Analysis
-
max time kernel
141s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
26/05/2024, 00:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3adffec21dfd97ee49390ea0822efa70_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3adffec21dfd97ee49390ea0822efa70_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
3adffec21dfd97ee49390ea0822efa70_NeikiAnalytics.exe
-
Size
94KB
-
MD5
3adffec21dfd97ee49390ea0822efa70
-
SHA1
0c11748146f1b152387fbe50ba3c34659160899f
-
SHA256
9ea06f709fd9201e5640061c57fc91241fb7411164f0d07c13431f4533595e0a
-
SHA512
1c34b42de8ad98be0599d39a17d16ce2da2a708ee6e826a415c886744ac91d74aeeec0622fda867e00a3aca77cf432f1d8d259c461d6ba9335b1336c7e65bf5b
-
SSDEEP
1536:xKwey4AIoPb1+ozxTED2LHAMQ262AjCsQ2PCZZrqOlNfVSLUKkJr4:xKwgVoPbygHAMQH2qC7ZQOlzSLUK64
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Medggidb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnndhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffhnocfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fffqjfom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfehoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpkiim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbnlim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgjcfgoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neclpamg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibhkfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfoac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpeaeedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnbcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfcoblfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohdbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bknidbhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amqhbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfbaalbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnopjfgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcghkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Najagp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okpkgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhkkfod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gadqepkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egohdegl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpkppbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgjmkqke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odkaac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbbdad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgkakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bganac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feocoaai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckidcpjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnjkgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jagqfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibnlbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bifkcioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihkila32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efgono32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfgjad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdpmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmbnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eajlhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaedanal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnhdgpii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glajeiml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmficce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmaihekc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iannpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lllagh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhekaejj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbdgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlpcpffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnepbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqioqf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nieggill.exe -
