Analysis
-
max time kernel
125s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
17-06-2024 10:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7a28bc3299358cf82af7c25c7d23efe0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
7a28bc3299358cf82af7c25c7d23efe0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
7a28bc3299358cf82af7c25c7d23efe0_NeikiAnalytics.exe
-
Size
1.2MB
-
MD5
7a28bc3299358cf82af7c25c7d23efe0
-
SHA1
7226f8a1cd2f7d76ec23749abb90bc78513c1109
-
SHA256
107853eebfe96459cf5d94ad24f9610fd9cf81b37fbbe4a4634b6ecd90eab8a1
-
SHA512
0fb8ed2933085056e296895b498a2dcd19164787e166c68524c5d5d26be720ce7e253e7a681219b935f3e6749f6b5d26ecc4ca679d7cfb0989cbd3bf5368296a
-
SSDEEP
12288:pZMgxXYlFiWZCXwpnsKvNA+XTvZHWuEo3oWiQ4ca:pZMOYlFiWZpsKv2EvZHp3oWiQ4ca
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdciiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcimdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnmaea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hblkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpchib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfgipd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpcdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glhimp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmhcaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kamjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doccpcja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imgicgca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebngial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iomoenej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jadgnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbcncibp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjhbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dakikoom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eklajcmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njedbjej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Finnef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohqnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gehbjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnmaea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klndfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcdeeq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apjkcadp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhifomdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklomh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foclgq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihmedma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gblbca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geaepk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbhoeid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boldhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnlgjlb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqdpgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egcaod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 7a28bc3299358cf82af7c25c7d23efe0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpbpbecj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcldb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilnbicff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieagmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obqanjdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jedccfqg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjggal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffceip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifcgion.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcanll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knqepc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpqggh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfnqmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmdio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdpjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mablfnne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afockelf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnepna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkekjdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhhpop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fganqbgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klbnajqc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgkiaj32.exe -
