Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
138s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
04/06/2024, 06:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
35e8b927a1875d0547913191d243c300_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
35e8b927a1875d0547913191d243c300_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
35e8b927a1875d0547913191d243c300_NeikiAnalytics.exe
-
Size
74KB
-
MD5
35e8b927a1875d0547913191d243c300
-
SHA1
88323e71462b3e69fd136874b222b6011ca3cc04
-
SHA256
70e1f2e44df8d51186534c2e15c74ee81fe1fbd3154da25aac0e3cc323f3ff3e
-
SHA512
6da7adb93818a18ca57733d6cc8e7e8f83cea63db63082d2244f48ab70bae78fd577fbf47d7ad952e509c9c1e051657d182817968b1894734ae6a6954b5c6c81
-
SSDEEP
1536:W+OHf9rLwlvHw1slf722L4xT/jCOmspP+DAwqqS9:W/fyJHwKlzL4x/jCOhpWDqq2
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anmjcieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfealaol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfdfgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Niklpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpbpbecj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balpgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcpahpmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgaokl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgcpokp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aehgnied.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpoefk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgppmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhcbodf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabfjpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jidklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fefjfked.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhlejcpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbphdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfqmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kflide32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhnpjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgelek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlbgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehdmlhcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqipio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlghoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hginecde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edpgli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fajnfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkadoiip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gflhoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfolbmje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acqimo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdkidohn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojgjndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nepgjaeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hemdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadifclh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngaionfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeaoab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejchhgid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlkgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbdjchgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejfeng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfpffeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmncnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Migjoaaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfcdfbqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nojanpej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpbbch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjjnifbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qachgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njhgbp32.exe -
Executes dropped EXE 64 IoCs
pid Process 2756 Fdgdgnbm.exe 1808 Flnlhk32.exe 4996 Ffgqqaip.exe 2940 Fdialn32.exe 1904 Fkciihgg.exe 1300 Fooeif32.exe 2172 Ffimfqgm.exe 2884 Flceckoj.exe 1008 Fcmnpe32.exe 1108 Ffkjlp32.exe 3216 Fhjfhl32.exe 4628 Gododflk.exe 3612 Gbbkaako.exe 2648 Gdqgmmjb.exe 1864 Gkkojgao.exe 3348 Gcagkdba.exe 4168 Gdcdbl32.exe 4484 Gmjlcj32.exe 3096 Gbgdlq32.exe 2524 Gfbploob.exe 4952 Ghaliknf.exe 4580 Gokdeeec.exe 4392 Gfembo32.exe 5044 Gicinj32.exe 3104 Gblngpbd.exe 2860 Gdjjckag.exe 4148 Hkdbpe32.exe 4084 Hbnjmp32.exe 392 Helfik32.exe 1972 Hkfoeega.exe 4696 Hbpgbo32.exe 2024 Heocnk32.exe 964 Hmfkoh32.exe 4232 Hkikkeeo.exe 704 Himldi32.exe 2768 Hofdacke.exe 3628 Hcbpab32.exe 2152 Hfqlnm32.exe 440 Hkmefd32.exe 2952 Hoiafcic.exe 4700 Hfcicmqp.exe 3288 Iiaephpc.exe 2912 Ikpaldog.exe 4756 Icgjmapi.exe 552 Ifefimom.exe 1796 Iicbehnq.exe 4224 Ikbnacmd.exe 384 Ipnjab32.exe 1924 Iblfnn32.exe 2472 Iejcji32.exe 3392 Imakkfdg.exe 640 Ippggbck.exe 1316 Ibnccmbo.exe 4408 Iihkpg32.exe 1160 Ilghlc32.exe 4472 Icnpmp32.exe 4488 Ieolehop.exe 3272 Imfdff32.exe 3472 Ipdqba32.exe 1276 Ibcmom32.exe 1100 Jmhale32.exe 1912 Jcbihpel.exe 2540 Jfaedkdp.exe 4344 