Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
13/05/2024, 08:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ac23d674e8f932016d3f3bf69dac68b0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ac23d674e8f932016d3f3bf69dac68b0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ac23d674e8f932016d3f3bf69dac68b0_NeikiAnalytics.exe
-
Size
303KB
-
MD5
ac23d674e8f932016d3f3bf69dac68b0
-
SHA1
04a7d4a29bf91f271f17acf5f7e59b92090954b9
-
SHA256
b1a01a7e192530c19d7245e101832d04ec4138a4f69fa19f2ab25cff97f448d5
-
SHA512
382853086d5dbde7154cf124a19fc9f40865d9daafce03eb1b27336a37f5f455423228e9966ba165a20892b05c6ded0d5ad034df3346e8e2edc7b0a21cc8b2a4
-
SSDEEP
6144:Ks87nY5CPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSpaH8m34:0QFHRFbeE8mo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oibpdico.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnpnga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjcip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famaimfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghdiokbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcaafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haemloni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgnjke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pobeao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Domccejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnqjkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmnlhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clfhml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdkhag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmlmpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biiiempl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcoolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgciff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnokahip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdcfoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifbkgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmfklepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abldccka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhqeka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcblgbfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcnkhmdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neknki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demaoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dilchhgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jihdnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njeelc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Domccejd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipmqgmcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaeipfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Manjaldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhogaamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojfcdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbjkop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfmahkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eopphehb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihfnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgnokgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddmchcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enmnahnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oibpdico.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgiobadq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpjngh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfghdcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paocnkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njchfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbjifgcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aicmadmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajnpecbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooabmbbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fennoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eepmlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckndmaad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfglep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfdhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdpfadlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akcomepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfodfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmcfngde.exe -