Executes dropped EXE 64 IoCs
pid Process 464 Ffnknafg.exe 5028 Fimhjl32.exe 3208 Flkdfh32.exe 1484 Fnipbc32.exe 3024 Fbelcblk.exe 3396 Fechomko.exe 620 Fiodpl32.exe 1280 Flmqlg32.exe 1772 Fpimlfke.exe 4536 Fnlmhc32.exe 3748 Ffceip32.exe 3312 Fiaael32.exe 5016 Fmmmfj32.exe 4556 Fpkibf32.exe 3908 Fnnjmbpm.exe 1800 Gfeaopqo.exe 2560 Gehbjm32.exe 4688 Gmojkj32.exe 2636 Glbjggof.exe 380 Gnqfcbnj.exe 1468 Gblbca32.exe 1640 Gejopl32.exe 5032 Gifkpknp.exe 3744 Gldglf32.exe 4744 Gncchb32.exe 64 Gemkelcd.exe 5080 Gmdcfidg.exe 1328 Gpbpbecj.exe 4912 Gnepna32.exe 4388 Gflhoo32.exe 2684 Gikdkj32.exe 2716 Glipgf32.exe 528 Goglcahb.exe 4424 Gbchdp32.exe 3932 Geaepk32.exe 3720 Gmimai32.exe 4132 Gpgind32.exe 2424 Gbeejp32.exe 4656 Hedafk32.exe 2676 Hmkigh32.exe 3840 Hpiecd32.exe 1992 Hbhboolf.exe 4872 Hfcnpn32.exe 3500 Hibjli32.exe 3464 Hlpfhe32.exe 5064 Hoobdp32.exe 2904 Hffken32.exe 1144 Hehkajig.exe 2040 Hmpcbhji.exe 2196 Hpnoncim.exe 3032 Hblkjo32.exe 5132 Hfhgkmpj.exe 5168 Hifcgion.exe 5204 Hlepcdoa.exe 5240 Hoclopne.exe 5276 Hfjdqmng.exe 5316 Hiipmhmk.exe 5348 Hlglidlo.exe 5384 Hpchib32.exe 5420 Ibaeen32.exe 5456 Iepaaico.exe 5492 Imgicgca.exe 5532 Iliinc32.exe 5564 Iohejo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jafdcbge.exe Johggfha.exe File created C:\Windows\SysWOW64\Hoclopne.exe Hlepcdoa.exe File created C:\Windows\SysWOW64\Iohejo32.exe Iliinc32.exe File created C:\Windows\SysWOW64\Iipfmggc.exe Igajal32.exe File created C:\Windows\SysWOW64\Jpaekqhh.exe Jmbhoeid.exe File created C:\Windows\SysWOW64\Aokkahlo.exe Ahaceo32.exe File created C:\Windows\SysWOW64\Paoinm32.dll Fbbicl32.exe File created C:\Windows\SysWOW64\Hlhbih32.dll Fnkfmm32.exe File created C:\Windows\SysWOW64\Padnaq32.exe Pbcncibp.exe File created C:\Windows\SysWOW64\Gflhoo32.exe Gnepna32.exe File created C:\Windows\SysWOW64\Ibaeen32.exe Hpchib32.exe File created C:\Windows\SysWOW64\Chflphjh.dll Iefgbh32.exe File created C:\Windows\SysWOW64\Kjgeedch.exe Kgiiiidd.exe File created C:\Windows\SysWOW64\Ahaceo32.exe Apjkcadp.exe File opened for modification C:\Windows\SysWOW64\Agimkk32.exe Adkqoohc.exe File created C:\Windows\SysWOW64\Fohhdm32.dll Cgmhcaac.exe File created C:\Windows\SysWOW64\Gblbca32.exe Gnqfcbnj.exe File created C:\Windows\SysWOW64\Bgnffj32.exe Bdojjo32.exe File created C:\Windows\SysWOW64\Hpaoan32.dll Fajbjh32.exe File created C:\Windows\SysWOW64\Cacmpj32.exe Cgmhcaac.exe File created C:\Windows\SysWOW64\Mnokmd32.dll Dgpeha32.exe File opened for modification C:\Windows\SysWOW64\Lqmmmmph.exe Lnoaaaad.exe File created C:\Windows\SysWOW64\Fknofqcc.dll Piocecgj.exe File created C:\Windows\SysWOW64\Hlhmjl32.dll Pfccogfc.exe File opened for modification C:\Windows\SysWOW64\Cbkfbcpb.exe Ckpamabg.exe File opened for modification C:\Windows\SysWOW64\Kolabf32.exe Klndfj32.exe File opened for modification C:\Windows\SysWOW64\Glbjggof.exe Gmojkj32.exe File opened for modification C:\Windows\SysWOW64\Jmbhoeid.exe Jekqmhia.exe File opened for modification C:\Windows\SysWOW64\Lggejg32.exe Lopmii32.exe File created C:\Windows\SysWOW64\Occmjg32.dll Pmpolgoi.exe File created C:\Windows\SysWOW64\Bfcklp32.dll Fofilp32.exe File created C:\Windows\SysWOW64\Gnpphljo.exe Gkaclqkk.exe File created C:\Windows\SysWOW64\Halhfe32.exe Hhdcmp32.exe File created C:\Windows\SysWOW64\Kefiopki.exe Kolabf32.exe File opened for modification C:\Windows\SysWOW64\Pfhmjf32.exe Pidlqb32.exe File created C:\Windows\SysWOW64\Glbjggof.exe Gmojkj32.exe File opened for modification C:\Windows\SysWOW64\Ofmdio32.exe Ocohmc32.exe File opened for modification C:\Windows\SysWOW64\Bfolacnc.exe Bpedeiff.exe File created C:\Windows\SysWOW64\Fpkibf32.exe Fmmmfj32.exe File created C:\Windows\SysWOW64\Pmhkafda.dll Imiehfao.exe File created C:\Windows\SysWOW64\Dohjem32.dll Lljklo32.exe File opened for modification C:\Windows\SysWOW64\Paiogf32.exe Pnkbkk32.exe File created