Analysis
-
max time kernel
90s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
02/06/2024, 22:45
Behavioral task
behavioral1
Sample
7a4a8aa4c3451dd93fa4b2d62938a520_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
7a4a8aa4c3451dd93fa4b2d62938a520_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
7a4a8aa4c3451dd93fa4b2d62938a520_NeikiAnalytics.exe
-
Size
368KB
-
MD5
7a4a8aa4c3451dd93fa4b2d62938a520
-
SHA1
25ed71623144c7b74ffc9cfcb3e731f577fc581b
-
SHA256
6e8b492c0fc0fcfe181270d1564deec618c3fa976497a313833bd9ecee47f7d9
-
SHA512
273ee4d5e505ee5c43efe7df5e567f2411ce3808acb1f3a4dc84cff4d8ce681da1b2511172f75560813bb51eb10e95fe3e088061390ccd9dd0298ec51d456a09
-
SSDEEP
6144:cOc/WMVf7Evlu0ZtE4f9FIUpOVw86CmOJfTo9FIUIhrcflDMxy9FIUpOVw86CmOA:cO4WUD6U0IaAD6RrI1+lDMEAD6Rr2NWL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibojncfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpcfkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banllbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lppbkgcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlmbfqoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbhoqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkaqnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimghn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pefhlaie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdopod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eepjpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fgppmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nipekiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjjahe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eaakpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkqeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjlgdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnbdioi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplnpeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Allpejfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iejcji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nepgjaeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bebblb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehimanbq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidklf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmkcqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijqmhnko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcllonma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdpkflfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joffnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhfedil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odnnnnfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qnhahj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbeqmoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oneklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hibljoco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmdina32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000a000000023423-6.dat family_berbew behavioral2/files/0x000700000002342b-14.dat family_berbew behavioral2/files/0x000700000002342e-17.dat family_berbew behavioral2/files/0x000700000002342e-22.dat family_berbew behavioral2/files/0x0007000000023430-30.dat family_berbew behavioral2/files/0x0007000000023432-38.dat family_berbew behavioral2/files/0x0007000000023434-46.dat family_berbew behavioral2/files/0x0007000000023436-54.dat family_berbew behavioral2/files/0x0007000000023438-57.dat family_berbew behavioral2/files/0x0007000000023438-64.dat family_berbew behavioral2/files/0x000700000002343a-70.dat family_berbew behavioral2/files/0x000700000002343c-80.dat family_berbew behavioral2/files/0x000700000002343e-86.dat family_berbew behavioral2/files/0x0007000000023440-95.dat family_berbew behavioral2/files/0x0007000000023442-102.dat family_berbew behavioral2/files/0x0007000000023446-119.dat family_berbew behavioral2/files/0x0007000000023448-127.dat family_berbew behavioral2/files/0x0007000000023444-111.dat family_berbew behavioral2/files/0x000700000002344b-136.dat family_berbew behavioral2/files/0x0008000000023428-142.dat family_berbew behavioral2/files/0x000700000002344e-150.dat family_berbew behavioral2/files/0x0007000000023450-158.dat family_berbew behavioral2/files/0x000d00000002338a-167.dat family_berbew behavioral2/files/0x0007000000023453-174.dat family_berbew behavioral2/files/0x0007000000023455-182.dat family_berbew behavioral2/files/0x0007000000023457-190.dat family_berbew behavioral2/files/0x0007000000023459-193.dat family_berbew behavioral2/files/0x0007000000023459-198.dat family_berbew behavioral2/files/0x000700000002345b-206.dat family_berbew behavioral2/files/0x000700000002345f-217.dat family_berbew behavioral2/files/0x000700000002345d-215.dat family_berbew behavioral2/files/0x0007000000023463-238.dat family_berbew behavioral2/files/0x0007000000023461-231.dat family_berbew behavioral2/files/0x000900000002338b-246.dat family_berbew