Executes dropped EXE 64 IoCs
pid Process 2224 Ioooiack.exe 2028 Jbpdeogo.exe 832 Jpjngh32.exe 2756 Jdhgnf32.exe 2576 Klhemhpk.exe 2772 Khabghdl.exe 2412 Lhelbh32.exe 2424 Lqcmmjko.exe 2452 Ljkaeo32.exe 956 Mfglep32.exe 1512 Mndmoaog.exe 1936 Mbbfep32.exe 2168 Nfghdcfj.exe 2328 Nenakoho.exe 852 Oeckfndj.exe 2700 Olophhjd.exe 1928 Oijjka32.exe 2040 Pkifdd32.exe 2264 Plmpblnb.exe 1800 Piqpkpml.exe 1200 Pciddedl.exe 1016 Pejmfqan.exe 2208 Ajnpecbj.exe 2788 Ajqljc32.exe 2936 Aciqcifh.exe 2104 Aihfap32.exe 2164 Amfognic.exe 2204 Beackp32.exe 2236 Bammlq32.exe 2820 Cjgoje32.exe 1896 Ccpcckck.exe 2908 Cpfdhl32.exe 2508 Cmjdaqgi.exe 2644 Cehfkb32.exe 2612 Copjdhib.exe 2400 Dhiomn32.exe 2500 Dmhdkdlg.exe 2356 Dklddhka.exe 1568 Dkqnoh32.exe 1292 Egikjh32.exe 1632 Epbpbnan.exe 1340 Eklqcl32.exe 2364 Eaeipfei.exe 780 Edfbaabj.exe 2944 Folfoj32.exe 2004 Fggkcl32.exe 952 Fcnkhmdp.exe 2256 Fcphnm32.exe 816 Flhmfbim.exe 1972 Ffaaoh32.exe 2844 Gbhbdi32.exe 1248 Gkpfmnlb.exe 2100 Ghdgfbkl.exe 1604 Gonocmbi.exe 940 Goplilpf.exe 2888 Gqahqd32.exe 2524 Gbadjg32.exe 2536 Ggnmbn32.exe 2540 Hebnlb32.exe 1732 Hfcjdkpg.exe 3016 Hfegij32.exe 756 Hmoofdea.exe 1592 Hldlga32.exe 1656 Hemqpf32.exe -
Loads dropped DLL 64 IoCs
pid Process 1152 ac23d674e8f932016d3f3bf69dac68b0_NeikiAnalytics.exe 1152 ac23d674e8f932016d3f3bf69dac68b0_NeikiAnalytics.exe 2224 Ioooiack.exe 2224 Ioooiack.exe 2028 Jbpdeogo.exe 2028 Jbpdeogo.exe 832 Jpjngh32.exe 832 Jpjngh32.exe 2756 Jdhgnf32.exe 2756 Jdhgnf32.exe 2576 Klhemhpk.exe 2576 Klhemhpk.exe 2772 Khabghdl.exe 2772 Khabghdl.exe 2412 Lhelbh32.exe 2412 Lhelbh32.exe 2424 Lqcmmjko.exe 2424 Lqcmmjko.exe 2452 Ljkaeo32.exe 2452 Ljkaeo32.exe 956 Mfglep32.exe 956 Mfglep32.exe 1512 Mndmoaog.exe 1512 Mndmoaog.exe 1936 Mbbfep32.exe 1936 Mbbfep32.exe 2168 Nfghdcfj.exe 2168 Nfghdcfj.exe 2328 Nenakoho.exe 2328 Nenakoho.exe 852 Oeckfndj.exe 852 Oeckfndj.exe 2700 Olophhjd.exe 2700 Olophhjd.exe 1928 Oijjka32.exe 1928 Oijjka32.exe 2040 Pkifdd32.exe 2040 Pkifdd32.exe 2264 Plmpblnb.exe 2264 Plmpblnb.exe 1800 Piqpkpml.exe 1800 Piqpkpml.exe 1200 Pciddedl.exe 1200 Pciddedl.exe 1016 Pejmfqan.exe 1016 Pejmfqan.exe 2208 Ajnpecbj.exe 2208 Ajnpecbj.exe 2788 Ajqljc32.exe 2788 Ajqljc32.exe 2936 Aciqcifh.exe 2936 Aciqcifh.exe 2104 Aihfap32.exe 2104 Aihfap32.exe 2164 Amfognic.exe 2164 Amfognic.exe 1608 Bjbeofpp.exe 1608 Bjbeofpp.exe 2236 Bammlq32.exe 2236 Bammlq32.exe 2820 Cjgoje32.exe 2820 Cjgoje32.exe 1896 Ccpcckck.exe 1896 Ccpcckck.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kglehp32.exe Kncaojfb.exe File created C:\Windows\SysWOW64\Nmkplgnq.exe Mpgobc32.exe File opened for modification C:\Windows\SysWOW64\Icoepohq.exe Hghdjn32.exe File created C:\Windows\SysWOW64\Mfihml32.exe Mffkgl32.exe File created C:\Windows\SysWOW64\Okjejkao.dll Lhcafa32.exe File created C:\Windows\SysWOW64\Igkhjdde.exe Hdjoii32.exe File created C:\Windows\SysWOW64\Fhihab32.dll Ligfakaa.exe File created C:\Windows\SysWOW64\Kaimoj32.dll Nphpng32.exe File created C:\Windows\SysWOW64\Gdflgo32.exe Gddobpbe.exe File created C:\Windows\SysWOW64\Qdofep32.exe Qfkelkkd.exe File opened for modification C:\Windows\SysWOW64\Kijmbnpo.exe Klfmijae.exe File created C:\Windows\SysWOW64\Nomklqkm.dll Jcfgoadd.exe File opened for modification C:\Windows\SysWOW64\Mpnngi32.exe Mgfiocfl.exe File opened for modification C:\Windows\SysWOW64\Clkicbfa.exe Cjmmffgn.exe File opened for modification C:\Windows\SysWOW64\Mgfiocfl.exe Meemgk32.exe File created C:\Windows\SysWOW64\Agiidifg.dll Iaobkf32.exe File created C:\Windows\SysWOW64\Elookl32.dll Cbcfbege.exe File opened for modification C:\Windows\SysWOW64\Blkjkflb.exe Bcbfbp32.exe File created C:\Windows\SysWOW64\Nhpfip32.dll Gonale32.exe File created C:\Windows\SysWOW64\Igceej32.exe Ibfmmb32.exe File created C:\Windows\SysWOW64\Hkbkpcpd.exe Hlmnogkl.exe File created