C:\Windows\SysWOW64\Kcoccc32.exe Kpqggh32.exe File created C:\Windows\SysWOW64\Oiagde32.exe Ooibkpmi.exe File created C:\Windows\SysWOW64\Cdmoafdb.exe Cigkdmel.exe File opened for modification C:\Windows\SysWOW64\Pccahbmn.exe Pnfiplog.exe File created C:\Windows\SysWOW64\Pafkgphl.exe Piocecgj.exe File opened for modification C:\Windows\SysWOW64\Ajmladbl.exe Apggckbf.exe File opened for modification C:\Windows\SysWOW64\Bmbnnn32.exe Abmjqe32.exe File created C:\Windows\SysWOW64\Cgklmacf.exe Cdmoafdb.exe File created C:\Windows\SysWOW64\Lpcgahca.dll Cacmpj32.exe File created C:\Windows\SysWOW64\Fpimlfke.exe Flmqlg32.exe File created C:\Windows\SysWOW64\Hlgdjg32.dll Joahqn32.exe File created C:\Windows\SysWOW64\Jlllhigk.dll Lncjlq32.exe File created C:\Windows\SysWOW64\Dnkdmlfj.dll Apjkcadp.exe File created C:\Windows\SysWOW64\Baannc32.exe Bobabg32.exe File created C:\Windows\SysWOW64\Ieojgc32.exe Inebjihf.exe File opened for modification C:\Windows\SysWOW64\Noblkqca.exe Njedbjej.exe File created C:\Windows\SysWOW64\Lfgipd32.exe Lcimdh32.exe File created C:\Windows\SysWOW64\Ekjali32.dll Iehmmb32.exe File created C:\Windows\SysWOW64\Lgidjfjk.dll Qfjjpf32.exe File created C:\Windows\SysWOW64\Ogjembbd.dll Lqkqhm32.exe File created C:\Windows\SysWOW64\Pagbaglh.exe Pnifekmd.exe File created C:\Windows\SysWOW64\Ckebcg32.exe Chfegk32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11408 11316 WerFault.exe 529 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gemkelcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnegbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjbdk32.dll" Dhgonidg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekellcop.dll" Eklajcmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnkfmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcodk32.dll" Kekbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gifkpknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppgif32.dll" Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblhpckf.dll" Llodgnja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdjljdk.dll" Ljeafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Helbbkkj.dll" Fgjhpcmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foapaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnoigkk.dll" Obqanjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abhqefpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koonge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piocecgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obqanjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbqdpi32.dll" Ilnbicff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igdgglfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpoalo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofmdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Foclgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihmfco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfeaopqo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cacckp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aabkbono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abmjqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hifcgion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqhfnd32.dll" Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fofilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlblcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgmhcaac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 7a28bc3299358cf82af7c25c7d23efe0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckebcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhbbnba.dll" Giecfejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll" Cpbjkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fganqbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndoell32.dll" Goglcahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hifcgion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekoglqie.dll" Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofmdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnplfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdfpkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbekii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfepdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclnjo32.dll" Nbbeml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjgeedch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paiogf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll" Bdmmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgnffj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feqeog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iajdgcab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mledmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmjhab32.dll" Jnlkedai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll" Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll" Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bajqda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kefiopki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpnoncim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igfclkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdmmeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbcncibp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4044 wrote to memory of 464 4044 7a28bc3299358cf82af7c25c7d23efe0_NeikiAnalytics.exe 89 PID 4044 wrote to memory of 464 4044 7a28bc3299358cf82af7c25c7d23efe0_NeikiAnalytics.exe 89 PID 4044 wrote to memory of 464 4044 7a28bc3299358cf82af7c25c7d23efe0_NeikiAnalytics.exe 89 PID 464 wrote to memory of 5028 464 Ffnknafg.exe 90 PID 464 wrote to memory of 5028 464 Ffnknafg.exe 90 PID 464 wrote to memory of 5028 464 Ffnknafg.exe 90 PID 5028 wrote to memory of 3208 5028 Fimhjl32.exe 91 PID 5028 wrote to memory of 3208 5028 Fimhjl32.exe 91 PID 5028 wrote to memory of 3208 5028 Fimhjl32.exe 91 PID 3208 wrote to memory of 1484 3208 Flkdfh32.exe 92 PID 3208 wrote to memory of 1484 3208 Flkdfh32.exe 92 PID 3208 wrote to memory of 1484 3208 Flkdfh32.exe 92 PID 1484 wrote to memory of 3024 1484 Fnipbc32.exe 93 PID 1484 wrote to memory of 3024 1484 Fnipbc32.exe 93 PID 1484 wrote to memory of 3024 1484 Fnipbc32.exe 93 PID 3024 wrote to memory of 3396 3024 Fbelcblk.exe 94 PID 3024 wrote to memory of 3396 3024 Fbelcblk.exe 94 PID 3024 wrote to memory of 3396 3024 Fbelcblk.exe 94 PID 3396 wrote to memory of 620 3396 Fechomko.exe 95 PID 3396 wrote to memory of 620 3396 Fechomko.exe 95 PID 3396 wrote to memory of 620 3396 Fechomko.exe 95 PID 620 wrote to memory of 1280 620 Fiodpl32.exe 96 PID 620 wrote to memory of 1280 620 Fiodpl32.exe 96 PID 620 wrote to memory of 1280 620 Fiodpl32.exe 96 PID 1280 wrote to memory of 1772 1280 Flmqlg32.exe 97 PID 1280 wrote to memory of 1772 1280 Flmqlg32.exe 97 PID 1280 wrote to memory of 1772 1280 Flmqlg32.exe 97 PID 1772 wrote to memory of 4536 1772 Fpimlfke.exe 98 PID 1772 wrote to memory of 4536 1772 Fpimlfke.exe 98 PID 1772 wrote to memory of 4536 1772 Fpimlfke.exe 98 PID 4536 wrote to memory of 3748 4536 Fnlmhc32.exe 99 PID 4536 wrote to memory of 3748 4536 Fnlmhc32.exe 99 PID 4536 wrote to memory of 3748 4536 Fnlmhc32.exe 99 PID 3748 wrote to memory of 3312 3748 Ffceip32.exe 100 PID 3748 wrote to memory of 3312 3748 Ffceip32.exe 100 PID 3748 wrote to memory of 3312 3748 Ffceip32.exe 100 PID 3312 wrote to memory of 5016 3312 Fiaael32.exe 101 PID 3312 wrote to memory of 5016 3312 Fiaael32.exe 101 PID 3312 wrote to memory of 5016 3312 Fiaael32.exe 101 PID 5016 wrote to memory of 4556 5016 Fmmmfj32.exe 102 PID 5016 wrote to memory of 4556 5016 Fmmmfj32.exe 102 PID 5016 wrote to memory of 4556 5016 Fmmmfj32.exe 102 PID 4556 wrote to memory of 3908 4556 Fpkibf32.exe 103 PID 4556 wrote to memory of 3908 4556 Fpkibf32.exe 103 PID 4556 wrote to memory of 3908 4556 Fpkibf32.exe 103 PID 3908 wrote to memory of 1800 3908 Fnnjmbpm.exe 104 PID 3908 wrote to memory of 1800 3908 Fnnjmbpm.exe 104 PID 3908 wrote to memory of 1800 3908 Fnnjmbpm.exe 104 PID 1800 wrote to memory of 2560 1800 Gfeaopqo.exe 105 PID 1800 wrote to memory of 2560 1800 Gfeaopqo.exe 105 PID 1800 wrote to memory of 2560 1800 Gfeaopqo.exe 105 PID 2560 wrote to memory of 4688 2560 Gehbjm32.exe 106 PID 2560 wrote to memory of 4688 2560 Gehbjm32.exe 106 PID 2560 wrote