Analysis
-
max time kernel
150s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14-05-2024 08:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
acc8542c2986c94200a67459586f9be0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
acc8542c2986c94200a67459586f9be0_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
acc8542c2986c94200a67459586f9be0_NeikiAnalytics.exe
-
Size
872KB
-
MD5
acc8542c2986c94200a67459586f9be0
-
SHA1
b4c05ece2ea09f9482a9cb4ad3f9cc9c66e2aa07
-
SHA256
8c2743903ac44da8139677bf46123a96449d0849baca0502e5e4f5440dca6b10
-
SHA512
e30096e95221d451ddee8884ada721f5ca2dc7bf72c54783bf16962497ed09a731ed78c3e6eb5415d960206232a620f6b372b6756f3c310a8415ad7cb4d41ea0
-
SSDEEP
24576:k/HPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+Y:k/XbazR0v
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbfnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehhdaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioooiack.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbfkmeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dobgihgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onfoin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmglajcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfognic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onfoin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoojnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdhaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oflpgnld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gefmcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgkhdddo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mccbmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Homdhjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipmqgmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amfognic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdpbq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfoee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jimdcqom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad acc8542c2986c94200a67459586f9be0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgmpibam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdcpkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkbaci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afliclij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djfdob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djiqdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npjlhcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npjlhcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keqkofno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcfemmna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifampo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhlmmfef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofnpnkgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agglbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcigco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgfdie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnoogbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bigkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncmglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opialpld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plmbkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibnop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmadbjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imlhebfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phfoee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbabho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndhlhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofcbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgkfal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eolmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egajnfoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgdibkam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippdgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocmim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqklqhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcjhmcok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oekjjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfpdkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbdmeoob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkdmfe32.exe -
Executes dropped EXE 64 IoCs