C:\Windows\SysWOW64\Ghoijebj.exe Gmidlmcd.exe File opened for modification C:\Windows\SysWOW64\Dhgccbhp.exe Dbmkfh32.exe File opened for modification C:\Windows\SysWOW64\Lmlnjcgg.exe Kdqifajl.exe File opened for modification C:\Windows\SysWOW64\Agccbenc.exe Acejlfhl.exe File opened for modification C:\Windows\SysWOW64\Fnoiocfj.exe Fbiijb32.exe File created C:\Windows\SysWOW64\Ofoabofe.dll Iaegpaao.exe File created C:\Windows\SysWOW64\Mlbblc32.dll Ijnkifgp.exe File created C:\Windows\SysWOW64\Kbmafngi.exe Keiqlihp.exe File created C:\Windows\SysWOW64\Oomjng32.exe Onkmfofg.exe File created C:\Windows\SysWOW64\Kfodfh32.exe Kablnadm.exe File created C:\Windows\SysWOW64\Ofehob32.dll Epbpbnan.exe File opened for modification C:\Windows\SysWOW64\Kncaojfb.exe Jehlkhig.exe File created C:\Windows\SysWOW64\Kklkcn32.exe Kadfkhkf.exe File created C:\Windows\SysWOW64\Ojeobm32.exe Onnnml32.exe File created C:\Windows\SysWOW64\Ecinnn32.dll Padhdm32.exe File created C:\Windows\SysWOW64\Egjeoijn.dll Bdfooh32.exe File opened for modification C:\Windows\SysWOW64\Anecfgdc.exe Qbobaf32.exe File created C:\Windows\SysWOW64\Ockbdebl.exe Oomjng32.exe File opened for modification C:\Windows\SysWOW64\Bhjpnj32.exe Bjfpdf32.exe File created C:\Windows\SysWOW64\Qfdkaj32.dll Akkokc32.exe File created C:\Windows\SysWOW64\Bleppqce.dll Dgiomabc.exe File created C:\Windows\SysWOW64\Dgklibdj.dll Hlmnogkl.exe File created C:\Windows\SysWOW64\Fjjdbf32.dll Anjnnk32.exe File created C:\Windows\SysWOW64\Igbnok32.dll Djjjga32.exe File opened for modification C:\Windows\SysWOW64\Klcgpkhh.exe Jibnop32.exe File opened for modification C:\Windows\SysWOW64\Aphcppmo.exe Abdbflnf.exe File created C:\Windows\SysWOW64\Idkpganf.exe Iamdkfnc.exe File opened for modification C:\Windows\SysWOW64\Jondnnbk.exe Jefpeh32.exe File created C:\Windows\SysWOW64\Binbknik.dll Afffenbp.exe File opened for modification C:\Windows\SysWOW64\Nabopjmj.exe Nhjjgd32.exe File created C:\Windows\SysWOW64\Phoogg32.dll Apmcefmf.exe File created C:\Windows\SysWOW64\Dlijkoid.dll Mgnfji32.exe File opened for modification C:\Windows\SysWOW64\Ocdnloph.exe Oiljcj32.exe File opened for modification C:\Windows\SysWOW64\Bejiehfi.exe Aehmoh32.exe File created C:\Windows\SysWOW64\Nnokahip.exe Nhbciaki.exe File created C:\Windows\SysWOW64\Hganjo32.exe Gkedjo32.exe File created C:\Windows\SysWOW64\Hghdjn32.exe Hehhqk32.exe File created C:\Windows\SysWOW64\Oiljcj32.exe Omeini32.exe File created C:\Windows\SysWOW64\Eaeipfei.exe Eklqcl32.exe File created C:\Windows\SysWOW64\Chilje32.dll Pdkhag32.exe File created C:\Windows\SysWOW64\Pobeao32.exe Panehkaj.exe File created C:\Windows\SysWOW64\Pngbcldl.exe Plffkc32.exe File created C:\Windows\SysWOW64\Dglfle32.dll Ljkaeo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4192 1416 WerFault.exe 775 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obobnb32.dll" Jeclebja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjbmll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hganjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhapocoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bafkookd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffkncf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppfgdd32.dll" Pdcgeejf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkpfmnlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njjcip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcdhgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdobdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpnjfa32.dll" Iijfoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgkbfcck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fppmcmah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogoicfml.dll" Kfopdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agdlfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioooiack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feembf32.dll" Nhbciaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mehpga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjmmffgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpfdhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hemqpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccfkja32.dll" Chlgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iaobkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbbmmhm.dll" Hhogaamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmlnjcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madikm32.dll" Nljjqbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iindag32.dll" Qgfmlp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acejlfhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blodefdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djiqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dociji32.dll" Oioipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haemloni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpohhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaghki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll" Bieopm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdjoii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efpmmn32.dll" Mlolnllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjhhm32.dll" Oomjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjpmh32.dll" Nenakoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofglaipf.dll" Mfjkdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpoaheja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqfpd32.dll" Lmhdph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acbnggjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclpkjad.dll" Domccejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemgfj32.dll" Qhkipdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lijiaabk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhqeka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paafmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdamao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfmhch32.dll" Ajqljc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oemgplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkjphcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efdmgc32.dll" Glnhjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmaefik.dll" Aepbmhpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kafano32.dll" Icoepohq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdnjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqbaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akeaja32.dll" Djeljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckecpjdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehaja32.dll" Efjpkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hehhqk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1152 wrote to memory of 2224 1152 ac23d674e8f932016d3f3bf69dac68b0_NeikiAnalytics.exe 28 PID 1152 wrote to memory of 2224 1152 ac23d674e8f932016d3f3bf69dac68b0_NeikiAnalytics.exe 28 PID 1152 wrote to memory of 2224 1152 ac23d674e8f932016d3f3bf69dac68b0_NeikiAnalytics.exe 28 PID 1152 wrote to memory of 2224 1152 ac23d674e8f932016d3f3bf69dac68b0_NeikiAnalytics.exe 28 PID 2224 wrote to memory of 2028 2224 Ioooiack.exe 29 PID 2224 wrote to memory of 2028 2224 Ioooiack.exe 29 PID 2224 wrote to memory of 2028 2224 Ioooiack.exe 29 PID 2224 wrote to memory of 2028 2224 Ioooiack.exe 29 PID 2028 wrote to memory of 832 2028 Jbpdeogo.exe 30 PID 2028 wrote to memory of 832 2028 Jbpdeogo.exe 30 PID 2028 wrote to memory of 832 2028 Jbpdeogo.exe 30 PID 2028 wrote to memory of 832 2028 Jbpdeogo.exe 30 PID 832 wrote to memory of 2756 832 Jpjngh32.exe 31 PID 832 wrote to memory of 2756 832 Jpjngh32.exe 31 PID 832 wrote to memory of 2756 832 Jpjngh32.exe 31 PID 832 wrote to memory of 2756 832 Jpjngh32.exe 31 PID 2756 wrote to memory of 2576 2756 Jdhgnf32.exe 32 PID 2756 wrote to memory of 2576 2756 Jdhgnf32.exe 32 PID 2756 wrote to memory of 2576 2756 Jdhgnf32.exe 32 PID 2756 wrote to memory of 2576 2756 Jdhgnf32.exe 32 PID 2576 wrote to memory of 2772 2576 Klhemhpk.exe 33 PID 2576 wrote to memory of 2772 2576 Klhemhpk.exe 33 PID 2576 wrote to memory of 2772 2576 Klhemhpk.exe 33 PID 2576 wrote to memory of 2772 2576 Klhemhpk.exe 33 PID 2772 wrote to memory of 2412 2772 Khabghdl.exe 34 