Analysis
-
max time kernel
122s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14-05-2024 21:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2cb3534eee8411ae9bc7db1db5491be0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
2cb3534eee8411ae9bc7db1db5491be0_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
2cb3534eee8411ae9bc7db1db5491be0_NeikiAnalytics.exe
-
Size
80KB
-
MD5
2cb3534eee8411ae9bc7db1db5491be0
-
SHA1
d8a92795e44373e673e9e5fbe8c2c959d647dc4f
-
SHA256
d8eee795e3bf259c746facf8db017f6b0846ae0a8f067f1aa28ec730e7645aec
-
SHA512
571b2affbb85b60cfdbacb90172adfccd28438f4a36bf3181c3aa3a0ce5ee558535c70688c0d1baa27f991589b52d78a9ce54ff24e2c44896d2643a21e59ffbf
-
SSDEEP
1536:4cAo1I5aGjUzJcDkXqZmCxS0g4vIuXTXHW7LZUCv2LZaIZTJ+7LhkiB0:4be+aGjUzJcDkXqZmCxS0RvIuXTm7Lqy
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbdfgilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikfdkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efoifiep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikjjda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokdja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdecea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bddbjhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfmqmgbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcflko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lchqcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padccpal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiaqle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijehdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiffh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpbmqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dekdikhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lidgcclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpmjcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqeomfgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dahkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jefbnacn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhakcfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgeaoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbagipfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqlhkofn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeclebja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbnocipg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qanmcdlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeghng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfmgelil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmjnak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Melifl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeindm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddbjhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqiqjlga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgfooe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcidkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpbdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdjccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmcopebh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famaimfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lidgcclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhoeii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qndkpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clojhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnpjkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jegdgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egjbdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijmipn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfglep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkdnhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbpqmfmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bomlppdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhjpnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmpjagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhdjgoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkegah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjcjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohdfqbio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Capdpcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onfoin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olpilg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcalnii.exe -
Executes dropped EXE 64 IoCs