pid Process 2588 Nmhmlbkk.exe 2512 Oghhfg32.exe 2516 Phpjnnki.exe 2816 Pkacpihj.exe 2432 Pdldnomh.exe 1004 Aboaff32.exe 112 Ajjfkh32.exe 2664 Bbonei32.exe 2700 Cbajkiof.exe 1892 Ckolek32.exe 1744 Comdkipe.exe 2136 Edlfhc32.exe 1436 Endjaief.exe 1740 Eolmip32.exe 524 Ffibkj32.exe 1104 Fhikme32.exe 2952 Ggfnopfg.exe 920 Hfpdkl32.exe 2768 Hnkion32.exe 1832 Hipmmg32.exe 1088 Hbiaemkk.exe 3068 Hhhgcc32.exe 1676 Hmeolj32.exe 2752 Hmglajcd.exe 2812 Ifampo32.exe 2340 Ioooiack.exe 1588 Ihhcbf32.exe 2932 Jenpajfb.exe 2564 Jhlmmfef.exe 2620 Jhafhe32.exe 2556 Jdhgnf32.exe 2696 Jnpkflne.exe 2396 Kjihalag.exe 2836 Kbdmeoob.exe 2716 Kfbfkmeh.exe 1636 Kdhcli32.exe 1904 Lqncaj32.exe 1916 Lgkhdddo.exe 756 Lqcmmjko.exe 2016 Lohjnf32.exe 2476 Lmljgj32.exe 2220 Mmadbjkk.exe 1140 Mbnljqic.exe 832 Mndmoaog.exe 1800 Mccbmh32.exe 960 Nagbgl32.exe 3016 Ndhlhg32.exe 1108 Nbniid32.exe 2888 Olmcchlg.exe 568 Ogiaif32.exe 1164 Ogknoe32.exe 2524 Pilfpqaa.exe 2416 Pcdkif32.exe 2672 Peedka32.exe 2616 Ppkhhjei.exe 2600 Pegqpacp.exe 2544 Pejmfqan.exe 1568 Qgmfchei.exe 1408 Qngopb32.exe 2244 Agpcihcf.exe 1116 Amohfo32.exe 2004 Ajcipc32.exe 3000 Acnjnh32.exe 924 Amfognic.exe -
Loads dropped DLL 64 IoCs
pid Process 2256 acc8542c2986c94200a67459586f9be0_NeikiAnalytics.exe 2256 acc8542c2986c94200a67459586f9be0_NeikiAnalytics.exe 2588 Nmhmlbkk.exe 2588 Nmhmlbkk.exe 2512 Oghhfg32.exe 2512 Oghhfg32.exe 2516 Phpjnnki.exe 2516 Phpjnnki.exe 2816 Pkacpihj.exe 2816 Pkacpihj.exe 2432 Pdldnomh.exe 2432 Pdldnomh.exe 1004 Aboaff32.exe 1004 Aboaff32.exe 112 Ajjfkh32.exe 112 Ajjfkh32.exe 2664 Bbonei32.exe 2664 Bbonei32.exe 2700 Cbajkiof.exe 2700 Cbajkiof.exe 1892 Ckolek32.exe 1892 Ckolek32.exe 1744 Comdkipe.exe 1744 Comdkipe.exe 2136 Edlfhc32.exe 2136 Edlfhc32.exe 1436 Endjaief.exe 1436 Endjaief.exe 1740 Eolmip32.exe 1740 Eolmip32.exe 524 Ffibkj32.exe 524 Ffibkj32.exe 1104 Fhikme32.exe 1104 Fhikme32.exe 2952 Ggfnopfg.exe 2952 Ggfnopfg.exe 920 Hfpdkl32.exe 920 Hfpdkl32.exe 2768 Hnkion32.exe 2768 Hnkion32.exe 1832 Hipmmg32.exe 1832 Hipmmg32.exe 1088 Hbiaemkk.exe 1088 Hbiaemkk.exe 3068 Hhhgcc32.exe 3068 Hhhgcc32.exe 1676 Hmeolj32.exe 1676 Hmeolj32.exe 2752 Hmglajcd.exe 2752 Hmglajcd.exe 2812 Ifampo32.exe 2812 Ifampo32.exe 2340 Ioooiack.exe 2340 Ioooiack.exe 1588 Ihhcbf32.exe 1588 Ihhcbf32.exe 2932 Jenpajfb.exe 2932 Jenpajfb.exe 2564 Jhlmmfef.exe 2564 Jhlmmfef.exe 2620 Jhafhe32.exe 2620 Jhafhe32.exe 2556 Jdhgnf32.exe 2556 Jdhgnf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ibcphc32.exe Ieponofk.exe File opened for modification C:\Windows\SysWOW64\Djiqdb32.exe Djfdob32.exe File created C:\Windows\SysWOW64\Mmccqbpm.exe Mfjkdh32.exe File created C:\Windows\SysWOW64\Hfjckino.dll Ippdgc32.exe File created C:\Windows\SysWOW64\Ipnlibhd.dll Peedka32.exe File opened for modification C:\Windows\SysWOW64\Ieomef32.exe Hpbdmo32.exe File opened for modification C:\Windows\SysWOW64\Llgjaeoj.exe Locjhqpa.exe File created C:\Windows\SysWOW64\Oniebmda.exe Olkifaen.exe File created C:\Windows\SysWOW64\Dejdjfjb.dll Hpbdmo32.exe File opened for modification C:\Windows\SysWOW64\Djfdob32.exe Danpemej.exe File created C:\Windows\SysWOW64\Jdhifooi.exe Jjnhhjjk.exe File opened for modification C:\Windows\SysWOW64\Eopphehb.exe Dinneo32.exe File created C:\Windows\SysWOW64\Oiimgf32.dll Emdmjamj.exe File opened for modification C:\Windows\SysWOW64\Cehfkb32.exe Cbgmigeq.exe File created C:\Windows\SysWOW64\Dphmloih.exe Dhkkbmnp.exe File created C:\Windows\SysWOW64\Eclbcj32.exe Dbifnj32.exe File opened for modification C:\Windows\SysWOW64\Fpoolael.exe Edfbaabj.exe File created C:\Windows\SysWOW64\Nlcgpm32.dll Lhnkffeo.exe File created C:\Windows\SysWOW64\Imdbjp32.dll Nibqqh32.exe File created C:\Windows\SysWOW64\Ppkhhjei.exe Peedka32.exe File created C:\Windows\SysWOW64\Cmfkfa32.exe Bjebdfnn.exe File opened for modification C:\Windows\SysWOW64\Qhilkege.exe Popgboae.exe File created C:\Windows\SysWOW64\Jpjifjdg.exe Jimdcqom.exe File created C:\Windows\SysWOW64\Ckcdknaf.dll Eeaepd32.exe File created C:\Windows\SysWOW64\Boogmgkl.exe Bgcbhd32.exe File opened for modification C:\Windows\SysWOW64\Jacfidem.exe Jpajbl32.exe File opened for modification C:\Windows\SysWOW64\Qkghgpfi.exe Qhilkege.exe File created C:\Windows\SysWOW64\Cbdmhnfl.dll Iamfdo32.exe File created C:\Windows\SysWOW64\Ifhckf32.dll Mcjhmcok.exe File created C:\Windows\SysWOW64\Fgfdie32.exe Fibcoalf.exe File created C:\Windows\SysWOW64\Klbdgb32.exe Jpigma32.exe File created C:\Windows\SysWOW64\Aamhcmdo.dll Bfabnl32.exe File created C:\Windows\SysWOW64\Hipmmg32.exe Hnkion32.exe File created C:\Windows\SysWOW64\Peedka32.exe Pcdkif32.exe File opened for modification C:\Windows\SysWOW64\Ehjqgjmp.exe Emdmjamj.exe File created C:\Windows\SysWOW64\Jjipagod.dll Ehjqgjmp.exe File created C:\Windows\SysWOW64\Nkmggbfb.dll Ghlfjq32.exe File opened for modification C:\Windows\SysWOW64\Eogolc32.exe