Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
11/06/2024, 23:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0ddc00e28c25fba6fea0262a491cfae0_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0ddc00e28c25fba6fea0262a491cfae0_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0ddc00e28c25fba6fea0262a491cfae0_NeikiAnalytics.exe
-
Size
465KB
-
MD5
0ddc00e28c25fba6fea0262a491cfae0
-
SHA1
3cadd0ac7dd031d1c3e252d59123ed89932d9b64
-
SHA256
94b57620b89a19cd2c52036de49b8cc07bb810878ff4b5bacc38e9aaba168f3c
-
SHA512
f022d738abdf3ec15792bf83d4a1527ae8c92dbdfed0d73482c38bc69b16f8e6ea59f24ed418b714c8766b91e2cee788b533a899e763078e7356200cdc9b4253
-
SSDEEP
6144:03lUqREYS1s4qOILKpn/a5/VF5V4lKjIbvBhRJfzSf9x7N/I7b9M:kesEY0yO8S/WNLKlUmpRe94a
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jphkkpbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiidgeki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdjin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icnpmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfqmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maiccajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jofalmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klcekpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjmfjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehapfiem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkipkani.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flceckoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbnpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcfggkac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmijbcpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkkjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foghnabl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhicpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fagjfflb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kenggi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdlkdhnk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmgiaig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opakbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfedm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbiip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhmigagd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afghneoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhgonidg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnmhpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kilpmh32.exe -
Executes dropped EXE 64 IoCs
pid Process 3348 Eleiam32.exe 4624 Ehljfnpn.exe 2248 Ekjfcipa.exe 1172 Ecandfpd.exe 4108 Eadopc32.exe 1272 Edbklofb.exe 1768 Ehnglm32.exe 992 Fljcmlfd.exe 2060 Fohoigfh.exe 2768 Fcckif32.exe 3668 Febgea32.exe 3520 Fdegandp.exe 112 Fhqcam32.exe 4988 Fllpbldb.exe 2424 Fkopnh32.exe 5000 Fcfhof32.exe 3988 Faihkbci.exe 336 Ffddka32.exe 2224 Fdgdgnbm.exe 3584 Flnlhk32.exe 5028 Fkalchij.exe 4456 Fomhdg32.exe 216 Fakdpb32.exe 2160 Ffgqqaip.exe 1384 Fdialn32.exe 1068 Flqimk32.exe 1596 Fkciihgg.exe 4736 Fooeif32.exe 744 Fbnafb32.exe 620 Ffimfqgm.exe 3492 Fdlnbm32.exe 2944 Flceckoj.exe 368 Fkffog32.exe 4500 Foabofnn.exe 4164 Fbpnkama.exe 2632 Ffkjlp32.exe 4400 Fhjfhl32.exe 2544 Glebhjlg.exe 3596 Gkhbdg32.exe 3580 Gcojed32.exe 4620 Gbbkaako.exe 1912 Gfngap32.exe 884 Ghlcnk32.exe 3656 Glhonj32.exe 4564 Gofkje32.exe 1640 Gcagkdba.exe 1500 Gmjlcj32.exe 4172 Gkmlofol.exe 3200 Gohhpe32.exe 2500 Gcddpdpo.exe 1376 Gfbploob.exe 5016 Ghaliknf.exe 4472 Gmlhii32.exe 2808 Gokdeeec.exe 3752 Gcfqfc32.exe 3564 Gbiaapdf.exe 3612 Gdhmnlcj.exe 1220 Gicinj32.exe 1576 Gmoeoidl.exe 1460 Gomakdcp.exe 4920 Gcimkc32.exe 3516 Gblngpbd.exe 1800 Gfgjgo32.exe 2800 Hiefcj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iqgjmg32.exe Process not Found File created C:\Windows\SysWOW64\Qhekaejj.exe Process not Found File created C:\Windows\SysWOW64\Lmldgi32.dll Iicbehnq.exe File created C:\Windows\SysWOW64\Npodfe32.dll Fpejlmcf.exe File created C:\Windows\SysWOW64\Jjjpnlbd.exe Jgkdbacp.exe File opened for modification C:\Windows\SysWOW64\Nelfeo32.exe Nnbnhedj.exe File opened for modification C:\Windows\SysWOW64\Jphkkpbp.exe Jinboekc.exe File created C:\Windows\SysWOW64\Jencdebl.dll Lflbkcll.exe File created C:\Windows\SysWOW64\Ckafkfkp.exe Process not Found File created C:\Windows\SysWOW64\Egnchd32.exe Eaakpm32.exe File opened for modification C:\Windows\SysWOW64\Kiikpnmj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cfjnhe32.exe Process not Found File created C:\Windows\SysWOW64\Kiidgeki.exe Kfjhkjle.exe File created C:\Windows\SysWOW64\Niklpj32.exe Ngmpcn32.exe File created C:\Windows\SysWOW64\Aqoiqn32.exe Ackigjmh.exe File created C:\Windows\SysWOW64\Nooikj32.exe Process not Found File created C:\Windows\SysWOW64\Omclnn32.dll Process not Found File created C:\Windows\SysWOW64\Fgpplf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fkffog32.exe Flceckoj.exe File created C:\Windows\SysWOW64\Chflphjh.dll Igdgglfl.exe File created C:\Windows\SysWOW64\Ieicjl32.dll Jbojlfdp.exe File created C:\Windows\SysWOW64\Fplnogmb.exe Process not Found File created C:\Windows\SysWOW64\Phajblpj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Qkqdnkge.