Jioaqfcc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jlbgha32.exe Jidklf32.exe File opened for modification C:\Windows\SysWOW64\Olicnfco.exe Oeokal32.exe File opened for modification C:\Windows\SysWOW64\Mhbmphjm.exe Medqcmki.exe File opened for modification C:\Windows\SysWOW64\Jbdlop32.exe Jhlgfj32.exe File created C:\Windows\SysWOW64\Kechmoil.exe Kfqgab32.exe File created C:\Windows\SysWOW64\Bkaobnio.exe Blnoga32.exe File opened for modification C:\Windows\SysWOW64\Jmbdbd32.exe Jfhlejnh.exe File opened for modification C:\Windows\SysWOW64\Kppici32.exe Jghabl32.exe File opened for modification C:\Windows\SysWOW64\Cabomkll.exe Cpbbch32.exe File opened for modification C:\Windows\SysWOW64\Kcmmhj32.exe Kpoalo32.exe File created C:\Windows\SysWOW64\Ndcdmikd.exe Ndaggimg.exe File opened for modification C:\Windows\SysWOW64\Kngcje32.exe Klifnj32.exe File opened for modification C:\Windows\SysWOW64\Mhfppabl.exe Mnnkgl32.exe File opened for modification C:\Windows\SysWOW64\Ckilmcgb.exe Cbphdn32.exe File opened for modification C:\Windows\SysWOW64\Fcmnpe32.exe Flceckoj.exe File created C:\Windows\SysWOW64\Inbqhhfj.exe Ighhln32.exe File created C:\Windows\SysWOW64\Nbkdke32.dll Kmdlffhj.exe File opened for modification C:\Windows\SysWOW64\Lopmii32.exe Lmaamn32.exe File opened for modification C:\Windows\SysWOW64\Pnakhkol.exe Pdifoehl.exe File opened for modification C:\Windows\SysWOW64\Hgelek32.exe Gnlgleef.exe File created C:\Windows\SysWOW64\Ifolfj32.dll Nojanpej.exe File created C:\Windows\SysWOW64\Hildmn32.exe Hgmgqc32.exe File opened for modification C:\Windows\SysWOW64\Npchgdcd.exe Nemcjk32.exe File opened for modification C:\Windows\SysWOW64\Hajpbckl.exe Hgelek32.exe File opened for modification C:\Windows\SysWOW64\Dojqjdbl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Menjdbgj.exe Mgkjhe32.exe File created C:\Windows\SysWOW64\Cofnik32.exe Ckjbhmad.exe File created C:\Windows\SysWOW64\Ncqlkemc.exe Nmfcok32.exe File created C:\Windows\SysWOW64\Mmihfl32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cncnob32.exe Process not Found File created C:\Windows\SysWOW64\Pocehodm.dll Ghbbcd32.exe File created C:\Windows\SysWOW64\Ddfbhfmf.dll Alqjpi32.exe File created C:\Windows\SysWOW64\Npdpachh.dll Dbbffdlq.exe File created C:\Windows\SysWOW64\Kfjapcii.exe Knbiofhg.exe File opened for modification C:\Windows\SysWOW64\Ebejfk32.exe Dlkbjqgm.exe File created C:\Windows\SysWOW64\Ajihlijd.dll Mkhapk32.exe File created C:\Windows\SysWOW64\Ongbqjjf.dll Dmadco32.exe File opened for modification C:\Windows\SysWOW64\Pkadoiip.exe Pedlgbkh.exe File created C:\Windows\SysWOW64\Mcqjon32.exe Lmgabcge.exe File opened for modification C:\Windows\SysWOW64\Gkglja32.exe Ghipne32.exe File created C:\Windows\SysWOW64\Jibmgi32.exe Jnmijq32.exe File created C:\Windows\SysWOW64\Hijeeipc.dll Kecabifp.exe File created C:\Windows\SysWOW64\Gmdkpdef.dll Onjegled.exe File created C:\Windows\SysWOW64\Hcjccj32.dll Dhfajjoj.exe File created C:\Windows\SysWOW64\Hffken32.exe Hlpfhe32.exe File created C:\Windows\SysWOW64\Flpafo32.dll Klgqcqkl.exe File created C:\Windows\SysWOW64\Ogkcpbam.exe Odmgcgbi.exe File created C:\Windows\SysWOW64\Ginacp32.dll Alpbecod.exe File created C:\Windows\SysWOW64\Ckhindhb.dll Fcmnpe32.exe File created C:\Windows\SysWOW64\Lpggmhkg.dll Cajlhqjp.exe File created C:\Windows\SysWOW64\Gdkcckgg.dll Ngjbaj32.exe File created C:\Windows\SysWOW64\Iikikigb.dll Cfpffeaj.exe File created C:\Windows\SysWOW64\Jleijb32.exe Jekqmhia.exe File opened for modification C:\Windows\SysWOW64\Pnlaml32.exe Ofeilobp.exe File created C:\Windows\SysWOW64\Mjokgg32.exe Mgaokl32.exe File created C:\Windows\SysWOW64\Gadqlkep.exe Goedpofl.exe File opened for modification C:\Windows\SysWOW64\Ajbmdn32.exe Achegd32.exe File opened for modification C:\Windows\SysWOW64\Hofdacke.exe Himldi32.exe File opened for modification C:\Windows\SysWOW64\Nqmfdj32.exe Mgeakekd.exe File opened for modification C:\Windows\SysWOW64\Pgefeajb.exe Pnlaml32.exe File created C:\Windows\SysWOW64\Lncjlq32.exe Lflbkcll.exe File opened for modification C:\Windows\SysWOW64\Hmlpaoaj.exe Ggahedjn.exe File created C:\Windows\SysWOW64\Fechok32.dll Oeokal32.exe File created C:\Windows\SysWOW64\Mjelcfha.dll Delnin32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7232 11096 Process not Found 1223 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhjfhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebejfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfonlkp.dll" Jlgepanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgmjmjnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hckeoeno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfhdlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjbkgfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnocehc.dll" Mcqjon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifona32.dll" Plejdkmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll" Olcbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Liqihglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memfnodb.dll" Dfefkkqp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkeekk