Analysis
-
max time kernel
139s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
16-05-2024 10:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d9acdfed0edc701271157ead12e3a330_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
d9acdfed0edc701271157ead12e3a330_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
d9acdfed0edc701271157ead12e3a330_NeikiAnalytics.exe
-
Size
59KB
-
MD5
d9acdfed0edc701271157ead12e3a330
-
SHA1
476f667396fc7849f4dec5aeb0e3cf4eff1c3d31
-
SHA256
17aa7c41b12572d596d0b7132f807965e71e8e7c7f3eb3b7ea3b6f3d14759b11
-
SHA512
5daf46a4138339cbeba31424d10e1cb4d4ffbcc708db62b204c95547794fc465c5470aa3ff70829451433ae9027f4a8acc2a27b1a5ca0bc16d69aad95adbbe91
-
SSDEEP
768:D5OTiSYVzzcvtL/jhZDNVpEx962xJNv+an5W+Q0XvZ/1H5A5nf1fZMEBFELvkVgs:BSYV/cvJ/jLDbpEx9jTNmyFD7mNCyVso
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgdbnmji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkihknfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aodfajaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkgmcjld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcbbmif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbekqdjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ginnfgop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjjbcbqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkcboack.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfgjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chdkoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flceckoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbabgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackigjmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inmpcc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmhgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baaplhef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgeaifia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdafkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baocghgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbdmaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkhgmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fopldmcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aejfpjne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqmlknnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aejfpjne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnhnaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmkdlkph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iohjlmeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqfeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffjdqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffjdqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aglemn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejegjh32.exe -
Executes dropped EXE 64 IoCs
pid Process 4868 Dcdimopp.exe 1308 Debeijoc.exe 952 Dllmfd32.exe 4140 Dokjbp32.exe 2140 Daifnk32.exe 1168 Djpnohej.exe 3704 Dhcnke32.exe 3952 Dpjflb32.exe 4584 Ejbkehcg.exe 4412 Ehekqe32.exe 3556 Epmcab32.exe 1244 Eckonn32.exe 2056 Efikji32.exe 2292 Ejegjh32.exe 2940 Ehhgfdho.exe 1548 Eoapbo32.exe 2180 Eflhoigi.exe 3800 Ejgdpg32.exe 4492 Eleplc32.exe 2544 Ecphimfb.exe 1628 Efneehef.exe 2316 Elhmablc.exe 2224 Ecbenm32.exe 3876 Ejlmkgkl.exe 5056 Ehonfc32.exe 1812 Eqfeha32.exe 3616 Fbgbpihg.exe 2064 Ffbnph32.exe 232 Fmmfmbhn.exe 3860 Fcgoilpj.exe 4888 Ficgacna.exe 696 Fqkocpod.exe 3588 Fbllkh32.exe 3032 Fifdgblo.exe 4344 Fqmlhpla.exe 4060 Fopldmcl.exe 3988 Fbnhphbp.exe 4748 Ffjdqg32.exe 4656 Fihqmb32.exe 4556 Fmclmabe.exe 2424 Fobiilai.exe 2376 Fbqefhpm.exe 4812 Fjhmgeao.exe 2384 Fqaeco32.exe 4012 Gcpapkgp.exe 1964 Gbcakg32.exe 1632 Gimjhafg.exe 4896 Gqdbiofi.exe 4000 Gcbnejem.exe 2912 Gfqjafdq.exe 4768 Gmkbnp32.exe 2744 Goiojk32.exe 4516 Gcekkjcj.exe 4512 Gbgkfg32.exe 5108 Giacca32.exe 4692 Gmmocpjk.exe 4036 Gqikdn32.exe 2752 Gbjhlfhb.exe 4864 Gfedle32.exe 3204 Gjapmdid.exe 1080 Gmoliohh.exe 4824 Gpnhekgl.exe 4112 Gcidfi32.exe 4560 Gfhqbe32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ihpcinld.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iamamcop.exe Process not Found File created C:\Windows\SysWOW64\Nincmhle.dll Likcilhh.exe File opened for modification C:\Windows\SysWOW64\Oigllh32.exe Oghppm32.exe File opened for modification C:\Windows\SysWOW64\Gihgfk32.exe Process not Found File created C:\Windows\SysWOW64\Ljeafb32.exe Process not Found File created C:\Windows\SysWOW64\Ocfgbfdm.dll Process not Found File created C:\Windows\SysWOW64\Efmolq32.dll Acjclpcf.exe File opened for modification C:\Windows\SysWOW64\Jgpmmp32.exe Process not Found File created C:\Windows\SysWOW64\Pqlhmf32.dll Process not Found File created C:\Windows\SysWOW64\Ijkljp32.exe Idacmfkj.exe File created C:\Windows\SysWOW64\Hfningai.exe Hnfamjqg.exe File created C:\Windows\SysWOW64\Pimfpc32.exe Process not Found File created C:\Windows\SysWOW64\Pcjapi32.exe Odgqdlnj.exe File opened for modification C:\Windows\SysWOW64\Jiaglp32.exe Jeekkafl.exe File created C:\Windows\SysWOW64\Nagbfo32.dll Opemca32.exe File opened for modification C:\Windows\SysWOW64\Bfhadc32.exe Bgeaifia.exe File created C:\Windows\SysWOW64\Peieba32.exe Process not Found File created C:\Windows\SysWOW64\Hekgfj32.exe Process not Found File created C:\Windows\SysWOW64\Bkjlibkf.dll Mlhbal32.exe File opened for