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bgcknmop.exe Bmngqdpj.exe File created C:\Windows\SysWOW64\Jekeodnf.dll Lqkgbcff.exe File created C:\Windows\SysWOW64\Hehkga32.dll Nndjndbh.exe File created C:\Windows\SysWOW64\Lbcedmnl.exe Process not Found File created C:\Windows\SysWOW64\Ldjcfk32.dll Klcekpdo.exe File created C:\Windows\SysWOW64\Lomjicei.exe Process not Found File created C:\Windows\SysWOW64\Fnjhjn32.exe Foghnabl.exe File created C:\Windows\SysWOW64\Dmdnljan.dll Bmbiamhi.exe File opened for modification C:\Windows\SysWOW64\Ijngkf32.exe Process not Found File created C:\Windows\SysWOW64\Bhagaamj.dll Kijjbofj.exe File created C:\Windows\SysWOW64\Ekonpckp.exe Ehpadhll.exe File opened for modification C:\Windows\SysWOW64\Mlbpma32.exe Process not Found File created C:\Windows\SysWOW64\Cibifp32.dll Hbgmcnhf.exe File opened for modification C:\Windows\SysWOW64\Fdhcgaic.exe Fgdbnmji.exe File created C:\Windows\SysWOW64\Egdagc32.dll Jofalmmp.exe File opened for modification C:\Windows\SysWOW64\Jjihfbno.exe Process not Found File created C:\Windows\SysWOW64\Clpgkcdj.exe Process not Found File created C:\Windows\SysWOW64\Jamenc32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fcfhof32.exe Fkopnh32.exe File created C:\Windows\SysWOW64\Ghngib32.dll Pqpgdfnp.exe File opened for modification C:\Windows\SysWOW64\Dbphcpog.exe Process not Found File created C:\Windows\SysWOW64\Pokhnl32.dll Lifjnm32.exe File opened for modification C:\Windows\SysWOW64\Ijadbdoj.exe Iafonaao.exe File created C:\Windows\SysWOW64\Nlnhqepf.dll Eblimcdf.exe File created C:\Windows\SysWOW64\Ghjnkpdc.dll Gmdcfidg.exe File created C:\Windows\SysWOW64\Eebgqe32.exe Process not Found File created C:\Windows\SysWOW64\Lcqgahoe.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ecandfpd.exe Ekjfcipa.exe File created C:\Windows\SysWOW64\Gfngap32.exe Gbbkaako.exe File created C:\Windows\SysWOW64\Cmkkkihe.dll Ehapfiem.exe File opened for modification C:\Windows\SysWOW64\Klpakj32.exe Process not Found File created C:\Windows\SysWOW64\Ahgamo32.exe Process not Found File created C:\Windows\SysWOW64\Paadbk32.dll Flqimk32.exe File created C:\Windows\SysWOW64\Mmjmhg32.dll Ckclhn32.exe File created C:\Windows\SysWOW64\Gphddlfp.exe Process not Found File created C:\Windows\SysWOW64\Nodqpf32.dll Process not Found File created C:\Windows\SysWOW64\Naqcfnjk.dll Ffddka32.exe File opened for modification C:\Windows\SysWOW64\Mnnkgl32.exe Majjng32.exe File created C:\Windows\SysWOW64\Anhejhfp.dll Jiiicf32.exe File created C:\Windows\SysWOW64\Dkakfgoq.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 9572 11248 Process not Found 1805 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heckkb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbbhk32.dll" Kdqejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbfjlb32.dll" Lpbopfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpcfmkff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcejco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jadgnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Innfnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eldafjjc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll" Pgnilpah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polalahi.dll" Jmbhoeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapmnano.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdjpphi.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hodgkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmbheilp.dll" Lgffic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnffda32.dll" Dfgcakon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imnocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hflcbngh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gifkpknp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igedlh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dahmfpap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjpbam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbhkkpon.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lboeaifi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmjaphek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knbbep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhegoin.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bheffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkhkced.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfmmplad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpengmlg.dll" Plhnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niehpfnk.dll" Ckkiccep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmpbqoqg.dll" Cbgnemjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eicedn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiqjke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpbjfjci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkfcl32.dll" Gkmlofol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfjjppmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moipoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bicbje32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpbiip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eijbed32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afghneoo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4596 