to memory of 4688 2560 Gehbjm32.exe 106 PID 4688 wrote to memory of 2636 4688 Gmojkj32.exe 107 PID 4688 wrote to memory of 2636 4688 Gmojkj32.exe 107 PID 4688 wrote to memory of 2636 4688 Gmojkj32.exe 107 PID 2636 wrote to memory of 380 2636 Glbjggof.exe 108 PID 2636 wrote to memory of 380 2636 Glbjggof.exe 108 PID 2636 wrote to memory of 380 2636 Glbjggof.exe 108 PID 380 wrote to memory of 1468 380 Gnqfcbnj.exe 109 PID 380 wrote to memory of 1468 380 Gnqfcbnj.exe 109 PID 380 wrote to memory of 1468 380 Gnqfcbnj.exe 109 PID 1468 wrote to memory of 1640 1468 Gblbca32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a28bc3299358cf82af7c25c7d23efe0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\7a28bc3299358cf82af7c25c7d23efe0_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Ffnknafg.exeC:\Windows\system32\Ffnknafg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Fimhjl32.exeC:\Windows\system32\Fimhjl32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Flkdfh32.exeC:\Windows\system32\Flkdfh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Fnipbc32.exeC:\Windows\system32\Fnipbc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Fbelcblk.exeC:\Windows\system32\Fbelcblk.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Fechomko.exeC:\Windows\system32\Fechomko.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\Fiodpl32.exeC:\Windows\system32\Fiodpl32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Flmqlg32.exeC:\Windows\system32\Flmqlg32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Fpimlfke.exeC:\Windows\system32\Fpimlfke.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Fnlmhc32.exeC:\Windows\system32\Fnlmhc32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Ffceip32.exeC:\Windows\system32\Ffceip32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\Fiaael32.exeC:\Windows\system32\Fiaael32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Fmmmfj32.exeC:\Windows\system32\Fmmmfj32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Fpkibf32.exeC:\Windows\system32\Fpkibf32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Fnnjmbpm.exeC:\Windows\system32\Fnnjmbpm.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\Gfeaopqo.exeC:\Windows\system32\Gfeaopqo.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Gehbjm32.exeC:\Windows\system32\Gehbjm32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Gmojkj32.exeC:\Windows\system32\Gmojkj32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Glbjggof.exeC:\Windows\system32\Glbjggof.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Gnqfcbnj.exeC:\Windows\system32\Gnqfcbnj.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Gblbca32.exeC:\Windows\system32\Gblbca32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Gejopl32.exeC:\Windows\system32\Gejopl32.exe23⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Gifkpknp.exeC:\Windows\system32\Gifkpknp.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:5032 -
C:\Windows\SysWOW64\Gldglf32.exeC:\Windows\system32\Gldglf32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Gncchb32.exeC:\Windows\system32\Gncchb32.exe26⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Gemkelcd.exeC:\Windows\system32\Gemkelcd.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:64 -
C:\Windows\SysWOW64\Gmdcfidg.exeC:\Windows\system32\Gmdcfidg.exe28⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Gpbpbecj.exeC:\Windows\system32\Gpbpbecj.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Gnepna32.exeC:\Windows\system32\Gnepna32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4912 -
C:\Windows\SysWOW64\Gflhoo32.exeC:\Windows\system32\Gflhoo32.exe31⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Gikdkj32.exeC:\Windows\system32\Gikdkj32.exe32⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Glipgf32.exeC:\Windows\system32\Glipgf32.exe33⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Goglcahb.exeC:\Windows\system32\Goglcahb.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:528 -
C:\Windows\SysWOW64\Gbchdp32.exeC:\Windows\system32\Gbchdp32.exe35⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Geaepk32.exeC:\Windows\system32\Geaepk32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Gmimai32.exeC:\Windows\system32\Gmimai32.exe37⤵