Executes dropped EXE 64 IoCs
pid Process 568 Bkobmnka.exe 1104 Ckeimm32.exe 4688 Cfnjpfcl.exe 3688 Cbdjeg32.exe 2560 Ckmonl32.exe 220 Dmlkhofd.exe 456 Dbkqfe32.exe 664 Dkfadkgf.exe 2100 Dkhnjk32.exe 1048 Ebdcld32.exe 736 Efblbbqd.exe 4372 Enpmld32.exe 2272 Fpbflg32.exe 4900 Ffnknafg.exe 3672 Fiodpl32.exe 2432 Fiaael32.exe 4180 Gfeaopqo.exe 2652 Gfhndpol.exe 3668 Gldglf32.exe 3644 Gemkelcd.exe 2884 Geohklaa.exe 5016 Geaepk32.exe 1536 Gojiiafp.exe 4992 Holfoqcm.exe 496 Hlpfhe32.exe 2464 Hiipmhmk.exe 3284 Ipgbdbqb.exe 576 Ibhkfm32.exe 2932 Ieidhh32.exe 1412 Jcmdaljn.exe 3816 Jilfifme.exe 396 Jcfggkac.exe 1900 Knnhjcog.exe 3972 Knqepc32.exe 2604 Kncaec32.exe 5052 Kcbfcigf.exe 4364 Lpfgmnfp.exe 2936 Lgbloglj.exe 3356 Lfgipd32.exe 3888 Ljeafb32.exe 2904 Mcpcdg32.exe 2620 Mnhdgpii.exe 2556 Mfeeabda.exe 1708 Nqpcjj32.exe 2724 Nglhld32.exe 1212 Njmqnobn.exe 4024 Oaifpi32.exe 4216 Ogekbb32.exe 4896 Oghghb32.exe 400 Ondljl32.exe 4200 Pmiikh32.exe 1648 Ppjbmc32.exe 1872 Pnmopk32.exe 1408 Pfiddm32.exe 4636 Pdmdnadc.exe 4544 Qaqegecm.exe 4120 Qodeajbg.exe 2708 Akkffkhk.exe 4920 Amlogfel.exe 4292 Amnlme32.exe 3020 Amqhbe32.exe 1052 Akdilipp.exe 4828 Bgkiaj32.exe 4080 Bgnffj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mapppn32.exe Lhgkgijg.exe File created C:\Windows\SysWOW64\Eqkondfl.exe Egbken32.exe File opened for modification C:\Windows\SysWOW64\Jaemilci.exe Jlidpe32.exe File created C:\Windows\SysWOW64\Geeecogb.exe Ghadjkhh.exe File created C:\Windows\SysWOW64\Bpaacblm.exe Bekmei32.exe File opened for modification C:\Windows\SysWOW64\Pjgemi32.exe Phfhfa32.exe File created C:\Windows\SysWOW64\Aebhaede.exe Process not Found File created C:\Windows\SysWOW64\Plmoaa32.dll Bffkcp32.exe File created C:\Windows\SysWOW64\Efnolmmb.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bmhocd32.exe Bgnffj32.exe File created C:\Windows\SysWOW64\Ellpmolj.exe Epeohn32.exe File created C:\Windows\SysWOW64\Lofllk32.dll Qfilkj32.exe File created C:\Windows\SysWOW64\Dabhomea.exe Cgjcfgoa.exe File created C:\Windows\SysWOW64\Ppemmg32.exe Process not Found File created C:\Windows\SysWOW64\Qbdaqe32.dll Process not Found File created C:\Windows\SysWOW64\Ibcbfe32.dll Jilfifme.exe File created C:\Windows\SysWOW64\Fffcpnjo.dll Hqfqfj32.exe File opened for modification C:\Windows\SysWOW64\Malefbkc.exe Ldfhgn32.exe File opened for modification C:\Windows\SysWOW64\Akogio32.exe Afboah32.exe File created C:\Windows\SysWOW64\Dckfjnkb.dll Ioicnn32.exe File created C:\Windows\SysWOW64\Galfhpmf.exe Geeecogb.exe File created C:\Windows\SysWOW64\Ccdgjm32.exe Cjlbag32.exe File created C:\Windows\SysWOW64\Bhgeao32.exe Bplammmf.exe File created C:\Windows\SysWOW64\Ndmepe32.exe Mkepgp32.exe File opened for modification C:\Windows\SysWOW64\Pidaleei.exe Process not Found File created C:\Windows\SysWOW64\Nqaiecjd.exe Nmcpoedn.exe File created C:\Windows\SysWOW64\Bminokil.exe Bcqife32.exe File created C:\Windows\SysWOW64\Bdknah32.dll Enbhdojn.exe File opened for modification C:\Windows\SysWOW64\Giaaoa32.exe Process not Found File created C:\Windows\SysWOW64\Jhdfpjee.dll Ccfcpm32.exe File created C:\Windows\SysWOW64\Achmjmnb.exe Qlmhfj32.exe File opened for modification C:\Windows\SysWOW64\Ejchbmna.exe Process not Found File created C:\Windows\SysWOW64\Hfgnle32.dll Kflnpild.exe File opened for modification C:\Windows\SysWOW64\Inhgaipf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ckdkhq32.exe Calfpk32.exe File opened for modification C:\Windows\SysWOW64\Ajmgof32.exe Ajjjjghg.exe File opened for modification C:\Windows\SysWOW64\Impldi32.exe Iplkje32.exe File opened for modification C:\Windows\SysWOW64\Qfgfpp32.exe Pmoagk32.exe File created C:\Windows\SysWOW64\Hqkefo32.dll Hlogfd32.exe File opened for modification C:\Windows\SysWOW64\Kpeibdfp.exe Keoeel32.exe File opened for modification C:\Windows\SysWOW64\Mikcbb32.exe Process not Found File created C:\Windows\SysWOW64\Pninea32.dll