Analysis
-
max time kernel
139s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
13/05/2024, 08:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a86577be993c66d8f03c814a08f4bff0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a86577be993c66d8f03c814a08f4bff0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a86577be993c66d8f03c814a08f4bff0_NeikiAnalytics.exe
-
Size
726KB
-
MD5
a86577be993c66d8f03c814a08f4bff0
-
SHA1
1943f819a8f692ed8592b74b643e6e3b3f10f9fb
-
SHA256
09e5ecb8a8f43c0dd4067ba8e9dc63402fbee95b61a320d0086469ce01f1f741
-
SHA512
bd6ab6de911f9e97115030e5413efa531364b899f9ee3e8f2a879a706609625d9a20f0dbad0d6915bce1d37ac034cd31488eeeb36b33e9293f5fee8b92d0e500
-
SSDEEP
12288:aufkmRm3+wyVMSyPTZXkz8eooHkz8eooS21kz8eoohm3+wyVMSyPTZXkz8eoo:aTOwGOTdkgykgx21kgdOwGOTdkg
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbbkaako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdhdajea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhilfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imihfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Maohkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhidjpqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfcbjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdcjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pemomqcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgjopal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngpjnkpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqklmpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clnjjpod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieliebnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acpbbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghklce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qofcff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Epikpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icjmmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhikcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lblaabdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpglnhad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdmga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gimjhafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjmgfgdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Polppg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Embddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Acfhad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfhqbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bebblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lblaabdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcmpodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhbolp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdida32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhbgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Likcilhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjnffjkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajdbcano.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfkedibe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghhhcomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijcahd32.exe -
Executes dropped EXE 64 IoCs
pid Process 3528 Dagiil32.exe 5072 Dcfebonm.exe 3424 Dpjflb32.exe 3032 Dchbhn32.exe 1416 Efikji32.exe 792 Epopgbia.exe 1688 Ehjdldfl.exe 392 Ecphimfb.exe 1592 Ebeejijj.exe 3656 Ecdbdl32.exe 60 Ffbnph32.exe 452 Fokbim32.exe 5068 Fqkocpod.exe 4904 Fbllkh32.exe 4076 Fopldmcl.exe 3068 Fihqmb32.exe 2412 Fqohnp32.exe 3512 Fodeolof.exe 2316 Gimjhafg.exe 4932 Gqdbiofi.exe 4576 Gfqjafdq.exe 1256 Gmkbnp32.exe 3248 Goiojk32.exe 2744 Gcekkjcj.exe 1948 Gfcgge32.exe 3324 Gpklpkio.exe 1472 Gbjhlfhb.exe 2272 Gfedle32.exe 3760 Gidphq32.exe 4336 Gmoliohh.exe 3812 Gpnhekgl.exe 1396 Gbldaffp.exe 1664 Gfhqbe32.exe 404 Gifmnpnl.exe 4484 Gameonno.exe 2620 Gppekj32.exe 2168 Hboagf32.exe 4584 Hjfihc32.exe 856 Hihicplj.exe 4420 Hapaemll.exe 4412 Hpbaqj32.exe 2424 Hbanme32.exe 3288 Hfljmdjc.exe 4024 Hikfip32.exe 4812 Habnjm32.exe 620 Hcqjfh32.exe 3776 Hbckbepg.exe 1172 Hjjbcbqj.exe 448 Himcoo32.exe 3716 Hadkpm32.exe 3128 Hccglh32.exe 2584 Hbeghene.exe 1916 Hjmoibog.exe 976 Hmklen32.exe 2112 Haggelfd.exe 2488 Hfcpncdk.exe 2920 Haidklda.exe 5064 Icgqggce.exe 3616 Ibjqcd32.exe 3100 Ijaida32.exe 1428 Impepm32.exe 2932 Iakaql32.exe 1668 Icjmmg32.exe 1776 Ibmmhdhm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Khoana32.dll Process not Found File created C:\Windows\SysWOW64\Kgnbdh32.exe Process not Found File created C:\Windows\SysWOW64\Hnddgjbj.exe Hkehkocf.exe File opened for modification C:\Windows\SysWOW64\Ajcdnd32.exe Agdhbi32.exe File opened for modification C:\Windows\SysWOW64\Gahcmd32.exe Giqkkf32.exe File created C:\Windows\SysWOW64\Knfeeimj.exe Process not Found File created C:\Windows\SysWOW64\Jebiel32.dll Process not Found File created C:\Windows\SysWOW64\Bcgpgh32.dll Fineoi32.exe File opened for modification C:\Windows\SysWOW64\Oeokal32.exe Process not Found File created C:\Windows\SysWOW64\Locfbi32.dll Process not Found File created C:\Windows\SysWOW64\Gfkcaoef.dll Process not Found File created C:\Windows\SysWOW64\Ncnadk32.exe Nqpego32.exe File opened for modification C:\Windows\SysWOW64\Qbgqio32.exe Qgallfcq.exe File opened for modification C:\Windows\SysWOW64\Akhcfe32.exe Ahjgjj32.exe File created C:\Windows\SysWOW64\Cjkoqgjn.dll Process not Found File created C:\Windows\SysWOW64\Bqbijpeo.