PID 2772 wrote to memory of 2412 2772 Khabghdl.exe 34 PID 2772 wrote to memory of 2412 2772 Khabghdl.exe 34 PID 2772 wrote to memory of 2412 2772 Khabghdl.exe 34 PID 2412 wrote to memory of 2424 2412 Lhelbh32.exe 35 PID 2412 wrote to memory of 2424 2412 Lhelbh32.exe 35 PID 2412 wrote to memory of 2424 2412 Lhelbh32.exe 35 PID 2412 wrote to memory of 2424 2412 Lhelbh32.exe 35 PID 2424 wrote to memory of 2452 2424 Lqcmmjko.exe 36 PID 2424 wrote to memory of 2452 2424 Lqcmmjko.exe 36 PID 2424 wrote to memory of 2452 2424 Lqcmmjko.exe 36 PID 2424 wrote to memory of 2452 2424 Lqcmmjko.exe 36 PID 2452 wrote to memory of 956 2452 Ljkaeo32.exe 37 PID 2452 wrote to memory of 956 2452 Ljkaeo32.exe 37 PID 2452 wrote to memory of 956 2452 Ljkaeo32.exe 37 PID 2452 wrote to memory of 956 2452 Ljkaeo32.exe 37 PID 956 wrote to memory of 1512 956 Mfglep32.exe 38 PID 956 wrote to memory of 1512 956 Mfglep32.exe 38 PID 956 wrote to memory of 1512 956 Mfglep32.exe 38 PID 956 wrote to memory of 1512 956 Mfglep32.exe 38 PID 1512 wrote to memory of 1936 1512 Mndmoaog.exe 39 PID 1512 wrote to memory of 1936 1512 Mndmoaog.exe 39 PID 1512 wrote to memory of 1936 1512 Mndmoaog.exe 39 PID 1512 wrote to memory of 1936 1512 Mndmoaog.exe 39 PID 1936 wrote to memory of 2168 1936 Mbbfep32.exe 40 PID 1936 wrote to memory of 2168 1936 Mbbfep32.exe 40 PID 1936 wrote to memory of 2168 1936 Mbbfep32.exe 40 PID 1936 wrote to memory of 2168 1936 Mbbfep32.exe 40 PID 2168 wrote to memory of 2328 2168 Nfghdcfj.exe 41 PID 2168 wrote to memory of 2328 2168 Nfghdcfj.exe 41 PID 2168 wrote to memory of 2328 2168 Nfghdcfj.exe 41 PID 2168 wrote to memory of 2328 2168 Nfghdcfj.exe 41 PID 2328 wrote to memory of 852 2328 Nenakoho.exe 42 PID 2328 wrote to memory of 852 2328 Nenakoho.exe 42 PID 2328 wrote to memory of 852 2328 Nenakoho.exe 42 PID 2328 wrote to memory of 852 2328 Nenakoho.exe 42 PID 852 wrote to memory of 2700 852 Oeckfndj.exe 43 PID 852 wrote to memory of 2700 852 Oeckfndj.exe 43 PID 852 wrote to memory of 2700 852 Oeckfndj.exe 43 PID 852 wrote to memory of 2700 852 Oeckfndj.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac23d674e8f932016d3f3bf69dac68b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ac23d674e8f932016d3f3bf69dac68b0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Mndmoaog.exeC:\Windows\system32\Mndmoaog.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1200 -
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Ajqljc32.exeC:\Windows\system32\Ajqljc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Amfognic.exeC:\Windows\system32\Amfognic.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe29⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe30⤵
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1896 -
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe35⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe36⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe37⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe38⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe39⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe40⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe41⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe42⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe46⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe48⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Fcnkhmdp.exeC:\Windows\system32\Fcnkhmdp.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Fcphnm32.exeC:\Windows\system32\Fcphnm32.exe50⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe51⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Ffaaoh32.exeC:\Windows\system32\Ffaaoh32.exe52⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe53⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe55⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe56⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe57⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe58⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe59⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe60⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe61⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe62⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe63⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe64⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe65⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe67⤵PID:1528