behavioral2/files/0x0007000000023466-256.dat family_berbew behavioral2/files/0x000700000002347a-311.dat family_berbew behavioral2/files/0x0007000000023480-335.dat family_berbew behavioral2/files/0x0007000000023490-383.dat family_berbew behavioral2/files/0x000700000002349a-413.dat family_berbew behavioral2/files/0x00070000000234a0-431.dat family_berbew behavioral2/files/0x00070000000234a4-443.dat family_berbew behavioral2/files/0x00070000000234a8-455.dat family_berbew behavioral2/files/0x00070000000234ae-473.dat family_berbew behavioral2/files/0x00070000000234b0-480.dat family_berbew behavioral2/files/0x00070000000234b6-497.dat family_berbew behavioral2/files/0x00070000000234c8-553.dat family_berbew behavioral2/files/0x00070000000234e5-649.dat family_berbew behavioral2/files/0x00070000000234ed-676.dat family_berbew behavioral2/files/0x0007000000023509-771.dat family_berbew behavioral2/files/0x000700000002351d-837.dat family_berbew behavioral2/files/0x0007000000023523-857.dat family_berbew behavioral2/files/0x0007000000023529-879.dat family_berbew behavioral2/files/0x0007000000023531-905.dat family_berbew behavioral2/files/0x0007000000023539-933.dat family_berbew behavioral2/files/0x000700000002353d-947.dat family_berbew behavioral2/files/0x0007000000023541-960.dat family_berbew behavioral2/files/0x0007000000023549-987.dat family_berbew behavioral2/files/0x000700000002354f-1007.dat family_berbew behavioral2/files/0x0007000000023562-1069.dat family_berbew behavioral2/files/0x0007000000023578-1145.dat family_berbew behavioral2/files/0x0007000000023580-1172.dat family_berbew behavioral2/files/0x0007000000023584-1185.dat family_berbew behavioral2/files/0x0007000000023588-1198.dat family_berbew behavioral2/files/0x0007000000023590-1223.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3104 Hboagf32.exe 552 Hjfihc32.exe 2012 Hbanme32.exe 3088 Hjhfnccl.exe 916 Hbckbepg.exe 5036 Himcoo32.exe 844 Hfachc32.exe 3300 Hcedaheh.exe 3128 Hibljoco.exe 4908 Ipldfi32.exe 2932 Iffmccbi.exe 1856 Iakaql32.exe 4772 Ibmmhdhm.exe 2352 Ijdeiaio.exe 2240 Ibojncfj.exe 3380 Ijfboafl.exe 1220 Ipegmg32.exe 4160 Ibccic32.exe 3252 Ijkljp32.exe 3212 Jfaloa32.exe 3812 Jpjqhgol.exe 1524 Jbhmdbnp.exe 4404 Jibeql32.exe 3344 Jbkjjblm.exe 3604 Jdjfcecp.exe 4412 Jigollag.exe 3324 Jangmibi.exe 2656 Jdmcidam.exe 2032 Kdopod32.exe 4992 Kgmlkp32.exe 4456 Kdaldd32.exe 716 Kkkdan32.exe 1440 Kmjqmi32.exe 1520 Kphmie32.exe 4044 Kgbefoji.exe 1888 Kipabjil.exe 3256 Kpjjod32.exe 4936 Kdffocib.exe 448 Kkpnlm32.exe 4764 Kmnjhioc.exe 2588 Kpmfddnf.exe 4056 Kdhbec32.exe 4704 Kgfoan32.exe 4068 Lmqgnhmp.exe 5080 Ldkojb32.exe 2724 Lgikfn32.exe 4636 Liggbi32.exe 4864 Laopdgcg.exe 2664 Lcpllo32.exe 4228 Lkgdml32.exe 3488 Lnepih32.exe 3800 Lpcmec32.exe 3924 Lgneampk.exe 1896 Lilanioo.exe 4220 Ldaeka32.exe 668 Lklnhlfb.exe 2516 Lnjjdgee.exe 4464 Lddbqa32.exe 1724 Mjqjih32.exe 1304 Mdfofakp.exe 3544 Mgekbljc.exe 1196 Mpmokb32.exe 4904 Mcklgm32.exe 1528 Mjeddggd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gbpedjnb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Niojoeel.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fnckpmql.exe Fkeodaai.exe File created C:\Windows\SysWOW64\Keojhkpc.dll Fnckpmql.exe File opened for modification C:\Windows\SysWOW64\Gahjgj32.exe Gkobjpin.exe File created C:\Windows\SysWOW64\Pjdhhc32.dll Process not Found File created C:\Windows\SysWOW64\Cnfkdb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jigollag.exe Jdjfcecp.exe File created C:\Windows\SysWOW64\Fknicb32.exe Fgbmccpg.exe File created C:\Windows\SysWOW64\Hfegkoem.dll Qljjjqlc.exe File opened for modification C:\Windows\SysWOW64\Kgdpni32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hecjke32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Medgncoe.exe Mgagbf32.exe File created C:\Windows\SysWOW64\Qfcfml32.exe Qceiaa32.exe File created C:\Windows\SysWOW64\Molelb32.exe Mhbmphjm.exe File created C:\Windows\SysWOW64\Iahici32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bfolacnc.exe Process not Found File created C:\Windows\SysWOW64\Pkjnpq32.dll Pnfkma32.exe File created C:\Windows\SysWOW64\Ppamophb.exe Phjenbhp.exe File opened for modification C:\Windows\SysWOW64\Bdickcpo.exe Process not Found File created C:\Windows\SysWOW64\Kbhmbdle.