- Executes dropped EXE
PID:3720 -
C:\Windows\SysWOW64\Gpgind32.exeC:\Windows\system32\Gpgind32.exe38⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Gbeejp32.exeC:\Windows\system32\Gbeejp32.exe39⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Hedafk32.exeC:\Windows\system32\Hedafk32.exe40⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Hmkigh32.exeC:\Windows\system32\Hmkigh32.exe41⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Hpiecd32.exeC:\Windows\system32\Hpiecd32.exe42⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Hbhboolf.exeC:\Windows\system32\Hbhboolf.exe43⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Hfcnpn32.exeC:\Windows\system32\Hfcnpn32.exe44⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Hibjli32.exeC:\Windows\system32\Hibjli32.exe45⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Hlpfhe32.exeC:\Windows\system32\Hlpfhe32.exe46⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Hoobdp32.exeC:\Windows\system32\Hoobdp32.exe47⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Hffken32.exeC:\Windows\system32\Hffken32.exe48⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Hehkajig.exeC:\Windows\system32\Hehkajig.exe49⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Hmpcbhji.exeC:\Windows\system32\Hmpcbhji.exe50⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Hpnoncim.exeC:\Windows\system32\Hpnoncim.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Hblkjo32.exeC:\Windows\system32\Hblkjo32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Hfhgkmpj.exeC:\Windows\system32\Hfhgkmpj.exe53⤵
- Executes dropped EXE
PID:5132 -
C:\Windows\SysWOW64\Hifcgion.exeC:\Windows\system32\Hifcgion.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5168 -
C:\Windows\SysWOW64\Hlepcdoa.exeC:\Windows\system32\Hlepcdoa.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5204 -
C:\Windows\SysWOW64\Hoclopne.exeC:\Windows\system32\Hoclopne.exe56⤵
- Executes dropped EXE
PID:5240 -
C:\Windows\SysWOW64\Hfjdqmng.exeC:\Windows\system32\Hfjdqmng.exe57⤵
- Executes dropped EXE
PID:5276 -
C:\Windows\SysWOW64\Hiipmhmk.exeC:\Windows\system32\Hiipmhmk.exe58⤵
- Executes dropped EXE
PID:5316 -
C:\Windows\SysWOW64\Hlglidlo.exeC:\Windows\system32\Hlglidlo.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:5348 -
C:\Windows\SysWOW64\Hpchib32.exeC:\Windows\system32\Hpchib32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5384 -
C:\Windows\SysWOW64\Ibaeen32.exeC:\Windows\system32\Ibaeen32.exe61⤵
- Executes dropped EXE
PID:5420 -
C:\Windows\SysWOW64\Iepaaico.exeC:\Windows\system32\Iepaaico.exe62⤵
- Executes dropped EXE
PID:5456 -
C:\Windows\SysWOW64\Imgicgca.exeC:\Windows\system32\Imgicgca.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5492 -
C:\Windows\SysWOW64\Iliinc32.exeC:\Windows\system32\Iliinc32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5532 -
C:\Windows\SysWOW64\Iohejo32.exeC:\Windows\system32\Iohejo32.exe65⤵
- Executes dropped EXE
PID:5564 -
C:\Windows\SysWOW64\Ifomll32.exeC:\Windows\system32\Ifomll32.exe66⤵PID:5604
-
C:\Windows\SysWOW64\Iebngial.exeC:\Windows\system32\Iebngial.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5636 -
C:\Windows\SysWOW64\Imiehfao.exeC:\Windows\system32\Imiehfao.exe68⤵
- Drops file in System32 directory
PID:5672 -
C:\Windows\SysWOW64\Ipgbdbqb.exeC:\Windows\system32\Ipgbdbqb.exe69⤵PID:5712
-
C:\Windows\SysWOW64\Ibfnqmpf.exeC:\Windows\system32\Ibfnqmpf.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5744 -
C:\Windows\SysWOW64\Igajal32.exeC:\Windows\system32\Igajal32.exe71⤵
- Drops file in System32 directory
PID:5780 -
C:\Windows\SysWOW64\Iipfmggc.exeC:\Windows\system32\Iipfmggc.exe72⤵PID:5816
-
C:\Windows\SysWOW64\Ilnbicff.exeC:\Windows\system32\Ilnbicff.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5852 -
C:\Windows\SysWOW64\Iomoenej.exeC:\Windows\system32\Iomoenej.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5892 -
C:\Windows\SysWOW64\Igdgglfl.exeC:\Windows\system32\Igdgglfl.exe75⤵
- Modifies registry class
PID:5924 -
C:\Windows\SysWOW64\Iefgbh32.exeC:\Windows\system32\Iefgbh32.exe76⤵