Mfbaalbi.exe File opened for modification C:\Windows\SysWOW64\Qdihfq32.exe Qnopjfgi.exe File created C:\Windows\SysWOW64\Bahdje32.exe Bpggbm32.exe File opened for modification C:\Windows\SysWOW64\Lnepbm32.exe Lpapiipo.exe File created C:\Windows\SysWOW64\Mojhphij.exe Process not Found File created C:\Windows\SysWOW64\Bgabmp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Oamgcm32.exe Ohdbkh32.exe File opened for modification C:\Windows\SysWOW64\Fehplggn.exe Fongpm32.exe File created C:\Windows\SysWOW64\Icnmcc32.dll Fdmfcn32.exe File created C:\Windows\SysWOW64\Noncij32.dll Deokhc32.exe File created C:\Windows\SysWOW64\Dqdkbgch.dll Ehocjo32.exe File created C:\Windows\SysWOW64\Jklpakam.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lebijnak.exe Kofdhd32.exe File created C:\Windows\SysWOW64\Kkegbpca.exe Kalcik32.exe File created C:\Windows\SysWOW64\Hpqkcc32.dll Pgaelcgm.exe File created C:\Windows\SysWOW64\Fjmnib32.dll Kmbkfp32.exe File opened for modification C:\Windows\SysWOW64\Adapqk32.exe Ahjoljqc.exe File created C:\Windows\SysWOW64\Ljgmjm32.dll Omdieb32.exe File created C:\Windows\SysWOW64\Ephbhd32.exe Ejojljqa.exe File created C:\Windows\SysWOW64\Kacofh32.dll Oamgcm32.exe File created C:\Windows\SysWOW64\Fhjoilop.exe Faqflb32.exe File opened for modification C:\Windows\SysWOW64\Aancojgn.exe Aqkgikip.exe File created C:\Windows\SysWOW64\Jhcalb32.dll Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ainnhdbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhfoocaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfjmg32.dll" Fmmmqnaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnpognhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdbked32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njploeoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdebopdl.dll" Amlogfel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foenplji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akipic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necbhj32.dll" Jdhigk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alnjhe32.dll" Bnfoac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcdakd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccdgjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjhfe32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijicm32.dll" Kleiid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabaklon.dll" Hihbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbfkceca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beiopegj.dll" Jlblcdpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blmamh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmjlmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikagpcof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjmpege.dll" Bpdfpmoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbplml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdeffgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnpmkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Digcnb32.dll" Bgfpdmho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhgkgijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbmhjmdk.dll" Gklnem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhibfek.dll" Pcgdhkem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejioqkck.dll" Hkohchko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgjcfgoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnpiedch.dll" Hfkdkqeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iboogh32.dll" Hikfbeod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqklfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kidben32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Logicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjkdi32.dll" Cndidlfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpqlfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acemjd32.dll" Fmndkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgdgodhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdlcde32.dll" Nqklfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amlogfel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnknoicc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcgmn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecebk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdojoeki.dll" Ofdqcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeimqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqfbkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdqgfbop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibeqgdpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmangnmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipgbdbqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngidlo32.dll" Lfgipd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaggn32.dll" Bmfqngcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpmfklbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pimcpf32.dll" Gmmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famipk32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdmdnadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebkbbmqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iocchhof.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 652 wrote to memory of 568 652 3adffec21dfd97ee49390ea0822efa70_NeikiAnalytics.exe 90 PID 652 wrote to memory of 568 652 3adffec21dfd97ee49390ea0822efa70_NeikiAnalytics.exe 90 PID 652 wrote to memory of 568 652 3adffec21dfd97ee49390ea0822efa70_NeikiAnalytics.exe 90 PID 568 wrote to memory of 1104 568 Bkobmnka.exe 91 PID 568 wrote to memory of 1104 568 Bkobmnka.exe 91 PID 568 wrote to memory of 1104 568 Bkobmnka.exe 91 PID 1104 wrote to memory of 4688 1104 Ckeimm32.exe 92 PID 1104 wrote to memory of 4688 1104 Ckeimm32.exe 92 PID 1104 wrote to memory of 4688 1104 Ckeimm32.exe 92 PID 4688 wrote to memory of 3688 4688 Cfnjpfcl.exe 93 PID 4688 wrote to memory of 3688 4688 Cfnjpfcl.exe 93 PID 4688 wrote to memory of 3688 4688 Cfnjpfcl.exe 93 PID 3688 wrote to memory of 2560 3688 Cbdjeg32.exe 94 PID 3688 wrote to memory of 2560 3688 Cbdjeg32.exe 94 PID 3688 wrote to memory of 2560 3688 Cbdjeg32.exe 94 PID 2560 wrote to memory of 220 2560 Ckmonl32.exe 95 PID 2560 wrote to memory of 220 2560 Ckmonl32.exe 95 PID 2560 wrote to memory of 220 2560 Ckmonl32.exe 95 PID 220 wrote to memory of 456 220 Dmlkhofd.exe 96 PID 220 wrote to memory of 456 220 Dmlkhofd.exe 96 PID 220 wrote to memory of 456 220 Dmlkhofd.exe 96 PID 456 wrote to memory of 664 456 Dbkqfe32.exe 97 PID 456 wrote to memory of 664 456 Dbkqfe32.exe 97 PID 456 wrote to memory of 664 456 Dbkqfe32.exe 97 PID 664 wrote to memory of 2100 664 Dkfadkgf.exe 98 PID 664 wrote to memory of 2100 664 Dkfadkgf.exe 98 PID 664 wrote to memory of 2100 664 Dkfadkgf.exe 98 PID 2100 wrote to memory of 1048 2100 Dkhnjk32.exe 99 PID 2100 wrote to memory of 1048 2100 Dkhnjk32.exe 99 PID 2100 wrote to memory of 1048 2100 Dkhnjk32.exe 99 PID 1048 wrote to memory of 736 1048 Ebdcld32.exe 100 PID 1048 wrote to memory of 736 1048 Ebdcld32.exe 100 PID 1048 wrote to memory of 736 1048 Ebdcld32.exe 100 PID 736 wrote to memory of 4372 736 Efblbbqd.exe 101 PID 736 wrote to memory of 4372 736 Efblbbqd.exe 101 PID 736 wrote to memory of 4372 736 Efblbbqd.exe 101 PID 4372 wrote to memory of 2272 4372 Enpmld32.exe 102 PID 4372 wrote to memory of 2272 4372 Enpmld32.exe 102 PID 4372 wrote to memory of 2272 4372 Enpmld32.exe 102 PID 2272 wrote to memory of 4900 2272 Fpbflg32.exe 103 PID 2272 wrote to memory of 4900 2272 Fpbflg32.exe 103 PID 2272 wrote to memory of 4900 2272 Fpbflg32.exe 103 PID 4900 wrote to memory of 3672 4900 Ffnknafg.exe 104 PID 4900 wrote to memory of 3672 4900 Ffnknafg.exe 104 PID 4900 wrote to memory of 3672 4900 Ffnknafg.exe 104 PID 3672 wrote to memory of 2432 3672 Fiodpl32.exe 105 PID 3672 wrote to memory of 2432 3672 Fiodpl32.exe 105 PID 3672 wrote to memory of 2432 3672 Fiodpl32.exe 105 PID 2432 wrote to memory of 4180 2432 Fiaael32.exe 