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pocehodm.dll" Ghbbcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfplpfib.dll" Dmalne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkadfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajckij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idjlpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ciafbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkmlmnl.dll" Gfhndpol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkmefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnlaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Danecp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgmjmjnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnnlaehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enabbk32.dll" Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oanfen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmlfpb32.dll" Lhdqnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odcfhh32.dll" Gjfnedho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhkmec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gokdeeec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll" Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkdpj32.dll" Gmjlcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakaffp.dll" Fpjcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abjfai32.dll" Adndoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gikdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klfaapbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikbnacmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll" Lgokmgjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aeniabfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noekdfjb.dll" Klifnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgadgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iojbpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcgpni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcdala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ponfka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghaliknf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdppbfff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nincmhle.dll" Leoghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odblin32.dll" Oileggkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcddcbab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmlpaoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckjbhmad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqbdjfln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjagqbca.dll" Idjlpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddnfmqng.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3752 wrote to memory of 2756 3752 35e8b927a1875d0547913191d243c300_NeikiAnalytics.exe 83 PID 3752 wrote to memory of 2756 3752 35e8b927a1875d0547913191d243c300_NeikiAnalytics.exe 83 PID 3752 wrote to memory of 2756 3752 35e8b927a1875d0547913191d243c300_NeikiAnalytics.exe 83 PID 2756 wrote to memory of 1808 2756 Fdgdgnbm.exe 84 PID 2756 wrote to memory of 1808 2756 Fdgdgnbm.exe 84 PID 2756 wrote to memory of 1808 2756 Fdgdgnbm.exe 84 PID 1808 wrote to memory of 4996 1808 Flnlhk32.exe 85 PID 1808 wrote to memory of 4996 1808 Flnlhk32.exe 85 PID 1808 wrote to memory of 4996 1808 Flnlhk32.exe 85 PID 4996 wrote to memory of 2940 4996 Ffgqqaip.exe 86 PID 4996 wrote to memory of 2940 4996 Ffgqqaip.exe 86 PID 4996 wrote to memory of 2940 4996 Ffgqqaip.exe 86 PID 2940 wrote to memory of 1904 2940 Fdialn32.exe 87 PID 2940 wrote to memory of 1904 2940 Fdialn32.exe 87 PID 2940 wrote to memory of 1904 2940 Fdialn32.exe 87 PID 1904 wrote to memory of 1300 1904 Fkciihgg.exe 88 PID 1904 wrote to memory of 1300 1904 Fkciihgg.exe 88 PID 1904 wrote to memory of 1300 1904 Fkciihgg.exe 88 PID 1300 wrote to memory of 2172 1300 Fooeif32.exe 89 PID 1300 wrote to memory of 2172 1300 Fooeif32.exe 89 PID 1300 wrote to memory of 2172 1300 Fooeif32.exe 89 PID 2172 wrote to memory of 2884 2172 Ffimfqgm.exe 90 PID 2172 wrote to memory of 2884 2172 Ffimfqgm.exe 90 PID 2172 wrote to memory of 2884 2172 Ffimfqgm.exe 90 PID 2884 wrote to memory of 1008 2884 Flceckoj.exe 91 PID 2884 wrote to memory of 1008 2884 Flceckoj.exe 91 PID 2884 wrote to memory of 1008 2884 Flceckoj.exe 91 PID 1008 wrote to memory of 1108 1008 Fcmnpe32.exe 92 PID 1008 wrote to memory of 1108 1008 Fcmnpe32.exe 92 PID 1008 wrote to memory of 1108 1008 Fcmnpe32.exe 92 PID 1108 wrote to memory of 3216 1108 Ffkjlp32.exe 93 PID 1108 wrote to memory of 3216 1108 Ffkjlp32.exe 93 PID 1108 wrote to memory of 3216 1108 Ffkjlp32.exe 93 PID 3216 wrote to memory of 4628 3216 Fhjfhl32.exe 94 PID 3216 wrote to memory of 4628 3216 Fhjfhl32.exe 94 PID 3216 wrote to memory of 4628 3216 Fhjfhl32.exe 94 PID 4628 wrote to memory of 3612 4628 Gododflk.exe 95 PID 4628 wrote to memory of 3612 4628 Gododflk.exe 95 PID 4628 wrote to memory of 3612 4628 Gododflk.exe 95 PID 3612 wrote to memory of 2648 3612 Gbbkaako.exe 96 PID 3612 wrote to memory of 2648 3612 Gbbkaako.exe 96 PID 3612 wrote to memory of 2648 3612 Gbbkaako.exe 