Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
02/06/2024, 05:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
445719c5747f2afa40baa82b34dce990_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
445719c5747f2afa40baa82b34dce990_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
445719c5747f2afa40baa82b34dce990_NeikiAnalytics.exe
-
Size
96KB
-
MD5
445719c5747f2afa40baa82b34dce990
-
SHA1
076fef46844d5cc30f92fe67df302e9d36c6a3a5
-
SHA256
d2d61f029320f11a4d1aea06f3771b8d4b57c13e5dca35d9c3cc06ef191f52dd
-
SHA512
4df15e41924c352defed22ffa3e78cabb43b1de820562c78e8457afaa32cb4e626762e95faaacb1ba54ddbc9bfabf5b97a0cd82136d08244a553fada249101ae
-
SSDEEP
1536:JceJsqv8VLuvMg1apjmZD6UbdWC2LzsBMu/HCmiDcg3MZRP3cEW3AE:ZUVgOrPza6miEo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djnaji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbkhfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkojgao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfhjkabi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nddkgonp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkikkeeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkjhoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiehpahb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijdhiaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbgmcnhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdmpje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjlic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhjckcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkopnh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaonjngh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhdqnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdoihpbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idofhfmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmhhehlb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iifokh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mckemg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oenlqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kplpjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oflgep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aepefb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjopcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdinljnk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhemmlhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iehfdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eglgbdep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnbklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcifkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcfqfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefjfked.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmfbjnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmdqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfjcnold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2068 Coojfa32.exe 2080 Camfbm32.exe 2100 Chgoogfa.exe 376 Cpofpdgd.exe 1544 Ccmclp32.exe 2032 Cekohk32.exe 4316 Dhjkdg32.exe 1556 Dpacfd32.exe 872 Dcopbp32.exe 1496 Denlnk32.exe 2340 Diihojkb.exe 2076 Dpcpkc32.exe 4912 Dadlclim.exe 2344 Dljqpd32.exe 4676 Dohmlp32.exe 4700 Djnaji32.exe 3788 Dphifcoi.exe 2936 Dcfebonm.exe 2856 Dfdbojmq.exe 4020 Djpnohej.exe 3668 Dlojkddn.exe 3396 Domfgpca.exe 4820 Dakbckbe.exe 3344 Efgodj32.exe 5052 Ehekqe32.exe 712 Epmcab32.exe 4832 Eoocmoao.exe 3640 Efikji32.exe 536 Ehhgfdho.exe 4088 Epopgbia.exe 1592 Ecmlcmhe.exe 4728 Eflhoigi.exe 1800 Eleplc32.exe 1764 Eqalmafo.exe 4504 Ecphimfb.exe 4732 Ebbidj32.exe 3984 Ejjqeg32.exe 4840 Elhmablc.exe 3696 Eqciba32.exe 1712 Ebeejijj.exe 3360 Efpajh32.exe 4036 Ehonfc32.exe 3496 Eqfeha32.exe 4308 Eoifcnid.exe 4260 Fbgbpihg.exe 3028 Fjnjqfij.exe 4652 Fmmfmbhn.exe 2572 Fqhbmqqg.exe 2960 Fcgoilpj.exe 640 Ffekegon.exe 3924 Fjqgff32.exe 4536 Fmocba32.exe 868 Fomonm32.exe 4176 Fcikolnh.exe 316 Ffggkgmk.exe 4448 Fmapha32.exe 3256 Fqmlhpla.exe 4644 Fbnhphbp.exe 212 Fjepaecb.exe 4520 Fihqmb32.exe 4244 Fqohnp32.exe 4396 Fobiilai.exe 4572 Fflaff32.exe 1824 Fmficqpc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Meiioonj.exe Process not Found File created C:\Windows\SysWOW64\Hhkephlb.dll Ffddka32.exe File created C:\Windows\SysWOW64\Lklnhlfb.exe Laciofpa.exe File created C:\Windows\SysWOW64\Bejfanad.dll Eofbch32.exe File created C:\Windows\SysWOW64\Ejfenk32.dll Pdfjifjo.exe File opened for modification C:\Windows\SysWOW64\Eopbnbhd.exe Egijmegb.exe File created C:\Windows\SysWOW64\Kgknhl32.exe Kihnmohm.exe File created C:\Windows\SysWOW64\Ffkclmbd.dll Hnfjbdmk.exe File created C:\Windows\SysWOW64\Hqomopfd.dll Process not Found File created C:\Windows\SysWOW64\Eqciba32.exe Elhmablc.exe File opened for modification C:\Windows\SysWOW64\Paoollik.exe Process not Found File created C:\Windows\SysWOW64\Eppjfgcp.exe Process not Found File created C:\Windows\SysWOW64\Bpfkpp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dmalne32.exe Process not Found File created C:\Windows\SysWOW64\Dccledea.dll Process not Found File created C:\Windows\SysWOW64\Ebdcld32.exe Process not Found File created C:\Windows\SysWOW64\Fbelcblk.exe Process not Found File created C:\Windows\SysWOW64\Ekcgkb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kadpdp32.exe Process not Found File created C:\Windows\SysWOW64\Mgnnhk32.exe Mdpalp32.exe File created C:\Windows\SysWOW64\Pcjiff32.exe Process not Found File created C:\Windows\SysWOW64\Ekoglqie.dll Process not Found File opened for modification C:\Windows\SysWOW64\Baegibae.