modification C:\Windows\SysWOW64\Eiildjag.exe Efkphnbd.exe File created C:\Windows\SysWOW64\Oikjkc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Edemkd32.exe Epjajeqo.exe File opened for modification C:\Windows\SysWOW64\Poliea32.exe Process not Found File created C:\Windows\SysWOW64\Nmocfo32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pmaffnce.exe Process not Found File created C:\Windows\SysWOW64\Efeichoo.dll Process not Found File created C:\Windows\SysWOW64\Ecjhcg32.exe Elppfmoo.exe File opened for modification C:\Windows\SysWOW64\Dfmcfp32.exe Dpckjfgg.exe File opened for modification C:\Windows\SysWOW64\Oldamm32.exe Process not Found File created C:\Windows\SysWOW64\Filapfbo.exe Process not Found File created C:\Windows\SysWOW64\Jpphah32.dll Jfeopj32.exe File created C:\Windows\SysWOW64\Kikdcj32.dll Process not Found File created C:\Windows\SysWOW64\Enjgeopm.dll Process not Found File created C:\Windows\SysWOW64\Fhqcam32.exe Fafkecel.exe File created C:\Windows\SysWOW64\Bgcknmop.exe Bjokdipf.exe File created C:\Windows\SysWOW64\Dcnfjkma.dll Process not Found File created C:\Windows\SysWOW64\Ogqnnn32.dll Dhkapp32.exe File created C:\Windows\SysWOW64\Kpjccmbf.dll Process not Found File created C:\Windows\SysWOW64\Okilfdgl.dll Dpckjfgg.exe File opened for modification C:\Windows\SysWOW64\Kcejco32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bopgjmhe.exe Blbknaib.exe File created C:\Windows\SysWOW64\Alcidkmm.dll Ddmaok32.exe File opened for modification C:\Windows\SysWOW64\Ajneip32.exe Alkdnboj.exe File opened for modification C:\Windows\SysWOW64\Mmpijp32.exe Mgfqmfde.exe File opened for modification C:\Windows\SysWOW64\Okgaijaj.exe Process not Found File created C:\Windows\SysWOW64\Dcoffg32.dll Process not Found File created C:\Windows\SysWOW64\Lomjicei.exe Process not Found File created C:\Windows\SysWOW64\Jgefkimp.dll Mlefklpj.exe File opened for modification C:\Windows\SysWOW64\Nhpiafnm.exe Nebmekoi.exe File opened for modification C:\Windows\SysWOW64\Dcjnoece.exe Dmpfbk32.exe File created C:\Windows\SysWOW64\Phigif32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ocdjpmac.exe Opemca32.exe File created C:\Windows\SysWOW64\Haplhc32.dll Knflpoqf.exe File opened for modification C:\Windows\SysWOW64\Aoabad32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fopldmcl.exe Fqmlhpla.exe File opened for modification C:\Windows\SysWOW64\Kmegbjgn.exe Jkfkfohj.exe File opened for modification C:\Windows\SysWOW64\Kjpijpdg.exe Kgamnded.exe File created C:\Windows\SysWOW64\Liqihglg.exe Lajagj32.exe File opened for modification C:\Windows\SysWOW64\Kgiiiidd.exe Process not Found File created C:\Windows\SysWOW64\Nnjlpo32.exe Ndaggimg.exe File opened for modification C:\Windows\SysWOW64\Jbaojpgb.exe Jnfcia32.exe File opened for modification C:\Windows\SysWOW64\Dggbcf32.exe Process not Found File created C:\Windows\SysWOW64\Lemkcnaa.exe Lbnngbbn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2724 6652 Process not Found 2189 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll" Melnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkobjpin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncjginjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll" Kgphpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefqkm32.dll" Pcpikkge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbmemif.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaepqjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmqgpgoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkpihfh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgffoo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiqnh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll" Mpjlklok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieliebnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iankhggi.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll" Qcgffqei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplpihjd.dll" Dcjnoece.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdcjlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmkcqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnhpoamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffkpn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokgcbe.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjfof32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll" Gbgkfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienanm32.dll" Cbqlfkmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqpgdfnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iedonm32.dll" Ehhgfdho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednhgjia.dll" Dfoplpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebkgjkg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dleglm32.dll" Pedbahod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmbiamhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll" Mpdelajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcldc32.dll" Fdcjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfkjii32.dll" Jhlgfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjmgfgdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmmde32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mimpolee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbenoa32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffgqqaip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klmpiiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjhfnccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dllmfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll" Kmnjhioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeeobqbq.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqncedbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfqgab32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3908 wrote to memory of 4868 3908 d9acdfed0edc701271157ead12e3a330_NeikiAnalytics.exe 82 PID 3908 wrote to memory of 4868 3908 d9acdfed0edc701271157ead12e3a330_NeikiAnalytics.exe 82 PID 3908 wrote to memory of 4868 3908 d9acdfed0edc701271157ead12e3a330_NeikiAnalytics.exe 82 PID 4868 wrote to memory of 1308 4868 Dcdimopp.exe 83 PID 4868 wrote to memory of 1308 4868 Dcdimopp.exe 83 PID 4868 wrote to memory of 1308 4868 Dcdimopp.exe 83 PID 1308 wrote to memory of 952 1308 Debeijoc.exe 84 PID 1308 wrote to memory of 952 1308 Debeijoc.exe 84 PID 1308 wrote to memory of 952 1308 Debeijoc.exe 84 PID 952 wrote to memory of 4140 952 Dllmfd32.exe 85 PID 952 wrote to memory of 4140 952 Dllmfd32.exe 85 PID 952 wrote to memory of 4140 952 Dllmfd32.exe 85 PID 4140 wrote to memory of 2140 4140 Dokjbp32.exe 86 PID 4140 wrote to memory of 2140 4140 Dokjbp32.exe 86 PID 4140 wrote to memory of 2140 4140 Dokjbp32.exe 86 PID 2140 wrote to memory of 1168 2140 Daifnk32.exe 87 PID 2140 wrote to memory of 1168 2140 Daifnk32.exe 87 PID 2140 wrote to memory of 1168 2140 Daifnk32.exe 87 PID 1168 wrote to memory of 3704 1168 Djpnohej.exe 88 PID 1168 wrote to memory of 3704 1168 Djpnohej.exe 88 PID 1168 wrote to memory of 3704 1168 Djpnohej.exe 88 PID 3704 wrote to memory of 3952 3704 Dhcnke32.exe 89 PID 3704 wrote to memory of 3952 3704 Dhcnke32.exe 89 PID 3704 wrote to memory of 3952 3704 Dhcnke32.exe 89 PID 3952 wrote to memory of 4584 3952 Dpjflb32.exe 90 PID 3952 wrote to memory of 4584 3952 Dpjflb32.exe 90 PID 3952 wrote to memory of 4584 3952 Dpjflb32.exe 90 PID 4584 wrote to memory of 4412 4584 Ejbkehcg.exe 91 PID 4584 wrote to memory of 4412 4584 Ejbkehcg.exe 91 PID 4584 wrote to memory of 4412 4584 Ejbkehcg.exe 91 PID 4412 wrote to memory of 3556 4412 Ehekqe32.exe 92 PID 4412 wrote to memory of 3556 4412 Ehekqe32.exe 92 PID 4412 wrote to memory of 3556 4412 Ehekqe32.exe 92 PID 3556 wrote to memory of 1244 3556 Epmcab32.exe 93 PID 3556 wrote to memory of 1244 3556 Epmcab32.exe 93 PID 3556 wrote to memory of 1244 3556 Epmcab32.exe 93 PID 1244 wrote to memory of 2056 1244 Eckonn32.exe 95 PID 1244 wrote to memory of 2056 1244 Eckonn32.exe 95 PID 1244 wrote to memory of 2056 1244 Eckonn32.exe 95 PID 2056 wrote to memory of 2292 2056 Efikji32.exe 96 PID 2056 wrote to memory of 2292 2056 Efikji32.exe 96 PID 2056 wrote to memory of 2292 2056 Efikji32.exe 96 PID 2292 wrote to memory of 2940 2292 Ejegjh32.exe 97 PID 2292 wrote to memory of 2940 2292 Ejegjh32.exe 97 PID 2292 wrote to memory of 2940 2292 Ejegjh32.exe 97 PID 2940 wrote to memory of 1548 2940 Ehhgfdho.exe 98 PID 2940 wrote to memory of 1548 2940 Ehhgfdho.exe 98 PID 2940 wrote to memory of 1548 2940 Ehhgfdho.exe 98 PID 1548 wrote to memory of 2180 1548 Eoapbo32.exe 100 PID 1548 wrote to memory of 2180 1548 Eoapbo32.exe 100 PID 1548 wrote to memory of 2180 1548 Eoapbo32.exe 100 PID 2180 wrote to memory of 3800 2180 Eflhoigi.exe 101 PID 2180 wrote to memory of 3800 2180 Eflhoigi.exe 101 PID 2180 wrote to memory of 3800 2180 Eflhoigi.exe 101 PID 3800 wrote to memory of 4492 3800 Ejgdpg32.exe 102 PID 3800 wrote to memory of 4492 3800 Ejgdpg32.exe 102 PID 3800 wrote to memory of 4492 3800 Ejgdpg32.exe 102 PID 4492 wrote to memory of 2544 4492 Eleplc32.exe 103 PID 4492 wrote to memory of 2544 4492 Eleplc32.exe 103 PID 4492 wrote to memory of 2544 4492 Eleplc32.exe 103 PID 2544 wrote to memory of 1628 2544 Ecphimfb.exe 104 PID 2544 wrote to memory of 1628 2544 Ecphimfb.exe 104 PID 2544 wrote to memory of 1628 2544 Ecphimfb.exe 104 PID 1628 wrote to memory of 2316 1628 Efneehef.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9acdfed0edc701271157ead12e3a330_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d9acdfed0edc701271157ead12e3a330_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe23⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe24⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe25⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe26⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe28⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe29⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe30⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe31⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe32⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe33⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe34⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe35⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4344 