Eikfdl32.exe File created C:\Windows\SysWOW64\Kdfkqifa.dll Mmadbjkk.exe File created C:\Windows\SysWOW64\Ckbjaopk.dll Bckjhl32.exe File opened for modification C:\Windows\SysWOW64\Ckbpqe32.exe Cehhdkjf.exe File opened for modification C:\Windows\SysWOW64\Hipmmg32.exe Hnkion32.exe File created C:\Windows\SysWOW64\Mahildbb.dll Popgboae.exe File opened for modification C:\Windows\SysWOW64\Amohfo32.exe Agpcihcf.exe File created C:\Windows\SysWOW64\Elipgofb.exe Eoepnk32.exe File opened for modification C:\Windows\SysWOW64\Kbmome32.exe Jnofgg32.exe File created C:\Windows\SysWOW64\Nmhmlbkk.exe acc8542c2986c94200a67459586f9be0_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Lnpfoc32.dll Qgmfchei.exe File created C:\Windows\SysWOW64\Jmgghnmp.dll Oeindm32.exe File created C:\Windows\SysWOW64\Aljcpg32.dll Gpjkeoha.exe File created C:\Windows\SysWOW64\Jkbaci32.exe Jdhifooi.exe File created C:\Windows\SysWOW64\Qgmfchei.exe Pejmfqan.exe File created C:\Windows\SysWOW64\Nihqegkl.dll Agpcihcf.exe File created C:\Windows\SysWOW64\Kcjjof32.dll Eclbcj32.exe File created C:\Windows\SysWOW64\Ghlfjq32.exe Gconbj32.exe File created C:\Windows\SysWOW64\Jmiajbpa.dll Hmglajcd.exe File created C:\Windows\SysWOW64\Amfognic.exe Acnjnh32.exe File opened for modification C:\Windows\SysWOW64\Inlkik32.exe Iedfqeka.exe File created C:\Windows\SysWOW64\Ahebaiac.exe Achjibcl.exe File created C:\Windows\SysWOW64\Ifkmqd32.dll Jpjifjdg.exe File created C:\Windows\SysWOW64\Knpkmqgb.dll Bbonei32.exe File created C:\Windows\SysWOW64\Mccbmh32.exe Mndmoaog.exe File created C:\Windows\SysWOW64\Mbchni32.exe Mdogedmh.exe File created C:\Windows\SysWOW64\Colpld32.exe Coicfd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1612 3736 WerFault.exe 342 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll" Klecfkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knqcbd32.dll" Mcqombic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apkgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifibfn.dll" Fhgifgnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbpqjma.dll" Gefmcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieomef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffgkhmc.dll" Mqklqhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaiqn32.dll" Olebgfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgojdj32.dll" Fepjea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inbnhihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oejcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfanmogq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niidma32.dll" Lqcmmjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmkcil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahnac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpgffe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Locjhqpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egajnfoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eakhdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhafhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbgkbdb.dll" Mccbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfncpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbqmhnbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmlkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbieeo32.dll" Kofcbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plmbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcikef32.dll" Lmljgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll" Ahebaiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khnapkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjfkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldmopa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbhccm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cogfqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddco32.dll" Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hneebcff.dll" Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coacbfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nppofado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocimkc32.dll" Cjjnhnbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amfognic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfbdci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmckc32.dll" Goqnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojojafnk.dll" Inlkik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imlhebfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jibnop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgbfnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopjqipp.dll" Olmcchlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpafapbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node