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ncbafoge.exe Process not Found File created C:\Windows\SysWOW64\Kfqgab32.exe Kpgodhkd.exe File created C:\Windows\SysWOW64\Ipgiebei.dll Fpjjac32.exe File created C:\Windows\SysWOW64\Lljklo32.exe Process not Found File created C:\Windows\SysWOW64\Nhhlki32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bgnkhg32.exe Bogcgj32.exe File created C:\Windows\SysWOW64\Hbpphi32.exe Hnddgjbj.exe File opened for modification C:\Windows\SysWOW64\Ajggomog.exe Process not Found File created C:\Windows\SysWOW64\Gmfplibd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iomoenej.exe Process not Found File created C:\Windows\SysWOW64\Mmkdcm32.exe Process not Found File created C:\Windows\SysWOW64\Qbdadm32.dll Process not Found File created C:\Windows\SysWOW64\Omfmcjlk.dll Process not Found File created C:\Windows\SysWOW64\Jfpbkoql.dll Oqhacgdh.exe File created C:\Windows\SysWOW64\Dggbcf32.exe Process not Found File created C:\Windows\SysWOW64\Hofmfmhj.exe Hgoeep32.exe File opened for modification C:\Windows\SysWOW64\Injcmc32.exe Igqkqiai.exe File created C:\Windows\SysWOW64\Ejlbhh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Djpnohej.exe Dfdbojmq.exe File created C:\Windows\SysWOW64\Hhmkaf32.dll Mpjlklok.exe File created C:\Windows\SysWOW64\Bmkjkd32.exe Bjmnoi32.exe File created C:\Windows\SysWOW64\Plcpgejf.dll Hkpheidp.exe File opened for modification C:\Windows\SysWOW64\Nkqkhk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cncnob32.exe Process not Found File created C:\Windows\SysWOW64\Qgiiak32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Njjmni32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dpacfd32.exe Dhjkdg32.exe File created C:\Windows\SysWOW64\Pbhgoh32.exe Process not Found File created C:\Windows\SysWOW64\Ofjqihnn.exe Process not Found File created C:\Windows\SysWOW64\Pejjde32.dll Ehedfo32.exe File opened for modification C:\Windows\SysWOW64\Gegkpf32.exe Process not Found File created C:\Windows\SysWOW64\Jplifcqp.dll Kibnhjgj.exe File created C:\Windows\SysWOW64\Jfbkpd32.exe Joiccj32.exe File opened for modification C:\Windows\SysWOW64\Fpimlfke.exe Process not Found File created C:\Windows\SysWOW64\Jpehef32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ikcdlmgf.exe Iiehpahb.exe File opened for modification C:\Windows\SysWOW64\Hkikkeeo.exe Hmfkoh32.exe File created C:\Windows\SysWOW64\Dqfhilhd.dll Aepefb32.exe File created C:\Windows\SysWOW64\Jeqbpb32.exe Jbbfdfkn.exe File created C:\Windows\SysWOW64\Nlfndjhh.dll Process not Found File created C:\Windows\SysWOW64\Bomfgoah.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 6004 6836 Process not Found 2052 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpgmha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdabnm32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leboon32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fehfljca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioghlbd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dccbbhld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iejpiq32.dll" Ajhniccb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iakiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobfelii.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfmcjlk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgaeof32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcbnejem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkncdifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaiapmca.dll" Nggqoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjqaij32.dll" Dllfkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfcbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahdik32.dll" Ibicnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgbfaeek.dll" Gacjadad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdbhkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjohgj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojmcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldjhpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiffen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll" Mckemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fddqghpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmlfpb32.dll" Lhdqnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioqgiibk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemdebha.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjfof32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phelcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impjjbmh.dll" Amhfkopc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 445719c5747f2afa40baa82b34dce990_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll" Mciobn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgaocmg.dll" Kbhoqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgjjdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffpicn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idkbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llhikacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmfqg32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll" Ijkljp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mefiblfk.dll" Cfadkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgghhlhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll" Qqijje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eibfck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmfkk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccbakce.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1108 wrote to memory of 2068 1108 445719c5747f2afa40baa82b34dce990_NeikiAnalytics.exe 81 PID 1108 wrote to memory of 2068 1108 445719c5747f2afa40baa82b34dce990_NeikiAnalytics.exe 81 PID 1108 wrote to memory of 2068 1108 445719c5747f2afa40baa82b34dce990_NeikiAnalytics.exe 81 PID 2068 wrote to memory of 2080 2068 Coojfa32.exe 82 PID 2068 wrote to memory of 2080 2068 Coojfa32.exe 82 PID 2068 wrote to memory of 2080 2068 Coojfa32.exe 82 PID 2080 wrote to memory of 2100 2080 Camfbm32.exe 83 PID 2080 wrote to memory of 2100 2080 Camfbm32.exe 83 PID 2080 wrote to memory of 2100 2080 Camfbm32.exe 83 PID 2100 wrote to memory of 376 2100 Chgoogfa.exe 84 PID 2100 wrote to memory of 376 2100 Chgoogfa.exe 84 PID 2100 wrote to memory of 376 2100 Chgoogfa.exe 84 PID 376 wrote to memory of 1544 376 Cpofpdgd.exe 85 PID 376 wrote to memory of 1544 376 Cpofpdgd.exe 85 PID 376 wrote to memory of 1544 376 Cpofpdgd.exe 85 PID 1544 wrote to memory of 2032 1544 Ccmclp32.exe 86 PID 1544 wrote to memory of 2032 1544 Ccmclp32.exe 86 PID 1544 wrote to memory of 2032 1544 Ccmclp32.exe 86 PID 2032 wrote to memory of 4316 2032 Cekohk32.exe 87 PID 2032 wrote to memory of 4316 2032 Cekohk32.exe 87 PID 2032 wrote to memory of 4316 2032 Cekohk32.exe 87 PID 4316 wrote to memory of 1556 4316 Dhjkdg32.exe 88 PID 4316 wrote to memory of 1556 4316 Dhjkdg32.exe 88 PID 4316 wrote to memory of 1556 4316 Dhjkdg32.exe 88 PID 1556 wrote to memory of 872 1556 Dpacfd32.exe 89 PID 1556 wrote to memory of 872 1556 Dpacfd32.exe 89 PID 1556 wrote to memory of 872 1556 Dpacfd32.exe 89 PID 872 wrote to memory of 1496 872 Dcopbp32.exe 90 PID 872 wrote to memory of 1496 872 Dcopbp32.exe 90 PID 872 wrote to memory of 1496 872 Dcopbp32.exe 90 PID 1496 wrote to memory of 2340 1496 Denlnk32.exe 92 PID 1496 wrote to memory of 2340 1496 Denlnk32.exe 92 PID 1496 wrote to memory of 2340 1496 Denlnk32.exe 92 PID 2340 wrote to memory of 2076 2340 Diihojkb.exe 93 PID 2340 wrote to memory of 2076 2340 Diihojkb.exe 93 PID 2340 wrote to memory of 2076 2340 Diihojkb.exe 93 PID 2076 wrote to memory of 4912 2076 Dpcpkc32.exe 94 PID 2076 wrote to memory of 4912 2076 Dpcpkc32.exe 94 PID 2076 wrote to memory of 4912 2076 Dpcpkc32.exe 94 PID 4912 wrote to memory of 2344 4912 Dadlclim.exe 95 PID 4912 wrote to memory of 2344 4912 Dadlclim.exe 95 PID 4912 wrote to memory of 2344 4912 Dadlclim.exe 95 PID 2344 wrote to memory of 4676 2344 Dljqpd32.exe 97 PID 2344 wrote to memory of 4676 2344 Dljqpd32.exe 97 PID 2344 wrote to memory of 4676 2344 Dljqpd32.exe 97 PID 4676 wrote to memory of 4700 4676 Dohmlp32.exe 98 PID 4676 wrote to memory of 4700 4676 Dohmlp32.exe 98 PID 4676 wrote to memory of 4700 4676 Dohmlp32.exe 98 PID 4700 wrote to memory of 3788 4700 Djnaji32.exe 99 PID 4700 wrote to memory of 3788 4700 Djnaji32.exe 99 PID 4700 wrote to memory of 3788 4700 Djnaji32.exe 99 PID 3788 wrote to memory of 2936 3788 Dphifcoi.exe 100 PID 3788 wrote to memory of 2936 3788 Dphifcoi.exe 100 PID 3788 wrote to memory of 2936 3788 Dphifcoi.exe 100 PID 2936 wrote to memory of 2856 2936 Dcfebonm.exe 101 PID 2936 wrote to memory of 2856 2936 Dcfebonm.exe 101 PID 2936 wrote to memory of 2856 2936 Dcfebonm.exe 101 PID 2856 wrote to memory of 4020 2856 Dfdbojmq.exe 103 PID 2856 wrote to memory of 4020 2856 Dfdbojmq.exe 103 PID 2856 wrote to memory of 4020 2856 Dfdbojmq.exe 103 PID 4020 wrote to memory of 3668 4020 Djpnohej.exe 104 PID 4020 wrote to memory of 3668 4020 Djpnohej.exe 104 PID 4020 wrote to memory of 3668 4020 Djpnohej.exe 104 PID 3668 wrote to memory of 3396 3668 Dlojkddn.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\445719c5747f2afa40baa82b34dce990_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\445719c5747f2afa40baa82b34dce990_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Coojfa32.exeC:\Windows\system32\Coojfa32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Chgoogfa.exeC:\Windows\system32\Chgoogfa.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Dlojkddn.exeC:\Windows\system32\Dlojkddn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Domfgpca.exeC:\Windows\system32\Domfgpca.exe23⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe24⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe25⤵