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe38⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe40⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe41⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe42⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe43⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Fjhmgeao.exeC:\Windows\system32\Fjhmgeao.exe44⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe45⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe46⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe47⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe48⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe49⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe50⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe51⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe52⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe53⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe54⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Gbgkfg32.exeC:\Windows\system32\Gbgkfg32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4512 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe56⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Gmmocpjk.exeC:\Windows\system32\Gmmocpjk.exe57⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe58⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Gbjhlfhb.exeC:\Windows\system32\Gbjhlfhb.exe59⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe60⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe61⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe62⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe63⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe64⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe65⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe66⤵PID:3328
-
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe67⤵PID:4484
-
C:\Windows\SysWOW64\Hclakimb.exeC:\Windows\system32\Hclakimb.exe68⤵PID:1776
-
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe69⤵PID:3332
-
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe70⤵PID:3248
-
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe71⤵PID:1916
-
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe72⤵PID:1252
-
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe73⤵
- Modifies registry class
PID:60 -
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe74⤵PID:4504
-
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe75⤵PID:4828
-
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe76⤵PID:4664
-
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe77⤵PID:1592
-
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5000 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe79⤵PID:1404
-
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe80⤵PID:4840
-
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe81⤵PID:4380
-
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe82⤵PID:1948
-
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe83⤵PID:3572
-
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe84⤵PID:2876
-
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe85⤵PID:336
-
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe86⤵PID:4048
-
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe87⤵PID:2108
-
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe88⤵PID:1488
-
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe89⤵PID:2488
-
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe90⤵PID:1828
-
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe91⤵PID:3624
-
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe92⤵PID:2136
-
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe93⤵PID:5136
-
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe94⤵PID:5200
-
C:\Windows\SysWOW64\Imdnklfp.exeC:\Windows\system32\Imdnklfp.exe95⤵PID:5244
-
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe96⤵PID:5288
-
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe97⤵PID:5328
-
C:\Windows\SysWOW64\Ijhodq32.exeC:\Windows\system32\Ijhodq32.exe98⤵PID:5368
-
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe99⤵PID:5416
-
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe100⤵PID:5460
-
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe101⤵
- Drops file in System32 directory
PID:5504 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe102⤵PID:5548
-
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe103⤵PID:5592
-
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe104⤵PID:5632
-
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe105⤵PID:5676
-
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe106⤵PID:5716
-
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5768 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe108⤵PID:5804
-
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe109⤵PID:5844
-
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe110⤵PID:5892
-
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe111⤵PID:5924
-
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe112⤵PID:5980
-
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe113⤵PID:6024
-
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe114⤵PID:6060
-
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe115⤵PID:6100
-
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe116⤵PID:6136
-
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe117⤵PID:5196
-
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe118⤵PID:5220
-
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe119⤵PID:5316
-
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe120⤵PID:5388
-
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe121⤵PID:5456
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-