-
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe68⤵PID:612
-
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe69⤵PID:1948
-
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe70⤵PID:272
-
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe71⤵
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe72⤵PID:1620
-
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe73⤵PID:2688
-
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe74⤵PID:2964
-
C:\Windows\SysWOW64\Jbcjnnpl.exeC:\Windows\system32\Jbcjnnpl.exe75⤵PID:2924
-
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe76⤵PID:2960
-
C:\Windows\SysWOW64\Jlnklcej.exeC:\Windows\system32\Jlnklcej.exe77⤵PID:1988
-
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe78⤵
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe79⤵PID:2912
-
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe80⤵
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe81⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe82⤵PID:2868
-
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe84⤵
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe85⤵PID:1432
-
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe86⤵PID:944
-
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe87⤵PID:1696
-
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe88⤵PID:476
-
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe89⤵PID:2088
-
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe90⤵PID:1684
-
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe91⤵PID:1700
-
C:\Windows\SysWOW64\Lfmbek32.exeC:\Windows\system32\Lfmbek32.exe92⤵PID:1204
-
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe93⤵PID:904
-
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe94⤵PID:2144
-
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe95⤵PID:2252
-
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe96⤵PID:2276
-
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe97⤵PID:2464
-
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe98⤵PID:2564
-
C:\Windows\SysWOW64\Mgjnhaco.exeC:\Windows\system32\Mgjnhaco.exe99⤵PID:2436
-
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe100⤵PID:1668
-
C:\Windows\SysWOW64\Mjkgjl32.exeC:\Windows\system32\Mjkgjl32.exe101⤵PID:1084
-
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe102⤵
- Drops file in System32 directory
PID:1452 -
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe103⤵PID:1760
-
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe104⤵PID:1976
-
C:\Windows\SysWOW64\Nlqmmd32.exeC:\Windows\system32\Nlqmmd32.exe105⤵PID:2616
-
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe106⤵PID:1224
-
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe107⤵PID:276
-
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1268 -
C:\Windows\SysWOW64\Nhjjgd32.exeC:\Windows\system32\Nhjjgd32.exe109⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Nabopjmj.exeC:\Windows\system32\Nabopjmj.exe110⤵PID:2800
-
C:\Windows\SysWOW64\Njjcip32.exeC:\Windows\system32\Njjcip32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Opglafab.exeC:\Windows\system32\Opglafab.exe112⤵PID:3000
-
C:\Windows\SysWOW64\Ohncbdbd.exeC:\Windows\system32\Ohncbdbd.exe113⤵PID:2588
-
C:\Windows\SysWOW64\Oaghki32.exeC:\Windows\system32\Oaghki32.exe114⤵
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Oibmpl32.exeC:\Windows\system32\Oibmpl32.exe115⤵PID:2380
-
C:\Windows\SysWOW64\Oeindm32.exeC:\Windows\system32\Oeindm32.exe116⤵PID:2396
-
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1904 -
C:\Windows\SysWOW64\Oekjjl32.exeC:\Windows\system32\Oekjjl32.exe118⤵PID:1836
-
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe119⤵PID:580
-
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe120⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe121⤵
- Modifies registry class
PID:1960
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-