106 PID 2432 wrote to memory of 4180 2432 Fiaael32.exe 106 PID 2432 wrote to memory of 4180 2432 Fiaael32.exe 106 PID 4180 wrote to memory of 2652 4180 Gfeaopqo.exe 107 PID 4180 wrote to memory of 2652 4180 Gfeaopqo.exe 107 PID 4180 wrote to memory of 2652 4180 Gfeaopqo.exe 107 PID 2652 wrote to memory of 3668 2652 Gfhndpol.exe 108 PID 2652 wrote to memory of 3668 2652 Gfhndpol.exe 108 PID 2652 wrote to memory of 3668 2652 Gfhndpol.exe 108 PID 3668 wrote to memory of 3644 3668 Gldglf32.exe 109 PID 3668 wrote to memory of 3644 3668 Gldglf32.exe 109 PID 3668 wrote to memory of 3644 3668 Gldglf32.exe 109 PID 3644 wrote to memory of 2884 3644 Gemkelcd.exe 110 PID 3644 wrote to memory of 2884 3644 Gemkelcd.exe 110 PID 3644 wrote to memory of 2884 3644 Gemkelcd.exe 110 PID 2884 wrote to memory of 5016 2884 Geohklaa.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\3adffec21dfd97ee49390ea0822efa70_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3adffec21dfd97ee49390ea0822efa70_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\Bkobmnka.exeC:\Windows\system32\Bkobmnka.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Ckeimm32.exeC:\Windows\system32\Ckeimm32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Cfnjpfcl.exeC:\Windows\system32\Cfnjpfcl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Cbdjeg32.exeC:\Windows\system32\Cbdjeg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Ckmonl32.exeC:\Windows\system32\Ckmonl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Dmlkhofd.exeC:\Windows\system32\Dmlkhofd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Dbkqfe32.exeC:\Windows\system32\Dbkqfe32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Dkfadkgf.exeC:\Windows\system32\Dkfadkgf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Dkhnjk32.exeC:\Windows\system32\Dkhnjk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Ebdcld32.exeC:\Windows\system32\Ebdcld32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Efblbbqd.exeC:\Windows\system32\Efblbbqd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\Enpmld32.exeC:\Windows\system32\Enpmld32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\Fpbflg32.exeC:\Windows\system32\Fpbflg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Ffnknafg.exeC:\Windows\system32\Ffnknafg.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Fiodpl32.exeC:\Windows\system32\Fiodpl32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Fiaael32.exeC:\Windows\system32\Fiaael32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Gfeaopqo.exeC:\Windows\system32\Gfeaopqo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Gfhndpol.exeC:\Windows\system32\Gfhndpol.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Gldglf32.exeC:\Windows\system32\Gldglf32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Gemkelcd.exeC:\Windows\system32\Gemkelcd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\Geohklaa.exeC:\Windows\system32\Geohklaa.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Geaepk32.exeC:\Windows\system32\Geaepk32.exe23⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Gojiiafp.exeC:\Windows\system32\Gojiiafp.exe24⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Holfoqcm.exeC:\Windows\system32\Holfoqcm.exe25⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Hlpfhe32.exeC:\Windows\system32\Hlpfhe32.exe26⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\Hiipmhmk.exeC:\Windows\system32\Hiipmhmk.exe27⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Ipgbdbqb.exeC:\Windows\system32\Ipgbdbqb.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3284 -
C:\Windows\SysWOW64\Ibhkfm32.exeC:\Windows\system32\Ibhkfm32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Ieidhh32.exeC:\Windows\system32\Ieidhh32.exe30⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Jcmdaljn.exeC:\Windows\system32\Jcmdaljn.exe31⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Jilfifme.exeC:\Windows\system32\Jilfifme.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3816 -