pid Process 2468 Bekmle32.exe 2588 Cpcnonob.exe 2892 Cbdgqimc.exe 2544 Cdgpnqpo.exe 2448 Cmpdgf32.exe 880 Dgjfek32.exe 2356 Dpcjnabn.exe 2276 Dllhhaep.exe 2656 Dedlag32.exe 1612 Eheecbia.exe 2176 Egjbdo32.exe 1676 Egokonjc.exe 1180 Ecfldoph.exe 552 Fffefjmi.exe 680 Ffibkj32.exe 2732 Fkhgip32.exe 2896 Findhdcb.exe 1772 Gqiimfam.exe 1688 Ggcaiqhj.exe 2948 Gmpjagfa.exe 924 Gqnbhf32.exe 540 Gfmgelil.exe 1708 Gpelnb32.exe 576 Hbfepmmn.exe 1920 Hloiib32.exe 2560 Hjdfjo32.exe 2984 Heikgh32.exe 2628 Hdoghdmd.exe 2380 Hmglajcd.exe 2400 Iphecepe.exe 1564 Ijmipn32.exe 2864 Ilabmedg.exe 1072 Ifffkncm.exe 568 Jhjphfgi.exe 1452 Jkpbdq32.exe 1200 Kdjccf32.exe 2168 Kjglkm32.exe 2280 Kjihalag.exe 1636 Kcamjb32.exe 1300 Kkmand32.exe 2644 Kdefgj32.exe 2708 Knnkpobc.exe 2216 Kgfoie32.exe 3004 Lblcfnhj.exe 2028 Lhelbh32.exe 1584 Lqqpgj32.exe 1724 Lgkhdddo.exe 488 Lcaiiejc.exe 2868 Lmjnak32.exe 884 Lfbbjpgd.exe 1988 Lokgcf32.exe 2252 Mkaghg32.exe 2504 Mkddnf32.exe 2532 Mbnljqic.exe 2700 Melifl32.exe 2820 Macilmnk.exe 2832 Mlhnifmq.exe 2100 Meabakda.exe 2016 Nmlgfnal.exe 908 Nhakcfab.exe 1768 Najpll32.exe 1492 Njbdea32.exe 2140 Nigafnck.exe 2132 Ndmecgba.exe -
Loads dropped DLL 64 IoCs
pid Process 2456 2cb3534eee8411ae9bc7db1db5491be0_NeikiAnalytics.exe 2456 2cb3534eee8411ae9bc7db1db5491be0_NeikiAnalytics.exe 2468 Bekmle32.exe 2468 Bekmle32.exe 2588 Cpcnonob.exe 2588 Cpcnonob.exe 2892 Cbdgqimc.exe 2892 Cbdgqimc.exe 2544 Cdgpnqpo.exe 2544 Cdgpnqpo.exe 2448 Cmpdgf32.exe 2448 Cmpdgf32.exe 880 Dgjfek32.exe 880 Dgjfek32.exe 2356 Dpcjnabn.exe 2356 Dpcjnabn.exe 2276 Dllhhaep.exe 2276 Dllhhaep.exe 2656 Dedlag32.exe 2656 Dedlag32.exe 1612 Eheecbia.exe 1612 Eheecbia.exe 2176 Egjbdo32.exe 2176 Egjbdo32.exe 1676 Egokonjc.exe 1676 Egokonjc.exe 1180 Ecfldoph.exe 1180 Ecfldoph.exe 552 Fffefjmi.exe 552 Fffefjmi.exe 680 Ffibkj32.exe 680 Ffibkj32.exe 2732 Fkhgip32.exe 2732 Fkhgip32.exe 2896 Findhdcb.exe 2896 Findhdcb.exe 1772 Gqiimfam.exe 1772 Gqiimfam.exe 1688 Ggcaiqhj.exe 1688 Ggcaiqhj.exe 2948 Gmpjagfa.exe 2948 Gmpjagfa.exe 924 Gqnbhf32.exe 924 Gqnbhf32.exe 540 Gfmgelil.exe 540 Gfmgelil.exe 1708 Gpelnb32.exe 1708 Gpelnb32.exe 576 Hbfepmmn.exe 576 Hbfepmmn.exe 1920 Hloiib32.exe 1920 Hloiib32.exe 2560 Hjdfjo32.exe 2560 Hjdfjo32.exe 2984 Heikgh32.exe 2984 Heikgh32.exe 2628 Hdoghdmd.exe 2628 Hdoghdmd.exe 2380 Hmglajcd.exe 2380 Hmglajcd.exe 2400 Iphecepe.exe 2400 Iphecepe.exe 1564 Ijmipn32.exe 1564 Ijmipn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nldpgbhe.dll Cbpbgk32.exe File created C:\Windows\SysWOW64\Oapcfo32.exe Nanfqo32.exe File created C:\Windows\SysWOW64\Kipdmjne.dll Bhjpnj32.exe File opened for modification C:\Windows\SysWOW64\Admgglep.exe Aicfgn32.exe File created C:\Windows\SysWOW64\Ggcaiqhj.exe Gqiimfam.exe File opened for modification C:\Windows\SysWOW64\Hqgddm32.exe Gqdgom32.exe File created C:\Windows\SysWOW64\Omiand32.exe Ogliemkk.exe File created C:\Windows\SysWOW64\Mhjcec32.exe Mneohj32.exe File created C:\Windows\SysWOW64\Obgmpo32.dll Bhdhefpc.exe File created C:\Windows\SysWOW64\Pfekjn32.dll Qcjoci32.exe File created C:\Windows\SysWOW64\Pdaemiaj.dll Bbjmpcab.exe File opened for modification C:\Windows\SysWOW64\Klfjpa32.exe Kkdnhi32.exe File created C:\Windows\SysWOW64\Lkdjglfo.exe Lonibk32.exe File created C:\Windows\SysWOW64\Odohol32.dll Obdojcef.exe File opened for modification C:\Windows\SysWOW64\Plmpblnb.exe Ppfomk32.exe File created C:\Windows\SysWOW64\Hfjckino.dll Ijehdl32.exe File created C:\Windows\SysWOW64\Fhdmph32.exe Folhgbid.exe File created C:\Windows\SysWOW64\Iaimld32.dll Llepen32.exe File created C:\Windows\SysWOW64\Bkhjamcf.exe Bapfhg32.exe File created C:\Windows\SysWOW64\Mqmojc32.dll Hpgfmeag.exe File opened for modification C:\Windows\SysWOW64\Hdoghdmd.exe Heikgh32.exe File created C:\Windows\SysWOW64\Qlfgce32.dll Mmicfh32.exe File created C:\Windows\SysWOW64\Hnjblg32.dll Kdkelolf.exe File created C:\Windows\SysWOW64\Mhgacc32.dll Gpjmnh32.exe File created C:\Windows\SysWOW64\Cplffidh.dll Gpmjcg32.exe File opened for modification C:\Windows\SysWOW64\Gcmcebkc.exe Glckihcg.exe File created C:\Windows\SysWOW64\Pjibmbqj.dll Pfkkeq32.exe File created C:\Windows\SysWOW64\Ndlaqocp.dll Gqcnln32.exe File created C:\Windows\SysWOW64\Iichjc32.exe Ipjdameg.exe File opened for modification C:\Windows\SysWOW64\Eknpadcn.exe Eimcjl32.exe File created C:\Windows\SysWOW64\Iilaldhd.dll Dfngll32.exe File created C:\Windows\SysWOW64\Fmaobq32.dll Laodmoep.exe File created C:\Windows\SysWOW64\Knoegqbp.dll Bdcnhk32.exe File created C:\Windows\SysWOW64\Hoiaho32.dll Olophhjd.exe File opened for modification C:\Windows\SysWOW64\Gkalhgfd.exe Gqlhkofn.exe File created C:\Windows\SysWOW64\Mokhho32.dll Mfmqmgbm.exe File opened for modification C:\Windows\SysWOW64\Cmpdgf32.exe Cdgpnqpo.exe File created C:\Windows\SysWOW64\Bddlnn32.dll Kjihalag.exe File created C:\Windows\SysWOW64\Elnlcjph.dll Cenmfbml.exe File created C:\Windows\SysWOW64\Gpjmnh32.exe Geqlnjcf.exe File opened for modification C:\Windows\SysWOW64\Ncfalqpm.exe Njnmbk32.exe File created C:\Windows\SysWOW64\Mmjgpkif.dll Ccpeld32.exe File created C:\Windows\SysWOW64\Iqdekgib.dll Dnefhpma.exe