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe26⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe27⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe28⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe29⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe30⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe31⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe32⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe33⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe34⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe35⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe36⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe37⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe38⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4840 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe40⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe41⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe42⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe43⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe44⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe45⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe46⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe47⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe48⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe49⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe50⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe51⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe52⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe53⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe54⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe55⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe56⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe57⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe58⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe59⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe60⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe61⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe62⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe63⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe64⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe65⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe66⤵PID:3308
-
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe67⤵PID:5080
-
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe68⤵PID:1340
-
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe69⤵PID:3784
-
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe70⤵
- Modifies registry class
PID:5096 -
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe71⤵PID:3552
-
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe72⤵PID:1328
-
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe73⤵PID:4752
-
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe74⤵PID:4132
-
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe75⤵PID:3048
-
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe76⤵PID:4456
-
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe77⤵PID:3596
-
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe78⤵PID:4172
-
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe79⤵PID:4988
-
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe80⤵PID:4384
-
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe81⤵PID:2836
-
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe82⤵PID:1472
-
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe83⤵PID:1212
-
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe84⤵PID:588
-
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4476 -
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe86⤵PID:4704
-
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe87⤵PID:748
-
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe88⤵PID:1536
-
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe89⤵PID:3388
-
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe90⤵PID:2588
-
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe91⤵PID:4772
-
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe92⤵PID:2300
-
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe93⤵PID:2824
-
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe94⤵PID:1424
-
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe95⤵PID:956
-
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe96⤵PID:4892
-
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe97⤵PID:1124
-
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe98⤵PID:2692
-
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe99⤵PID:4412
-
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe100⤵PID:540
-
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe101⤵PID:3484
-
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe102⤵PID:552
-
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe103⤵PID:3624
-
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe104⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe105⤵PID:1064
-
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe106⤵PID:5128
-
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe107⤵PID:5180
-
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe108⤵PID:5224
-
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe109⤵PID:5296
-
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5348 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe111⤵PID:5400
-
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe112⤵PID:5452
-
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe113⤵PID:5492
-
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe114⤵PID:5540
-
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe115⤵
- Modifies registry class
PID:5640 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe116⤵PID:5692
-
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe117⤵PID:5736
-
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe118⤵PID:5780
-
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe119⤵PID:5820
-
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe120⤵PID:5868
-
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe121⤵PID:5912
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-