd4_NeikiAnalytics.exe 28 PID 1600 wrote to memory of 2812 1600 12f0d6a7da50091df1582161296839c4d8367f723935215e586dc83440f44fd4_NeikiAnalytics.exe 28 PID 1600 wrote to memory of 2812 1600 12f0d6a7da50091df1582161296839c4d8367f723935215e586dc83440f44fd4_NeikiAnalytics.exe 28 PID 1600 wrote to memory of 2812 1600 12f0d6a7da50091df1582161296839c4d8367f723935215e586dc83440f44fd4_NeikiAnalytics.exe 28 PID 2812 wrote to memory of 2968 2812 Llccmb32.exe 29 PID 2812 wrote to memory of 2968 2812 Llccmb32.exe 29 PID 2812 wrote to memory of 2968 2812 Llccmb32.exe 29 PID 2812 wrote to memory of 2968 2812 Llccmb32.exe 29 PID 2968 wrote to memory of 2692 2968 Lkhpnnej.exe 30 PID 2968 wrote to memory of 2692 2968 Lkhpnnej.exe 30 PID 2968 wrote to memory of 2692 2968 Lkhpnnej.exe 30 PID 2968 wrote to memory of 2692 2968 Lkhpnnej.exe 30 PID 2692 wrote to memory of 2488 2692 Lmgmjjdn.exe 31 PID 2692 wrote to memory of 2488 2692 Lmgmjjdn.exe 31 PID 2692 wrote to memory of 2488 2692 Lmgmjjdn.exe 31 PID 2692 wrote to memory of 2488 2692 Lmgmjjdn.exe 31 PID 2488 wrote to memory of 2504 2488 Ladeqhjd.exe 32 PID 2488 wrote to memory of 2504 2488 Ladeqhjd.exe 32 PID 2488 wrote to memory of 2504 2488 Ladeqhjd.exe 32 PID 2488 wrote to memory of 2504 2488 Ladeqhjd.exe 32 PID 2504 wrote to memory of 2468 2504 Ldcamcih.exe 33 PID 2504 wrote to memory of 2468 2504 Ldcamcih.exe 33 PID 2504 wrote to memory of 2468 2504 Ldcamcih.exe 33 PID 2504 wrote to memory of 2468 2504 Ldcamcih.exe 33 PID 2468 wrote to memory of 2532 2468 Mcjkcplm.exe 34 PID 2468 wrote to memory of 2532 2468 Mcjkcplm.exe 34 PID 2468 wrote to memory of 2532 2468 Mcjkcplm.exe 34 PID 2468 wrote to memory of 2532 2468 Mcjkcplm.exe 34 PID 2532 wrote to memory of 1252 2532 Meigpkka.exe 35 PID 2532 wrote to memory of 1252 2532 Meigpkka.exe 35 PID 2532 wrote to memory of 1252 2532 Meigpkka.exe 35 PID 2532 wrote to memory of 1252 2532 Meigpkka.exe 35 PID 1252 wrote to memory of 2780 1252 Mhgclfje.exe 36 PID 1252 wrote to memory of 2780 1252 Mhgclfje.exe 36 PID 1252 wrote to memory of 2780 1252 Mhgclfje.exe 36 PID 1252 wrote to memory of 2780 1252 Mhgclfje.exe 36 PID 2780 wrote to memory of 2396 2780 Mlcple32.exe 37 PID 2780 wrote to memory of 2396 2780 Mlcple32.exe 37 PID 2780 wrote to memory of 2396 2780 Mlcple32.exe 37 PID 2780 wrote to memory of 2396 2780 Mlcple32.exe 37 PID 2396 wrote to memory of 268 2396 Maphdl32.exe 38 PID 2396 wrote to memory of 268 2396 Maphdl32.exe 38 PID 2396 wrote to memory of 268 2396 Maphdl32.exe 38 PID 2396 wrote to memory of 268 2396 Maphdl32.exe 38 PID 268 wrote to memory of 2376 268 Mkhmma32.exe 39 PID 268 wrote to memory of 2376 268 Mkhmma32.exe 39 PID 268 wrote to memory of 2376 268 Mkhmma32.exe 39 PID 268 wrote to memory of 2376 268 Mkhmma32.exe 39 PID 2376 wrote to memory of 2220 2376 Mdqafgnf.exe 40 PID 2376 wrote to memory of 2220 2376 Mdqafgnf.exe 40 PID 2376 wrote to memory of 2220 2376 Mdqafgnf.exe 40 PID 2376 wrote to memory of 2220 2376 Mdqafgnf.exe 40 PID 2220 wrote to memory of 1800 2220 Mhlmgf32.exe 41 PID 2220 wrote to memory of 1800 2220 Mhlmgf32.exe 41 PID 2220 wrote to memory of 1800 2220 Mhlmgf32.exe 41 PID 2220 wrote to memory of 1800 2220 Mhlmgf32.exe 41 PID 1800 wrote to memory of 2216 1800 Magnek32.exe 42 PID 1800 wrote to memory of 2216 1800 Magnek32.exe 42 PID 1800 wrote to memory of 2216 1800 Magnek32.exe 42 PID 1800 wrote to memory of 2216 1800 Magnek32.exe 42 PID 2216 wrote to memory of 1456 2216 Mhqfbebj.exe 43 PID 2216 wrote to memory of 1456 2216 Mhqfbebj.exe 43 PID 2216 wrote to memory of 1456 2216 Mhqfbebj.exe 43 PID 2216 wrote to memory of 1456 2216 Mhqfbebj.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\12f0d6a7da50091df1582161296839c4d8367f723935215e586dc83440f44fd4_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\12f0d6a7da50091df1582161296839c4d8367f723935215e586dc83440f44fd4_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1456 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:752 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:848 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:980 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe33⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe34⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:620 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe36⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe38⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe39⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe40⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe41⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe42⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe45⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe46⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe47⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe48⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe50⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe51⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe52⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe54⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe55⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe56⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe58⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe59⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe61⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe62⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe63⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe65⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe66⤵PID:1316
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:1412 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:476 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe70⤵PID:2028
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe71⤵PID:2016
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe72⤵PID:3036
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe73⤵PID:3024
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe74⤵PID:2336
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe75⤵
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe76⤵PID:2536
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe77⤵PID:2120
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe78⤵PID:656
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe79⤵PID:2796
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe80⤵PID:2508
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe81⤵PID:2788
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe82⤵PID:2756
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe84⤵PID:2916
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe85⤵
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe86⤵PID:2724
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe87⤵PID:448
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe88⤵PID:2288
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe89⤵PID:2744
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe90⤵PID:1976
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe91⤵PID:2652
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe92⤵PID:1740
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe93⤵PID:1648
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe94⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe95⤵PID:2012
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe96⤵PID:1936
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe97⤵PID:2856
-
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1216 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe99⤵
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1476 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe101⤵
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1588 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe103⤵PID:1596
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe104⤵PID:2840
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe105⤵PID:760
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe106⤵PID:284
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe107⤵PID:2500
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe108⤵PID:2548
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe109⤵PID:1108
-
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe110⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe111⤵PID:2472
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe112⤵PID:2340
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe113⤵
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe114⤵PID:2992
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe115⤵PID:2912
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe117⤵PID:2936
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe118⤵PID:296
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe119⤵PID:756
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2380 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe121⤵
- Drops file in System32 directory
PID:1560
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-