File created C:\Windows\SysWOW64\Eckfklnl.dll Dncibp32.exe File created C:\Windows\SysWOW64\Epeoaffo.exe Eikfdl32.exe File created C:\Windows\SysWOW64\Gfjqal32.dll Pmpdmfff.exe File created C:\Windows\SysWOW64\Jefbnacn.exe Jpjifjdg.exe File opened for modification C:\Windows\SysWOW64\Hijhhl32.exe Gcppkbia.exe File created C:\Windows\SysWOW64\Lokgcf32.exe Lfbbjpgd.exe File created C:\Windows\SysWOW64\Golbnm32.exe Ghajacmo.exe File created C:\Windows\SysWOW64\Pmkhjncg.exe Pbagipfi.exe File opened for modification C:\Windows\SysWOW64\Bdfahaaa.exe Bojipjcj.exe File created C:\Windows\SysWOW64\Bkkioeig.exe Bjiljf32.exe File created C:\Windows\SysWOW64\Liihgqil.dll Gfcnegnk.exe File created C:\Windows\SysWOW64\Ajcbch32.dll Hakkgc32.exe File created C:\Windows\SysWOW64\Lidgcclp.exe Lplbjm32.exe File opened for modification C:\Windows\SysWOW64\Fllaopcg.exe Efoifiep.exe File created C:\Windows\SysWOW64\Nnoiio32.exe Nefdpjkl.exe File opened for modification C:\Windows\SysWOW64\Ohbikbkb.exe Oniebmda.exe File created C:\Windows\SysWOW64\Faphfl32.dll Iipejmko.exe File opened for modification C:\Windows\SysWOW64\Lfbbjpgd.exe Lmjnak32.exe File created C:\Windows\SysWOW64\Fnofjfhk.exe Edfbaabj.exe File opened for modification C:\Windows\SysWOW64\Fnofjfhk.exe Edfbaabj.exe File opened for modification C:\Windows\SysWOW64\Qjgjpi32.exe Qpniokan.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeohkeoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iipejmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebknblho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll" Bqlfaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkhdcccf.dll" Edcqjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfiebi32.dll" Honfqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lokgcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Najpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmmagpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqnocncd.dll" Kndbko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlkglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifibfn.dll" Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igeddb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfmhdpnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pleofj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peqhgmdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gifclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqfaldbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odchbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjogcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnebokc.dll" Kkgahoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbofa32.dll" Lkdjglfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piliii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bomlppdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icoepohq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kffqqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhmdim32.dll" Plmpblnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lillifio.dll" Diaaeepi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onfoin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgfmep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boobki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obhdcanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmpdmfff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geqlnjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdgll32.dll" Eheecbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhbciaki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bapfhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajamfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbflbd32.dll" Bjiljf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkaghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijehdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhdmph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llepen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjcbk32.dll" Lhelbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgcdgcc.dll" Gifclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhcghdk.dll" Dgnjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendoajo.dll" Aomnhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djdjalea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjllk32.dll" Ciohqa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfejjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpefpo32.dll" Qndkpmkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icdcllpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfnoegaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niplmn32.dll" Mlhnifmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imokehhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiokholk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hijhhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qemomb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qndkpmkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plmbkd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2456 