acc8542c2986c94200a67459586f9be0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipmqgmcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eolmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aebmjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahebaiac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pegqpacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gobdahei.dll" Kpgffe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inlkik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajjfkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcool32.dll" Dcdkef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmfenoo.dll" Fmfocnjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jimdcqom.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2256 wrote to memory of 2588 2256 acc8542c2986c94200a67459586f9be0_NeikiAnalytics.exe 28 PID 2256 wrote to memory of 2588 2256 acc8542c2986c94200a67459586f9be0_NeikiAnalytics.exe 28 PID 2256 wrote to memory of 2588 2256 acc8542c2986c94200a67459586f9be0_NeikiAnalytics.exe 28 PID 2256 wrote to memory of 2588 2256 acc8542c2986c94200a67459586f9be0_NeikiAnalytics.exe 28 PID 2588 wrote to memory of 2512 2588 Nmhmlbkk.exe 29 PID 2588 wrote to memory of 2512 2588 Nmhmlbkk.exe 29 PID 2588 wrote to memory of 2512 2588 Nmhmlbkk.exe 29 PID 2588 wrote to memory of 2512 2588 Nmhmlbkk.exe 29 PID 2512 wrote to memory of 2516 2512 Oghhfg32.exe 30 PID 2512 wrote to memory of 2516 2512 Oghhfg32.exe 30 PID 2512 wrote to memory of 2516 2512 Oghhfg32.exe 30 PID 2512 wrote to memory of 2516 2512 Oghhfg32.exe 30 PID 2516 wrote to memory of 2816 2516 Phpjnnki.exe 31 PID 2516 wrote to memory of 2816 2516 Phpjnnki.exe 31 PID 2516 wrote to memory of 2816 2516 Phpjnnki.exe 31 PID 2516 wrote to memory of 2816 2516 Phpjnnki.exe 31 PID 2816 wrote to memory of 2432 2816 Pkacpihj.exe 32 PID 2816 wrote to memory of 2432 2816 Pkacpihj.exe 32 PID 2816 wrote to memory of 2432 2816 Pkacpihj.exe 32 PID 2816 wrote to memory of 2432 2816 Pkacpihj.exe 32 PID 2432 wrote to memory of 1004 2432 Pdldnomh.exe 33 PID 2432 wrote to memory of 1004 2432 Pdldnomh.exe 33 PID 2432 wrote to memory of 1004 2432 Pdldnomh.exe 33 PID 2432 wrote to memory of 1004 2432 Pdldnomh.exe 33 PID 1004 wrote to memory of 112 1004 Aboaff32.exe 34 PID 1004 wrote to memory of 112 1004 Aboaff32.exe 34 PID 1004 wrote to memory of 112 1004 Aboaff32.exe 34 PID 1004 wrote to memory of 112 1004 Aboaff32.exe 34 PID 112 wrote to memory of 2664 112 Ajjfkh32.exe 35 PID 112 wrote to memory of 2664 112 Ajjfkh32.exe 35 PID 112 wrote to memory of 2664 112 Ajjfkh32.exe 35 PID 112 wrote to memory of 2664 112 Ajjfkh32.exe 35 PID 2664 wrote to memory of 2700 2664 Bbonei32.exe 36 PID 2664 wrote to memory of 2700 2664 Bbonei32.exe 36 PID 2664 wrote to memory of 2700 2664 Bbonei32.exe 36 PID 2664 wrote to memory of 2700 2664 Bbonei32.exe 36 PID 2700 wrote to memory of 1892 2700 Cbajkiof.exe 37 PID 2700 wrote to memory of 1892 2700 Cbajkiof.exe 37 PID 2700 wrote to memory of 1892 2700 Cbajkiof.exe 37 PID 2700 wrote to memory of 1892 2700 Cbajkiof.exe 37 PID 1892 wrote to memory of 1744 1892 Ckolek32.exe 38 PID 1892 wrote to memory of 1744 1892 Ckolek32.exe 38 PID 1892 wrote to memory of 1744 1892 Ckolek32.exe 38 PID 1892 wrote to memory of 1744 1892 Ckolek32.exe 38 PID 1744 wrote to memory of 2136 1744 Comdkipe.exe 39 PID 1744 wrote to memory of 2136 1744 Comdkipe.exe 39 PID 1744 wrote to memory of 2136 1744 Comdkipe.exe 39 PID 1744 wrote to memory of 2136 1744 Comdkipe.exe 39 PID 2136 wrote to memory of 1436 2136 Edlfhc32.exe 40 PID 2136 wrote to memory of 1436 2136 Edlfhc32.exe 40 PID 2136 wrote to memory of 1436 2136 Edlfhc32.exe 40 PID 2136 wrote to memory of 1436 2136 Edlfhc32.exe 40 PID 1436 wrote to memory of 1740 1436 Endjaief.exe 41 PID 1436 wrote to memory of 1740 1436 Endjaief.exe 41 PID 1436 wrote to memory of 1740 1436 Endjaief.exe 41 PID 1436 wrote to memory of 1740 1436 Endjaief.exe 41 PID 1740 wrote to memory of 524 1740 Eolmip32.exe 42 PID 1740 wrote to memory of 524 1740 Eolmip32.exe 42 PID 1740 wrote to memory of 524 1740 Eolmip32.exe 42 PID 1740 wrote to memory of 524 1740 Eolmip32.exe 42 PID 524 wrote to memory of 1104 524 Ffibkj32.exe 43 PID 524 wrote to memory of 1104 524 Ffibkj32.exe 43 PID 524 wrote to memory of 1104 524 Ffibkj32.exe 43 PID 524 wrote to memory of 1104 524 Ffibkj32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\acc8542c2986c94200a67459586f9be0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\acc8542c2986c94200a67459586f9be0_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832 -