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fgppmd32.exe Fdbdah32.exe File created C:\Windows\SysWOW64\Cpbponhh.dll Llipehgk.exe File opened for modification C:\Windows\SysWOW64\Afjeceml.exe Ackigjmh.exe File opened for modification C:\Windows\SysWOW64\Jklinohd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kbhmbdle.exe Process not Found File created C:\Windows\SysWOW64\Hpkknmgd.exe Process not Found File created C:\Windows\SysWOW64\Lepncd32.exe Lpcfkm32.exe File created C:\Windows\SysWOW64\Dfljoa32.dll Ajqgidij.exe File opened for modification C:\Windows\SysWOW64\Lelchgne.exe Lbngllob.exe File created C:\Windows\SysWOW64\Pefabkej.exe Process not Found File created C:\Windows\SysWOW64\Amjillkj.exe Process not Found File created C:\Windows\SysWOW64\Efjbcakl.exe Process not Found File created C:\Windows\SysWOW64\Hlepcdoa.exe Process not Found File created C:\Windows\SysWOW64\Modgdicm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pkhoae32.exe Pcagphom.exe File opened for modification C:\Windows\SysWOW64\Ccchof32.exe Cpglnhad.exe File created C:\Windows\SysWOW64\Hobipl32.dll Oidhlb32.exe File created C:\Windows\SysWOW64\Fbhpch32.exe Flngfn32.exe File opened for modification C:\Windows\SysWOW64\Mkhapk32.exe Process not Found File created C:\Windows\SysWOW64\Aehojk32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Iemppiab.exe Imakkfdg.exe File created C:\Windows\SysWOW64\Cajdjn32.dll Process not Found File created C:\Windows\SysWOW64\Okhbek32.dll Process not Found File created C:\Windows\SysWOW64\Jhbejblj.dll Process not Found File created C:\Windows\SysWOW64\Ldkojb32.exe Lmqgnhmp.exe File opened for modification C:\Windows\SysWOW64\Hbgmcnhf.exe Hecmijim.exe File created C:\Windows\SysWOW64\Hhmkaf32.dll Mlopkm32.exe File created C:\Windows\SysWOW64\Faenpf32.exe Fineoi32.exe File opened for modification C:\Windows\SysWOW64\Hehdfdek.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oiccje32.exe Process not Found File created C:\Windows\SysWOW64\Bgdnaigp.dll Hcedaheh.exe File created C:\Windows\SysWOW64\Jfaedkdp.exe Jcbihpel.exe File created C:\Windows\SysWOW64\Loglacfo.exe Llipehgk.exe File created C:\Windows\SysWOW64\Hbmhabha.dll Cjjlkk32.exe File opened for modification C:\Windows\SysWOW64\Fibhpbea.exe Fbhpch32.exe File opened for modification C:\Windows\SysWOW64\Dkpjdo32.exe Process not Found File created C:\Windows\SysWOW64\Hbckbepg.exe Hjhfnccl.exe File created C:\Windows\SysWOW64\Ooagno32.exe Olckbd32.exe File opened for modification C:\Windows\SysWOW64\Phjenbhp.exe Pgihfj32.exe File created C:\Windows\SysWOW64\Pahpfc32.exe Pkogiikb.exe File created C:\Windows\SysWOW64\Pninea32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gppcmeem.exe Process not Found File created C:\Windows\SysWOW64\Lbmolo32.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 16604 16832 Process not Found 1993 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdigjdia.dll" Kgopidgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndhqgbm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkhkjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll" Hbanme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eofbch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmiciaaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfjjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffangg32.dll" Pedbahod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfljoa32.dll" Ajqgidij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglmfnhm.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibqpimpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jeqbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaadlo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hfningai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Djklmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famcfn32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knghil32.dll" Emnbdioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjnkpdc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhaljido.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmmqg32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmgbngb.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdhfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eobocb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jilnqqbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaejbl32.dll" Kjmmepfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Acmobchj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmanjof.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdfmlhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ikaggmii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Piijno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aanjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbeqmoji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egijmegb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qljjjqlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qcaofebg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfnoiid.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pdfjifjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Inkjhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cgqqdeod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpengmlg.dll" Qcbfakec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Acfhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdiphhpk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oboaabga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmcojh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1908 wrote to memory of 3104 1908 7a4a8aa4c3451dd93fa4b2d62938a520_NeikiAnalytics.exe 82 PID 1908 wrote to memory of 3104 1908 7a4a8aa4c3451dd93fa4b2d62938a520_NeikiAnalytics.exe 82 PID 1908 wrote to memory of 3104 1908 7a4a8aa4c3451dd93fa4b2d62938a520_NeikiAnalytics.exe 82 PID 3104 wrote to memory of 552 3104 Hboagf32.exe 83 PID 3104 wrote to memory of 552 3104 Hboagf32.exe 83 PID 3104 wrote to memory of 552 3104 Hboagf32.exe 83 PID 552 wrote to memory of 2012 552 Hjfihc32.exe 84 PID 552 wrote to memory of 2012 552 Hjfihc32.exe 84 PID 552 wrote to memory of 2012 552 Hjfihc32.exe 84 PID 2012 wrote to memory of 3088 2012 Hbanme32.exe 85 PID 2012 wrote to memory of 3088 2012 Hbanme32.exe 85 PID 2012 wrote to memory of 3088 2012 Hbanme32.exe 85 PID 3088 wrote to memory of 916 3088 Hjhfnccl.exe 86 PID 3088 wrote to memory of 916 3088 Hjhfnccl.exe 86 PID 3088 wrote to memory of 916 3088 Hjhfnccl.exe 86 PID 916 wrote to memory of 5036 916 Hbckbepg.exe 87 PID 916 wrote to memory of 5036 916 Hbckbepg.exe 87 PID 916 wrote to memory of 5036 916 Hbckbepg.exe 87 PID 5036 wrote to memory of 844 5036 Himcoo32.exe 89 PID 5036 wrote to memory of 844 5036 Himcoo32.exe 89 PID 5036 wrote to memory of 844 5036 Himcoo32.exe 89 PID 844 wrote to memory of 3300 844 Hfachc32.exe 90 PID 844 wrote to memory of 3300 844 Hfachc32.exe 90 PID 844 wrote to memory of 3300 844 Hfachc32.exe 90 PID 3300 wrote to memory of 3128 3300 Hcedaheh.exe 92 PID 3300 wrote to memory of 3128 3300 Hcedaheh.exe 92 PID 3300 wrote to memory of 3128 3300 Hcedaheh.exe 92 PID 3128 wrote to memory of 4908 3128 Hibljoco.exe 93 PID 3128 wrote to memory of 4908 3128 Hibljoco.exe 93 PID 3128 wrote to memory of 4908 3128 Hibljoco.exe 93 PID 4908 wrote to memory of 2932 4908 Ipldfi32.exe 94 PID 4908 wrote to memory of 2932 4908 Ipldfi32.exe 94 PID 4908 wrote to memory of 2932 4908 Ipldfi32.exe 94 PID 2932 wrote to memory of 1856 2932 Iffmccbi.exe 96 PID 2932 wrote to memory of 1856 2932 Iffmccbi.exe 96 PID 2932 wrote to memory of 1856 2932 Iffmccbi.exe 96 PID 1856 wrote to memory of 4772 1856 Iakaql32.exe 97 PID 1856 wrote to memory of 4772 1856 Iakaql32.exe 97 PID 1856 wrote to memory of 4772 1856 Iakaql32.exe 97 PID 4772 wrote to memory of 2352 4772 Ibmmhdhm.exe 98 PID 4772 wrote to memory of 2352 4772 Ibmmhdhm.exe 98 PID 4772 wrote to memory of 2352 4772 Ibmmhdhm.exe 98 PID 2352 wrote to memory of 2240 2352 Ijdeiaio.exe 99 PID 2352 wrote to memory of 2240 2352 Ijdeiaio.exe 99 PID 2352 wrote to memory of 2240 2352 Ijdeiaio.exe 99 PID 2240 wrote to memory of 3380 2240 Ibojncfj.exe 100 PID 2240 wrote to memory of 3380 2240 Ibojncfj.exe 100 PID 2240 wrote to memory of 3380 2240 Ibojncfj.exe 100 PID 3380 wrote to memory of 1220 3380 Ijfboafl.exe 101 PID 3380 wrote to memory of 1220 3380 Ijfboafl.exe 101 PID 3380 wrote to memory of 1220 3380 Ijfboafl.exe 101 PID 1220 wrote to memory of 4160 1220 Ipegmg32.exe 102 PID 1220 wrote to memory of 4160 1220 Ipegmg32.exe 102 PID 1220 wrote to memory of 4160 1220 Ipegmg32.exe 102 PID 4160 wrote to memory of 3252 4160 Ibccic32.exe 103 PID 4160 wrote to memory of 3252 4160 Ibccic32.exe 103 PID 4160 wrote to memory of 3252 4160 Ibccic32.exe 103 PID 3252 wrote to memory of 3212 3252 Ijkljp32.exe 104 PID 3252 wrote to memory of 3212 3252 Ijkljp32.exe 104 PID 3252 wrote to memory of 3212 3252 Ijkljp32.exe 104 PID 3212 wrote to memory of 3812 3212 Jfaloa32.exe 105 PID 3212 wrote to memory of 3812 3212 Jfaloa32.exe 105 PID 3212 wrote to memory of 3812 3212 Jfaloa32.exe 105 PID 3812 wrote to memory of 1524 3812 Jpjqhgol.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a4a8aa4c3451dd93fa4b2d62938a520_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\7a4a8aa4c3451dd93fa4b2d62938a520_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe23⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe24⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe25⤵
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3604 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe27⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe28⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe29⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe31⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe32⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe33⤵
- Executes dropped EXE
PID:716 -
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe34⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe35⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe36⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe37⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe38⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe39⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe40⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe41⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe42⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe43⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe44⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4068 