- Drops file in System32 directory
PID:5960 -
C:\Windows\SysWOW64\Imnocf32.exeC:\Windows\system32\Imnocf32.exe77⤵PID:5996
-
C:\Windows\SysWOW64\Iplkpa32.exeC:\Windows\system32\Iplkpa32.exe78⤵PID:6032
-
C:\Windows\SysWOW64\Ickglm32.exeC:\Windows\system32\Ickglm32.exe79⤵PID:6068
-
C:\Windows\SysWOW64\Igfclkdj.exeC:\Windows\system32\Igfclkdj.exe80⤵
- Modifies registry class
PID:6104 -
C:\Windows\SysWOW64\Iidphgcn.exeC:\Windows\system32\Iidphgcn.exe81⤵PID:6140
-
C:\Windows\SysWOW64\Ilcldb32.exeC:\Windows\system32\Ilcldb32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3164 -
C:\Windows\SysWOW64\Joahqn32.exeC:\Windows\system32\Joahqn32.exe83⤵
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Jghpbk32.exeC:\Windows\system32\Jghpbk32.exe84⤵PID:4660
-
C:\Windows\SysWOW64\Jekqmhia.exeC:\Windows\system32\Jekqmhia.exe85⤵
- Drops file in System32 directory
PID:3772 -
C:\Windows\SysWOW64\Jmbhoeid.exeC:\Windows\system32\Jmbhoeid.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:740 -
C:\Windows\SysWOW64\Jpaekqhh.exeC:\Windows\system32\Jpaekqhh.exe87⤵PID:1448
-
C:\Windows\SysWOW64\Jcoaglhk.exeC:\Windows\system32\Jcoaglhk.exe88⤵PID:3388
-
C:\Windows\SysWOW64\Jgkmgk32.exeC:\Windows\system32\Jgkmgk32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5188 -
C:\Windows\SysWOW64\Jiiicf32.exeC:\Windows\system32\Jiiicf32.exe90⤵PID:5252
-
C:\Windows\SysWOW64\Jlgepanl.exeC:\Windows\system32\Jlgepanl.exe91⤵PID:5308
-
C:\Windows\SysWOW64\Jpcapp32.exeC:\Windows\system32\Jpcapp32.exe92⤵PID:5360
-
C:\Windows\SysWOW64\Jcanll32.exeC:\Windows\system32\Jcanll32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5444 -
C:\Windows\SysWOW64\Jepjhg32.exeC:\Windows\system32\Jepjhg32.exe94⤵PID:5520
-
C:\Windows\SysWOW64\Jngbjd32.exeC:\Windows\system32\Jngbjd32.exe95⤵PID:5584
-
C:\Windows\SysWOW64\Jljbeali.exeC:\Windows\system32\Jljbeali.exe96⤵PID:5632
-
C:\Windows\SysWOW64\Johnamkm.exeC:\Windows\system32\Johnamkm.exe97⤵PID:5692
-
C:\Windows\SysWOW64\Jgpfbjlo.exeC:\Windows\system32\Jgpfbjlo.exe98⤵PID:5756
-
C:\Windows\SysWOW64\Jinboekc.exeC:\Windows\system32\Jinboekc.exe99⤵PID:5812
-
C:\Windows\SysWOW64\Jllokajf.exeC:\Windows\system32\Jllokajf.exe100⤵PID:5880
-
C:\Windows\SysWOW64\Jphkkpbp.exeC:\Windows\system32\Jphkkpbp.exe101⤵PID:5948
-
C:\Windows\SysWOW64\Jcfggkac.exeC:\Windows\system32\Jcfggkac.exe102⤵PID:2708
-
C:\Windows\SysWOW64\Jedccfqg.exeC:\Windows\system32\Jedccfqg.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6064 -
C:\Windows\SysWOW64\Jnlkedai.exeC:\Windows\system32\Jnlkedai.exe104⤵
- Modifies registry class
PID:6132 -
C:\Windows\SysWOW64\Jlolpq32.exeC:\Windows\system32\Jlolpq32.exe105⤵PID:2900
-
C:\Windows\SysWOW64\Komhll32.exeC:\Windows\system32\Komhll32.exe106⤵PID:2844
-
C:\Windows\SysWOW64\Kgdpni32.exeC:\Windows\system32\Kgdpni32.exe107⤵PID:324
-
C:\Windows\SysWOW64\Kjblje32.exeC:\Windows\system32\Kjblje32.exe108⤵PID:5164
-
C:\Windows\SysWOW64\Knnhjcog.exeC:\Windows\system32\Knnhjcog.exe109⤵PID:5300
-
C:\Windows\SysWOW64\Kpmdfonj.exeC:\Windows\system32\Kpmdfonj.exe110⤵PID:5416
-
C:\Windows\SysWOW64\Kckqbj32.exeC:\Windows\system32\Kckqbj32.exe111⤵PID:5524
-
C:\Windows\SysWOW64\Keimof32.exeC:\Windows\system32\Keimof32.exe112⤵PID:5628
-
C:\Windows\SysWOW64\Knqepc32.exeC:\Windows\system32\Knqepc32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5740 -
C:\Windows\SysWOW64\Kpoalo32.exeC:\Windows\system32\Kpoalo32.exe114⤵
- Modifies registry class
PID:5840 -
C:\Windows\SysWOW64\Koaagkcb.exeC:\Windows\system32\Koaagkcb.exe115⤵PID:5944
-
C:\Windows\SysWOW64\Kgiiiidd.exeC:\Windows\system32\Kgiiiidd.exe116⤵
- Drops file in System32 directory
PID:6056 -
C:\Windows\SysWOW64\Kjgeedch.exeC:\Windows\system32\Kjgeedch.exe117⤵
- Modifies registry class
PID:6152 -
C:\Windows\SysWOW64\Klfaapbl.exeC:\Windows\system32\Klfaapbl.exe118⤵
- Modifies registry class
PID:6188 -
C:\Windows\SysWOW64\Kpanan32.exeC:\Windows\system32\Kpanan32.exe119⤵
- Modifies registry class
PID:6224 -
C:\Windows\SysWOW64\Kcpjnjii.exeC:\Windows\system32\Kcpjnjii.exe120⤵PID:6260
-
C:\Windows\SysWOW64\Kfnfjehl.exeC:\Windows\system32\Kfnfjehl.exe121⤵PID:6296
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-