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe33⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe34⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe37⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe38⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe41⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe44⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Mndmoaog.exeC:\Windows\system32\Mndmoaog.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe47⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe49⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe51⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe52⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe53⤵PID:1156
-
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe54⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe57⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe61⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe63⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe64⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Amfognic.exeC:\Windows\system32\Amfognic.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe67⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe68⤵PID:2928
-
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1524 -
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe70⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe71⤵
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe72⤵PID:1684
-
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2052 -
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe74⤵
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe75⤵PID:3044
-
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe76⤵PID:2668
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1144 -
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe78⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe79⤵PID:1608
-
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe80⤵PID:2456
-
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe81⤵
- Drops file in System32 directory
PID:1260 -
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe82⤵
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe83⤵
- Drops file in System32 directory
PID:792 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe84⤵PID:3020
-
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe85⤵
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe86⤵
- Drops file in System32 directory
PID:776 -
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe87⤵PID:540
-
C:\Windows\SysWOW64\Fjhcegll.exeC:\Windows\system32\Fjhcegll.exe88⤵PID:2976
-
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe89⤵PID:2628
-
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe90⤵PID:1560
-
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe91⤵PID:2148
-
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe92⤵PID:2500
-
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe93⤵PID:2568
-
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe94⤵PID:2208
-
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe95⤵
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe98⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe99⤵
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Injndk32.exeC:\Windows\system32\Injndk32.exe100⤵PID:2312
-
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe101⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe102⤵
- Modifies registry class
PID:752 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe105⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe106⤵PID:936
-
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe107⤵
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Klbdgb32.exeC:\Windows\system32\Klbdgb32.exe108⤵PID:2808
-
C:\Windows\SysWOW64\Kdnild32.exeC:\Windows\system32\Kdnild32.exe109⤵PID:2284
-
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2804 -
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe111⤵PID:1268
-
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe112⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe113⤵PID:2240
-
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe114⤵PID:2040
-
C:\Windows\SysWOW64\Lboiol32.exeC:\Windows\system32\Lboiol32.exe115⤵PID:2116
-
C:\Windows\SysWOW64\Locjhqpa.exeC:\Windows\system32\Locjhqpa.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Llgjaeoj.exeC:\Windows\system32\Llgjaeoj.exe117⤵PID:1340
-
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe118⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Mnomjl32.exeC:\Windows\system32\Mnomjl32.exe121⤵PID:2360
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-