wrote to memory of 3348 4596 0ddc00e28c25fba6fea0262a491cfae0_NeikiAnalytics.exe 80 PID 4596 wrote to memory of 3348 4596 0ddc00e28c25fba6fea0262a491cfae0_NeikiAnalytics.exe 80 PID 4596 wrote to memory of 3348 4596 0ddc00e28c25fba6fea0262a491cfae0_NeikiAnalytics.exe 80 PID 3348 wrote to memory of 4624 3348 Eleiam32.exe 81 PID 3348 wrote to memory of 4624 3348 Eleiam32.exe 81 PID 3348 wrote to memory of 4624 3348 Eleiam32.exe 81 PID 4624 wrote to memory of 2248 4624 Ehljfnpn.exe 82 PID 4624 wrote to memory of 2248 4624 Ehljfnpn.exe 82 PID 4624 wrote to memory of 2248 4624 Ehljfnpn.exe 82 PID 2248 wrote to memory of 1172 2248 Ekjfcipa.exe 83 PID 2248 wrote to memory of 1172 2248 Ekjfcipa.exe 83 PID 2248 wrote to memory of 1172 2248 Ekjfcipa.exe 83 PID 1172 wrote to memory of 4108 1172 Ecandfpd.exe 84 PID 1172 wrote to memory of 4108 1172 Ecandfpd.exe 84 PID 1172 wrote to memory of 4108 1172 Ecandfpd.exe 84 PID 4108 wrote to memory of 1272 4108 Eadopc32.exe 85 PID 4108 wrote to memory of 1272 4108 Eadopc32.exe 85 PID 4108 wrote to memory of 1272 4108 Eadopc32.exe 85 PID 1272 wrote to memory of 1768 1272 Edbklofb.exe 86 PID 1272 wrote to memory of 1768 1272 Edbklofb.exe 86 PID 1272 wrote to memory of 1768 1272 Edbklofb.exe 86 PID 1768 wrote to memory of 992 1768 Ehnglm32.exe 87 PID 1768 wrote to memory of 992 1768 Ehnglm32.exe 87 PID 1768 wrote to memory of 992 1768 Ehnglm32.exe 87 PID 992 wrote to memory of 2060 992 Fljcmlfd.exe 88 PID 992 wrote to memory of 2060 992 Fljcmlfd.exe 88 PID 992 wrote to memory of 2060 992 Fljcmlfd.exe 88 PID 2060 wrote to memory of 2768 2060 Fohoigfh.exe 89 PID 2060 wrote to memory of 2768 2060 Fohoigfh.exe 89 PID 2060 wrote to memory of 2768 2060 Fohoigfh.exe 89 PID 2768 wrote to memory of 3668 2768 Fcckif32.exe 90 PID 2768 wrote to memory of 3668 2768 Fcckif32.exe 90 PID 2768 wrote to memory of 3668 2768 Fcckif32.exe 90 PID 3668 wrote to memory of 3520 3668 Febgea32.exe 91 PID 3668 wrote to memory of 3520 3668 Febgea32.exe 91 PID 3668 wrote to memory of 3520 3668 Febgea32.exe 91 PID 3520 wrote to memory of 112 3520 Fdegandp.exe 92 PID 3520 wrote to memory of 112 3520 Fdegandp.exe 92 PID 3520 wrote to memory of 112 3520 Fdegandp.exe 92 PID 112 wrote to memory of 4988 112 Fhqcam32.exe 93 PID 112 wrote to memory of 4988 112 Fhqcam32.exe 93 PID 112 wrote to memory of 4988 112 Fhqcam32.exe 93 PID 4988 wrote to memory of 2424 4988 Fllpbldb.exe 94 PID 4988 wrote to memory of 2424 4988 Fllpbldb.exe 94 PID 4988 wrote to memory of 2424 4988 Fllpbldb.exe 94 PID 2424 wrote to memory of 5000 2424 Fkopnh32.exe 95 PID 2424 wrote to memory of 5000 2424 Fkopnh32.exe 95 PID 2424 wrote to memory of 5000 2424 Fkopnh32.exe 95 PID 5000 wrote to memory of 3988 5000 Fcfhof32.exe 96 PID 5000 wrote to memory of 3988 5000 Fcfhof32.exe 96 PID 5000 wrote to memory of 3988 5000 Fcfhof32.exe 96 PID 3988 wrote to memory of 336 3988 Faihkbci.exe 97 PID 3988 wrote to memory of 336 3988 Faihkbci.exe 97 PID 3988 wrote to memory of 336 3988 Faihkbci.exe 97 PID 336 wrote to memory of 2224 336 Ffddka32.exe 98 PID 336 wrote to memory of 2224 336 Ffddka32.exe 98 PID 336 wrote to memory of 2224 336 Ffddka32.exe 98 PID 2224 wrote to memory of 3584 2224 Fdgdgnbm.exe 99 PID 2224 wrote to memory of 3584 2224 Fdgdgnbm.exe 99 PID 2224 wrote to memory of 3584 2224 Fdgdgnbm.exe 99 PID 3584 wrote to memory of 5028 3584 Flnlhk32.exe 100 PID 3584 wrote to memory of 5028 3584 Flnlhk32.exe 100 PID 3584 wrote to memory of 5028 3584 Flnlhk32.exe 100 PID 5028 wrote to memory of 4456 5028 Fkalchij.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ddc00e28c25fba6fea0262a491cfae0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0ddc00e28c25fba6fea0262a491cfae0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe23⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe24⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe25⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe26⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe28⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe29⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe30⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe31⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe32⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe34⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe35⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe36⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe37⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe38⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe39⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe40⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe41⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4620 -
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe43⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe44⤵PID:4480
-
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe45⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe46⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe47⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe48⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe49⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4172 -