wrote to memory of 2468 2456 2cb3534eee8411ae9bc7db1db5491be0_NeikiAnalytics.exe 28 PID 2456 wrote to memory of 2468 2456 2cb3534eee8411ae9bc7db1db5491be0_NeikiAnalytics.exe 28 PID 2456 wrote to memory of 2468 2456 2cb3534eee8411ae9bc7db1db5491be0_NeikiAnalytics.exe 28 PID 2456 wrote to memory of 2468 2456 2cb3534eee8411ae9bc7db1db5491be0_NeikiAnalytics.exe 28 PID 2468 wrote to memory of 2588 2468 Bekmle32.exe 29 PID 2468 wrote to memory of 2588 2468 Bekmle32.exe 29 PID 2468 wrote to memory of 2588 2468 Bekmle32.exe 29 PID 2468 wrote to memory of 2588 2468 Bekmle32.exe 29 PID 2588 wrote to memory of 2892 2588 Cpcnonob.exe 30 PID 2588 wrote to memory of 2892 2588 Cpcnonob.exe 30 PID 2588 wrote to memory of 2892 2588 Cpcnonob.exe 30 PID 2588 wrote to memory of 2892 2588 Cpcnonob.exe 30 PID 2892 wrote to memory of 2544 2892 Cbdgqimc.exe 31 PID 2892 wrote to memory of 2544 2892 Cbdgqimc.exe 31 PID 2892 wrote to memory of 2544 2892 Cbdgqimc.exe 31 PID 2892 wrote to memory of 2544 2892 Cbdgqimc.exe 31 PID 2544 wrote to memory of 2448 2544 Cdgpnqpo.exe 32 PID 2544 wrote to memory of 2448 2544 Cdgpnqpo.exe 32 PID 2544 wrote to memory of 2448 2544 Cdgpnqpo.exe 32 PID 2544 wrote to memory of 2448 2544 Cdgpnqpo.exe 32 PID 2448 wrote to memory of 880 2448 Cmpdgf32.exe 33 PID 2448 wrote to memory of 880 2448 Cmpdgf32.exe 33 PID 2448 wrote to memory of 880 2448 Cmpdgf32.exe 33 PID 2448 wrote to memory of 880 2448 Cmpdgf32.exe 33 PID 880 wrote to memory of 2356 880 Dgjfek32.exe 34 PID 880 wrote to memory of 2356 880 Dgjfek32.exe 34 PID 880 wrote to memory of 2356 880 Dgjfek32.exe 34 PID 880 wrote to memory of 2356 880 Dgjfek32.exe 34 PID 2356 wrote to memory of 2276 2356 Dpcjnabn.exe 35 PID 2356 wrote to memory of 2276 2356 Dpcjnabn.exe 35 PID 2356 wrote to memory of 2276 2356 Dpcjnabn.exe 35 PID 2356 wrote to memory of 2276 2356 Dpcjnabn.exe 35 PID 2276 wrote to memory of 2656 2276 Dllhhaep.exe 36 PID 2276 wrote to memory of 2656 2276 Dllhhaep.exe 36 PID 2276 wrote to memory of 2656 2276 Dllhhaep.exe 36 PID 2276 wrote to memory of 2656 2276 Dllhhaep.exe 36 PID 2656 wrote to memory of 1612 2656 Dedlag32.exe 37 PID 2656 wrote to memory of 1612 2656 Dedlag32.exe 37 PID 2656 wrote to memory of 1612 2656 Dedlag32.exe 37 PID 2656 wrote to memory of 1612 2656 Dedlag32.exe 37 PID 1612 wrote to memory of 2176 1612 Eheecbia.exe 38 PID 1612 wrote to memory of 2176 1612 Eheecbia.exe 38 PID 1612 wrote to memory of 2176 1612 Eheecbia.exe 38 PID 1612 wrote to memory of 2176 1612 Eheecbia.exe 38 PID 2176 wrote to memory of 1676 2176 Egjbdo32.exe 39 PID 2176 wrote to memory of 1676 2176 Egjbdo32.exe 39 PID 2176 wrote to memory of 1676 2176 Egjbdo32.exe 39 PID 2176 wrote to memory of 1676 2176 Egjbdo32.exe 39 PID 1676 wrote to memory of 1180 1676 Egokonjc.exe 40 PID 1676 wrote to memory of 1180 1676 Egokonjc.exe 40 PID 1676 wrote to memory of 1180 1676 Egokonjc.exe 40 PID 1676 wrote to memory of 1180 1676 Egokonjc.exe 40 PID 1180 wrote to memory of 552 1180 Ecfldoph.exe 41 PID 1180 wrote to memory of 552 1180 Ecfldoph.exe 41 PID 1180 wrote to memory of 552 1180 Ecfldoph.exe 41 PID 1180 wrote to memory of 552 1180 Ecfldoph.exe 41 PID 552 wrote to memory of 680 552 Fffefjmi.exe 42 PID 552 wrote to memory of 680 552 Fffefjmi.exe 42 PID 552 wrote to memory of 680 552 Fffefjmi.exe 42 PID 552 wrote to memory of 680 552 Fffefjmi.exe 42 PID 680 wrote to memory of 2732 680 Ffibkj32.exe 43 PID 680 wrote to memory of 2732 680 Ffibkj32.exe 43 PID 680 wrote to memory of 2732 680 Ffibkj32.exe 43 PID 680 wrote to memory of 2732 680 Ffibkj32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2cb3534eee8411ae9bc7db1db5491be0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2cb3534eee8411ae9bc7db1db5491be0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Cmpdgf32.exeC:\Windows\system32\Cmpdgf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Dpcjnabn.exeC:\Windows\system32\Dpcjnabn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Eheecbia.exeC:\Windows\system32\Eheecbia.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1772 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:924 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:540 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe33⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe34⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe35⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe38⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe40⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Kkmand32.exeC:\Windows\system32\Kkmand32.exe41⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe42⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe43⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe44⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe45⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe47⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe48⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe49⤵