C:\Windows\SysWOW64\Jcfggkac.exeC:\Windows\system32\Jcfggkac.exe33⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Knnhjcog.exeC:\Windows\system32\Knnhjcog.exe34⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Knqepc32.exeC:\Windows\system32\Knqepc32.exe35⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Kncaec32.exeC:\Windows\system32\Kncaec32.exe36⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Kcbfcigf.exeC:\Windows\system32\Kcbfcigf.exe37⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Lpfgmnfp.exeC:\Windows\system32\Lpfgmnfp.exe38⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Lgbloglj.exeC:\Windows\system32\Lgbloglj.exe39⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Lfgipd32.exeC:\Windows\system32\Lfgipd32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3356 -
C:\Windows\SysWOW64\Ljeafb32.exeC:\Windows\system32\Ljeafb32.exe41⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Mcpcdg32.exeC:\Windows\system32\Mcpcdg32.exe42⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Mnhdgpii.exeC:\Windows\system32\Mnhdgpii.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Mfeeabda.exeC:\Windows\system32\Mfeeabda.exe44⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Nqpcjj32.exeC:\Windows\system32\Nqpcjj32.exe45⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Nglhld32.exeC:\Windows\system32\Nglhld32.exe46⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Njmqnobn.exeC:\Windows\system32\Njmqnobn.exe47⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Oaifpi32.exeC:\Windows\system32\Oaifpi32.exe48⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Ogekbb32.exeC:\Windows\system32\Ogekbb32.exe49⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Oghghb32.exeC:\Windows\system32\Oghghb32.exe50⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Ondljl32.exeC:\Windows\system32\Ondljl32.exe51⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Pmiikh32.exeC:\Windows\system32\Pmiikh32.exe52⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Ppjbmc32.exeC:\Windows\system32\Ppjbmc32.exe53⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Pnmopk32.exeC:\Windows\system32\Pnmopk32.exe54⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Pfiddm32.exeC:\Windows\system32\Pfiddm32.exe55⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Pdmdnadc.exeC:\Windows\system32\Pdmdnadc.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:4636 -
C:\Windows\SysWOW64\Qaqegecm.exeC:\Windows\system32\Qaqegecm.exe57⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Qodeajbg.exeC:\Windows\system32\Qodeajbg.exe58⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Akkffkhk.exeC:\Windows\system32\Akkffkhk.exe59⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Amlogfel.exeC:\Windows\system32\Amlogfel.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4920 -
C:\Windows\SysWOW64\Amnlme32.exeC:\Windows\system32\Amnlme32.exe61⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Amqhbe32.exeC:\Windows\system32\Amqhbe32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Akdilipp.exeC:\Windows\system32\Akdilipp.exe63⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Bgkiaj32.exeC:\Windows\system32\Bgkiaj32.exe64⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Bgnffj32.exeC:\Windows\system32\Bgnffj32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4080 -
C:\Windows\SysWOW64\Bmhocd32.exeC:\Windows\system32\Bmhocd32.exe66⤵PID:2608
-
C:\Windows\SysWOW64\Bhmbqm32.exeC:\Windows\system32\Bhmbqm32.exe67⤵PID:3080
-
C:\Windows\SysWOW64\Bddcenpi.exeC:\Windows\system32\Bddcenpi.exe68⤵PID:2204
-
C:\Windows\SysWOW64\Bahdob32.exeC:\Windows\system32\Bahdob32.exe69⤵PID:872
-
C:\Windows\SysWOW64\Cpmapodj.exeC:\Windows\system32\Cpmapodj.exe70⤵PID:4836
-
C:\Windows\SysWOW64\Cammjakm.exeC:\Windows\system32\Cammjakm.exe71⤵PID:4684
-
C:\Windows\SysWOW64\Cnfkdb32.exeC:\Windows\system32\Cnfkdb32.exe72⤵PID:4748
-
C:\Windows\SysWOW64\Dgeenfog.exeC:\Windows\system32\Dgeenfog.exe73⤵PID:4964