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe46⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe47⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe48⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe49⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe50⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe51⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe52⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe53⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe54⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe55⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe56⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe57⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe58⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe59⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe60⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe61⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe62⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe63⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe64⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe65⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe66⤵PID:2304
-
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe67⤵PID:1592
-
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe68⤵PID:4632
-
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe69⤵PID:4880
-
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe70⤵PID:4876
-
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe71⤵PID:5032
-
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe72⤵PID:3296
-
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe73⤵PID:4328
-
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe74⤵PID:2496
-
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe75⤵PID:3704
-
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe76⤵PID:1820
-
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe77⤵PID:3084
-
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe78⤵PID:5044
-
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe79⤵PID:4424
-
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe80⤵PID:1792
-
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe81⤵PID:816
-
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe82⤵PID:652
-
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe83⤵PID:5076
-
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe84⤵PID:3608
-
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe85⤵
- Modifies registry class
PID:4768 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1532 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe87⤵PID:4080
-
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe88⤵PID:4592
-
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe89⤵PID:2084
-
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe90⤵PID:1372
-
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe91⤵PID:3244
-
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe92⤵PID:208
-
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe93⤵PID:3504
-
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe94⤵PID:5148
-
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe95⤵PID:5212
-
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe96⤵PID:5264
-
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe97⤵PID:5328
-
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe98⤵PID:5388
-
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe99⤵PID:5436
-
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe100⤵PID:5480
-
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe101⤵PID:5520
-
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe102⤵PID:5568
-
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe103⤵PID:5608
-
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe104⤵PID:5668
-
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe105⤵PID:5712
-
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe106⤵PID:5756
-
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe107⤵PID:5800
-
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe108⤵PID:5844
-
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe109⤵PID:5888
-
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe110⤵
- Drops file in System32 directory
PID:5928 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe111⤵PID:5972
-
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe112⤵
- Drops file in System32 directory
PID:6016 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe113⤵PID:6056
-
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe114⤵PID:6100
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe115⤵PID:3356
-
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe116⤵PID:5204
-
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe117⤵PID:5316
-
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe118⤵PID:5376
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe119⤵PID:5476
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe120⤵PID:5556
-
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe121⤵PID:5592
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-