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1484 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe55⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe56⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Melifl32.exeC:\Windows\system32\Melifl32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe58⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe60⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe61⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe64⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe65⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe66⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe67⤵PID:1568
-
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe68⤵PID:2676
-
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe69⤵
- Drops file in System32 directory
PID:476 -
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe70⤵PID:800
-
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe71⤵PID:2232
-
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe72⤵
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe73⤵PID:1532
-
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe74⤵PID:912
-
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe75⤵PID:2032
-
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe76⤵PID:2012
-
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe77⤵PID:2800
-
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe78⤵
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe79⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe80⤵PID:2528
-
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe81⤵PID:2420
-
C:\Windows\SysWOW64\Popeif32.exeC:\Windows\system32\Popeif32.exe82⤵PID:2824
-
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe83⤵PID:1672
-
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe84⤵PID:1660
-
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe85⤵PID:2360
-
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe86⤵PID:2144
-
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe87⤵PID:1800
-
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe88⤵PID:1640
-
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe89⤵PID:868
-
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe90⤵PID:2208
-
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe91⤵PID:1968
-
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe92⤵PID:2880
-
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe93⤵PID:1444
-
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe94⤵PID:320
-
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe95⤵PID:3024
-
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe96⤵PID:2204
-
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe97⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe98⤵
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe99⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe100⤵PID:2608
-
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe101⤵PID:1164
-
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe102⤵PID:1744
-
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe103⤵PID:2320
-
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe104⤵PID:2184
-
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe105⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1872 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe107⤵PID:2624
-
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe108⤵PID:2980
-
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe109⤵PID:1440
-
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe110⤵PID:3052
-
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe111⤵
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe112⤵PID:1976
-
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe113⤵PID:2036
-
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe114⤵PID:2136
-
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe115⤵
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Fnofjfhk.exeC:\Windows\system32\Fnofjfhk.exe116⤵PID:1900
-
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe118⤵PID:1496
-
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe119⤵PID:1868
-
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe120⤵PID:2444
-
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe121⤵PID:1696
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-