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe51⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe52⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe53⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe54⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Gmlhii32.exeC:\Windows\system32\Gmlhii32.exe55⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe56⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe57⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe58⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe59⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe60⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe61⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe62⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe63⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe64⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe65⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Hiefcj32.exeC:\Windows\system32\Hiefcj32.exe66⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Hmabdibj.exeC:\Windows\system32\Hmabdibj.exe67⤵PID:2648
-
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe68⤵PID:3000
-
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe69⤵PID:3324
-
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe70⤵PID:1276
-
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe71⤵PID:2820
-
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe72⤵PID:2972
-
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe73⤵PID:3456
-
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe74⤵PID:2456
-
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe75⤵PID:3416
-
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe76⤵
- Modifies registry class
PID:660 -
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe77⤵PID:1804
-
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe78⤵PID:5124
-
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe79⤵PID:5164
-
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe80⤵
- Modifies registry class
PID:5196 -
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe81⤵PID:5236
-
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe82⤵PID:5272
-
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe83⤵PID:5304
-
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe84⤵PID:5344
-
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe85⤵PID:5380
-
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe86⤵PID:5416
-
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe87⤵PID:5452
-
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe88⤵PID:5484
-
C:\Windows\SysWOW64\Hecmijim.exeC:\Windows\system32\Hecmijim.exe89⤵PID:5524
-
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe90⤵PID:5560
-
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe91⤵PID:5592
-
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe92⤵PID:5632
-
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe93⤵
- Drops file in System32 directory
PID:5668 -
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe94⤵PID:5704
-
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe95⤵PID:5740
-
C:\Windows\SysWOW64\Immapg32.exeC:\Windows\system32\Immapg32.exe96⤵PID:5776
-
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe97⤵PID:5808
-
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe98⤵PID:5848
-
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe99⤵PID:5884
-
C:\Windows\SysWOW64\Ifefimom.exeC:\Windows\system32\Ifefimom.exe100⤵PID:5920
-
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe101⤵
- Drops file in System32 directory
PID:5952 -
C:\Windows\SysWOW64\Ikbnacmd.exeC:\Windows\system32\Ikbnacmd.exe102⤵PID:5992
-
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe103⤵PID:6024
-
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe104⤵PID:6064
-
C:\Windows\SysWOW64\Ifgbnlmj.exeC:\Windows\system32\Ifgbnlmj.exe105⤵PID:6100
-
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe106⤵PID:6132
-
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe107⤵PID:3064
-
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe108⤵PID:4912
-
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe109⤵PID:3496
-
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe110⤵PID:4532
-
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe111⤵PID:1556
-
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe112⤵PID:3136
-
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe113⤵PID:4292
-
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1472 -
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe115⤵PID:1140
-
C:\Windows\SysWOW64\Iikhfg32.exeC:\Windows\system32\Iikhfg32.exe116⤵PID:5576
-
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe117⤵PID:5624
-
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe118⤵PID:5684
-
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe119⤵PID:4000
-
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe120⤵PID:5800
-
C:\Windows\SysWOW64\Jlednamo.exeC:\Windows\system32\Jlednamo.exe121⤵PID:5876
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-