-
C:\Windows\SysWOW64\Dnonkq32.exeC:\Windows\system32\Dnonkq32.exe74⤵PID:2424
-
C:\Windows\SysWOW64\Dnajppda.exeC:\Windows\system32\Dnajppda.exe75⤵PID:4036
-
C:\Windows\SysWOW64\Doagjc32.exeC:\Windows\system32\Doagjc32.exe76⤵PID:2964
-
C:\Windows\SysWOW64\Dkhgod32.exeC:\Windows\system32\Dkhgod32.exe77⤵PID:3616
-
C:\Windows\SysWOW64\Egohdegl.exeC:\Windows\system32\Egohdegl.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2252 -
C:\Windows\SysWOW64\Ebdlangb.exeC:\Windows\system32\Ebdlangb.exe79⤵PID:348
-
C:\Windows\SysWOW64\Enkmfolf.exeC:\Windows\system32\Enkmfolf.exe80⤵PID:1120
-
C:\Windows\SysWOW64\Enmjlojd.exeC:\Windows\system32\Enmjlojd.exe81⤵PID:1628
-
C:\Windows\SysWOW64\Egened32.exeC:\Windows\system32\Egened32.exe82⤵PID:1844
-
C:\Windows\SysWOW64\Ebkbbmqj.exeC:\Windows\system32\Ebkbbmqj.exe83⤵
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Fnbcgn32.exeC:\Windows\system32\Fnbcgn32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2052 -
C:\Windows\SysWOW64\Fgjhpcmo.exeC:\Windows\system32\Fgjhpcmo.exe85⤵PID:4892
-
C:\Windows\SysWOW64\Fbplml32.exeC:\Windows\system32\Fbplml32.exe86⤵
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Fnfmbmbi.exeC:\Windows\system32\Fnfmbmbi.exe87⤵PID:5172
-
C:\Windows\SysWOW64\Finnef32.exeC:\Windows\system32\Finnef32.exe88⤵PID:5216
-
C:\Windows\SysWOW64\Fnkfmm32.exeC:\Windows\system32\Fnkfmm32.exe89⤵PID:5260
-
C:\Windows\SysWOW64\Fkofga32.exeC:\Windows\system32\Fkofga32.exe90⤵PID:5304
-
C:\Windows\SysWOW64\Gkaclqkk.exeC:\Windows\system32\Gkaclqkk.exe91⤵PID:5348
-
C:\Windows\SysWOW64\Gejhef32.exeC:\Windows\system32\Gejhef32.exe92⤵PID:5392
-
C:\Windows\SysWOW64\Gaqhjggp.exeC:\Windows\system32\Gaqhjggp.exe93⤵PID:5436
-
C:\Windows\SysWOW64\Gndick32.exeC:\Windows\system32\Gndick32.exe94⤵PID:5484
-
C:\Windows\SysWOW64\Ggmmlamj.exeC:\Windows\system32\Ggmmlamj.exe95⤵PID:5528
-
C:\Windows\SysWOW64\Hpfbcn32.exeC:\Windows\system32\Hpfbcn32.exe96⤵PID:5628
-
C:\Windows\SysWOW64\Hhdcmp32.exeC:\Windows\system32\Hhdcmp32.exe97⤵PID:5672
-
C:\Windows\SysWOW64\Hbihjifh.exeC:\Windows\system32\Hbihjifh.exe98⤵PID:5716
-
C:\Windows\SysWOW64\Hlblcn32.exeC:\Windows\system32\Hlblcn32.exe99⤵PID:5760
-
C:\Windows\SysWOW64\Hejqldci.exeC:\Windows\system32\Hejqldci.exe100⤵PID:5808
-
C:\Windows\SysWOW64\Hnbeeiji.exeC:\Windows\system32\Hnbeeiji.exe101⤵PID:5852
-
C:\Windows\SysWOW64\Iacngdgj.exeC:\Windows\system32\Iacngdgj.exe102⤵PID:5896
-
C:\Windows\SysWOW64\Ibcjqgnm.exeC:\Windows\system32\Ibcjqgnm.exe103⤵PID:5940
-
C:\Windows\SysWOW64\Iimcma32.exeC:\Windows\system32\Iimcma32.exe104⤵PID:5984
-
C:\Windows\SysWOW64\Iahgad32.exeC:\Windows\system32\Iahgad32.exe105⤵PID:6040
-
C:\Windows\SysWOW64\Ipihpkkd.exeC:\Windows\system32\Ipihpkkd.exe106⤵PID:6104
-
C:\Windows\SysWOW64\Iefphb32.exeC:\Windows\system32\Iefphb32.exe107⤵PID:5164
-
C:\Windows\SysWOW64\Jlbejloe.exeC:\Windows\system32\Jlbejloe.exe108⤵PID:5228
-
C:\Windows\SysWOW64\Jhifomdj.exeC:\Windows\system32\Jhifomdj.exe109⤵PID:5296
-
C:\Windows\SysWOW64\Jocnlg32.exeC:\Windows\system32\Jocnlg32.exe110⤵PID:5360
-
C:\Windows\SysWOW64\Jlgoek32.exeC:\Windows\system32\Jlgoek32.exe111⤵PID:5428
-
C:\Windows\SysWOW64\Jlikkkhn.exeC:\Windows\system32\Jlikkkhn.exe112⤵PID:5512
-
C:\Windows\SysWOW64\Jafdcbge.exeC:\Windows\system32\Jafdcbge.exe113⤵PID:5552
-
C:\Windows\SysWOW64\Jpgdai32.exeC:\Windows\system32\Jpgdai32.exe114⤵PID:5712
-
C:\Windows\SysWOW64\Khbiello.exeC:\Windows\system32\Khbiello.exe115⤵PID:5768
-
C:\Windows\SysWOW64\Kakmna32.exeC:\Windows\system32\Kakmna32.exe116⤵PID:5836
-
C:\Windows\SysWOW64\Kplmliko.exeC:\Windows\system32\Kplmliko.exe117⤵PID:5932
-
C:\Windows\SysWOW64\Kidben32.exeC:\Windows\system32\Kidben32.exe118⤵
- Modifies registry class
PID:6036 -
C:\Windows\SysWOW64\Kcmfnd32.exeC:\Windows\system32\Kcmfnd32.exe119⤵PID:6116
-
C:\Windows\SysWOW64\Kocgbend.exeC:\Windows\system32\Kocgbend.exe120⤵PID:5212
-
C:\Windows\SysWOW64\Khlklj32.exeC:\Windows\system32\Khlklj32.exe121⤵PID:5384
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-