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lqbncb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oaqbkn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Njogjfoj.exe Ngpjnkpf.exe File created C:\Windows\SysWOW64\Dahode32.exe Dojcgi32.exe File created C:\Windows\SysWOW64\Flnlhk32.exe Fdgdgnbm.exe File created C:\Windows\SysWOW64\Mlpeff32.exe Mibijk32.exe File opened for modification C:\Windows\SysWOW64\Qemhbj32.exe Process not Found File created C:\Windows\SysWOW64\Kjonng32.dll Pkhjph32.exe File created C:\Windows\SysWOW64\Jfdida32.exe Jagqlj32.exe File created C:\Windows\SysWOW64\Ljfemn32.dll Nbhkac32.exe File created C:\Windows\SysWOW64\Keajjc32.dll Hioiji32.exe File created C:\Windows\SysWOW64\Fnmnbf32.dll Ddonekbl.exe File created C:\Windows\SysWOW64\Knnckk32.dll Ghipne32.exe File created C:\Windows\SysWOW64\Ffobhg32.exe Fdqfll32.exe File created C:\Windows\SysWOW64\Ahoemi32.dll Process not Found File created C:\Windows\SysWOW64\Bbnpqk32.exe Bjghpn32.exe File created C:\Windows\SysWOW64\Bgempgqo.dll Bbnpqk32.exe File opened for modification C:\Windows\SysWOW64\Hmcojh32.exe Hihbijhn.exe File opened for modification C:\Windows\SysWOW64\Hhlejcpm.exe Hfningai.exe File created C:\Windows\SysWOW64\Gakiqbgc.dll Dmoohe32.exe File opened for modification C:\Windows\SysWOW64\Knippe32.exe Khpgckkb.exe File opened for modification C:\Windows\SysWOW64\Cjnffjkl.exe Cfcjfk32.exe File opened for modification C:\Windows\SysWOW64\Ljobpiql.exe Process not Found File opened for modification C:\Windows\SysWOW64\Alkijdci.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ceoibflm.exe Cbqlfkmi.exe File opened for modification C:\Windows\SysWOW64\Jmhale32.exe Icplcpgo.exe File created C:\Windows\SysWOW64\Dcpmen32.exe Dikihe32.exe File opened for modification C:\Windows\SysWOW64\Jdmgfedl.exe Process not Found File created C:\Windows\SysWOW64\Nfmifiap.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mgimcebb.exe Mpoefk32.exe File created C:\Windows\SysWOW64\Pleaoa32.exe Pflibgil.exe File opened for modification C:\Windows\SysWOW64\Dgejpd32.exe Dpnbog32.exe File created C:\Windows\SysWOW64\Chfegk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mbhamajc.exe Mlnipg32.exe File created C:\Windows\SysWOW64\Hammhcij.exe Hnaqgd32.exe File created C:\Windows\SysWOW64\Bchign32.dll Process not Found File created C:\Windows\SysWOW64\Peeafpaf.dll Gqdbiofi.exe File created C:\Windows\SysWOW64\Famjkl32.exe Fnaokmco.exe File opened for modification C:\Windows\SysWOW64\Meiioonj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qdaniq32.exe Process not Found File created C:\Windows\SysWOW64\Kkkdan32.exe Kbdmpqcb.exe File opened for modification C:\Windows\SysWOW64\Iijaka32.exe Ifleoe32.exe File opened for modification C:\Windows\SysWOW64\Kflnfcgg.exe Knefeffd.exe File created C:\Windows\SysWOW64\Jlmfeg32.exe Process not Found File created C:\Windows\SysWOW64\Hhhdjbno.dll Process not Found File created C:\Windows\SysWOW64\Cnkkjh32.exe Process not Found File created C:\Windows\SysWOW64\Ahdpjn32.exe Process not Found File created C:\Windows\SysWOW64\Cilkoi32.dll Cbqlfkmi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14860 13444 Process not Found 1593 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngiehn32.dll" Fodeolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Meiaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncfmno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefekh32.dll" Fdhcgaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjnafk32.dll" Mbighjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpghll32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lflgmqhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhcjqinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhghaf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll" Iikopmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmamoe32.dll" Jfcbjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cgcmjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmklen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ogogoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgnnai32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcjkaiib.dll" Andgoobc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mibijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bckkca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqhimici.dll" Ehnglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbbfdfkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll" Liggbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnlgjdd.dll" Mpghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jnkldqkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkljb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mnocof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll" Bmpcfdmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfiafg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ogmijllo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllbndih.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll" Kipabjil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kcifkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll" Maohkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afgacokc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bggnof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeedjegm.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gimjhafg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckedalaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jiokfpph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bpnihiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfmjef32.dll" Pibdmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifclaeem.dll" Oqbamo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hchcofhp.dll" Ocqnij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jmpgldhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkpcjeml.dll" Dmbbhkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jkfkfohj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dleglm32.dll" Pgbbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Edhakj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oenlqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fboqkn32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bcfahbpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2156 wrote to memory of 3528 2156 a86577be993c66d8f03c814a08f4bff0_NeikiAnalytics.exe 82 PID 2156 wrote to memory of 3528 2156 a86577be993c66d8f03c814a08f4bff0_NeikiAnalytics.exe 82 PID 2156 wrote to memory of 3528 2156 a86577be993c66d8f03c814a08f4bff0_NeikiAnalytics.exe 82 PID 3528 wrote to memory of 5072 3528 Dagiil32.exe 83 PID 3528 wrote to memory of 5072 3528 Dagiil32.exe 83 PID 3528 wrote to memory of 5072 3528 Dagiil32.exe 83 PID 5072 wrote to memory of 3424 5072 Dcfebonm.exe 84 PID 5072 wrote to memory of 3424 5072 Dcfebonm.exe 84 PID 5072 wrote to memory of 3424 5072 Dcfebonm.exe 84 PID 3424 wrote to memory of 3032 3424 Dpjflb32.exe 85 PID 3424 wrote to memory of 3032 3424 Dpjflb32.exe 85 PID 3424 wrote to memory of 3032 3424 Dpjflb32.exe 85 PID 3032 wrote to memory of 1416 3032 Dchbhn32.exe 86 PID 3032 wrote to memory of 1416 3032 Dchbhn32.exe 86 PID 3032 wrote to memory of 1416 3032 Dchbhn32.exe 86 PID 1416 wrote to memory of 792 1416 Efikji32.exe 87 PID 1416 wrote to memory of 792 1416 Efikji32.exe 87 PID 1416 wrote to memory of 792 1416 Efikji32.exe 87 PID 792 wrote to memory of 1688 792 Epopgbia.exe 88 PID 792 wrote to memory of 1688 792 Epopgbia.exe 88 PID 792 wrote to memory of 1688 792 Epopgbia.exe 88 PID 1688 wrote to memory of 392 1688 Ehjdldfl.exe 90 PID 1688 wrote to memory of 392 1688 Ehjdldfl.exe 90 PID 1688 wrote to memory of 392 1688 Ehjdldfl.exe 90 PID 392 wrote to memory of 1592 392 Ecphimfb.exe 91 PID 392 wrote to memory of 1592 392 Ecphimfb.exe 91 PID 392 wrote to memory of 1592 392 Ecphimfb.exe 91 PID 1592 wrote to memory of 3656 1592 Ebeejijj.exe 92 PID 1592 wrote to memory of 3656 1592 Ebeejijj.exe 92 PID 1592 wrote to memory of 3656 1592 Ebeejijj.exe 92 PID 3656 wrote to memory of 60 3656 Ecdbdl32.exe 94 PID 3656 wrote to memory of 60 3656 Ecdbdl32.exe 94 PID 3656 wrote to memory of 60 3656 Ecdbdl32.exe 94 PID 60 wrote to memory of 452 60 Ffbnph32.exe 95 PID 60 wrote to memory of 452 60 Ffbnph32.exe 95 PID 60 wrote to memory of 452 60 Ffbnph32.exe 95 PID 452 wrote to memory of 5068 452 Fokbim32.exe 97 PID 452 wrote to memory of 5068 452 Fokbim32.exe 97 PID 452 wrote to memory of 5068 452 Fokbim32.exe 97 PID 5068 wrote to memory of 4904 5068 Fqkocpod.exe 98 PID 5068 wrote to memory of 4904 5068 Fqkocpod.exe 98 PID 5068 wrote to memory of 4904 5068 Fqkocpod.exe 98 PID 4904 wrote to memory of 4076 4904 Fbllkh32.exe 99 PID 4904 wrote to memory of 4076 4904 Fbllkh32.exe 99 PID 4904 wrote to memory of 4076 4904 Fbllkh32.exe 99 PID 4076 wrote to memory of 3068 4076 Fopldmcl.exe 100 PID 4076 wrote to memory of 3068 4076 Fopldmcl.exe 100 PID 4076 wrote to memory of 3068 4076 Fopldmcl.exe 100 PID 3068 wrote to memory of 2412 3068 Fihqmb32.exe 101 PID 3068 wrote to memory of 2412 3068 Fihqmb32.exe 101 PID 3068 wrote to memory of 2412 3068 Fihqmb32.exe 101 PID 2412 wrote to memory of 3512 2412 Fqohnp32.exe 102 PID 2412 wrote to memory of 3512 2412 Fqohnp32.exe 102 PID 2412 wrote to memory of 3512 2412 Fqohnp32.exe 102 PID 3512 wrote to memory of 2316 3512 Fodeolof.exe 103 PID 3512 wrote to memory of 2316 3512 Fodeolof.exe 103 PID 3512 wrote to memory of 2316 3512 Fodeolof.exe 103 PID 2316 wrote to memory of 4932 2316 Gimjhafg.exe 104 PID 2316 wrote to memory of 4932 2316 Gimjhafg.exe 104 PID 2316 wrote to memory of 4932 2316 Gimjhafg.exe 104 PID 4932 wrote to memory of 4576 4932 Gqdbiofi.exe 105 PID 4932 wrote to memory of 4576 4932 Gqdbiofi.exe 105 PID 4932 wrote to memory of 4576 4932 Gqdbiofi.exe 105 PID 4576 wrote to memory of 1256 4576 Gfqjafdq.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\a86577be993c66d8f03c814a08f4bff0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a86577be993c66d8f03c814a08f4bff0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe23⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe24⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe25⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe26⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe27⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Gbjhlfhb.exeC:\Windows\system32\Gbjhlfhb.exe28⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe29⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe30⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe31⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe32⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe33⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe35⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe36⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe37⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe38⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe39⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe40⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe41⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe42⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe43⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe44⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe45⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe46⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe47⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe48⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe49⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe50⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe51⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe52⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe53⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe54⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe56⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe57⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe58⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe59⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe60⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe61⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe62⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe63⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe65⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe66⤵PID:4448
-
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe67⤵PID:1812
-
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe68⤵PID:4776
-
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe69⤵PID:4352
-
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe70⤵PID:4856
-
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe71⤵PID:3612
-
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe72⤵
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe73⤵PID:2040
-
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe74⤵PID:2160
-
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4188 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe76⤵PID:4980
-
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe77⤵PID:2108
-
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe78⤵
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4172 -
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe80⤵PID:1484
-
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe81⤵PID:864
-
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe82⤵PID:4052
-
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe83⤵PID:1168
-
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe84⤵PID:3572
-
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe85⤵PID:4152
-
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe86⤵PID:3600
-
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe87⤵PID:4064
-
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe88⤵PID:4884
-
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe89⤵PID:3740
-
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe90⤵
- Modifies registry class
PID:4092 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe91⤵PID:1488
-
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe92⤵PID:3240
-
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe93⤵PID:5160
-
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe94⤵PID:5204
-
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe95⤵
- Drops file in System32 directory
PID:5244 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe96⤵PID:5284
-
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe97⤵PID:5324
-
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe98⤵PID:5364
-
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe99⤵PID:5396
-
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe100⤵
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe101⤵PID:5484
-
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe102⤵PID:5528
-
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe103⤵
- Modifies registry class
PID:5564 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe104⤵PID:5608
-
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe105⤵PID:5648
-
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe106⤵PID:5684
-
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe107⤵PID:5728
-
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe108⤵PID:5764
-
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe109⤵PID:5808
-
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe110⤵PID:5852
-
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe111⤵PID:5888
-
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe112⤵PID:5932
-
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe113⤵
- Modifies registry class
PID:5968 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe114⤵PID:6016
-
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe115⤵PID:6052
-
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe116⤵PID:6092
-
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe117⤵PID:6132
-
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe118⤵PID:5136
-
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe119⤵PID:5252
-
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe120⤵PID:5312
-
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe121⤵PID:5384
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-