96 PID 2648 wrote to memory of 1864 2648 Gdqgmmjb.exe 97 PID 2648 wrote to memory of 1864 2648 Gdqgmmjb.exe 97 PID 2648 wrote to memory of 1864 2648 Gdqgmmjb.exe 97 PID 1864 wrote to memory of 3348 1864 Gkkojgao.exe 98 PID 1864 wrote to memory of 3348 1864 Gkkojgao.exe 98 PID 1864 wrote to memory of 3348 1864 Gkkojgao.exe 98 PID 3348 wrote to memory of 4168 3348 Gcagkdba.exe 99 PID 3348 wrote to memory of 4168 3348 Gcagkdba.exe 99 PID 3348 wrote to memory of 4168 3348 Gcagkdba.exe 99 PID 4168 wrote to memory of 4484 4168 Gdcdbl32.exe 100 PID 4168 wrote to memory of 4484 4168 Gdcdbl32.exe 100 PID 4168 wrote to memory of 4484 4168 Gdcdbl32.exe 100 PID 4484 wrote to memory of 3096 4484 Gmjlcj32.exe 101 PID 4484 wrote to memory of 3096 4484 Gmjlcj32.exe 101 PID 4484 wrote to memory of 3096 4484 Gmjlcj32.exe 101 PID 3096 wrote to memory of 2524 3096 Gbgdlq32.exe 102 PID 3096 wrote to memory of 2524 3096 Gbgdlq32.exe 102 PID 3096 wrote to memory of 2524 3096 Gbgdlq32.exe 102 PID 2524 wrote to memory of 4952 2524 Gfbploob.exe 104 PID 2524 wrote to memory of 4952 2524 Gfbploob.exe 104 PID 2524 wrote to memory of 4952 2524 Gfbploob.exe 104 PID 4952 wrote to memory of 4580 4952 Ghaliknf.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\35e8b927a1875d0547913191d243c300_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\35e8b927a1875d0547913191d243c300_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4580 -
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe24⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe25⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe26⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe27⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe28⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe29⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe30⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe31⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe32⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe33⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe34⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe35⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:704 -
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe37⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe38⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe39⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:440 -
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe41⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe42⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe43⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe44⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Icgjmapi.exeC:\Windows\system32\Icgjmapi.exe45⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Ifefimom.exeC:\Windows\system32\Ifefimom.exe46⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe47⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Ikbnacmd.exeC:\Windows\system32\Ikbnacmd.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:4224 -
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe49⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe50⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe51⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe52⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe53⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe54⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe55⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe56⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe57⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe58⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe59⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Ipdqba32.exeC:\Windows\system32\Ipdqba32.exe60⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe62⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe63⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Jfaedkdp.exeC:\Windows\system32\Jfaedkdp.exe64⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe65⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe66⤵PID:4584
-
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe67⤵PID:1336
-
C:\Windows\SysWOW64\Jfcbjk32.exeC:\Windows\system32\Jfcbjk32.exe68⤵PID:740
-
C:\Windows\SysWOW64\Jmmjgejj.exeC:\Windows\system32\Jmmjgejj.exe69⤵PID:3024
-
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe70⤵PID:3692
-
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe71⤵PID:3952
-
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Jlbgha32.exeC:\Windows\system32\Jlbgha32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4544 -
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe74⤵
- Drops file in System32 directory
PID:3980 -
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe75⤵PID:4968
-
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe76⤵PID:3456
-
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe77⤵PID:3100
-
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe78⤵PID:3184
-
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe79⤵
- Drops file in System32 directory
PID:5068 -
C:\Windows\SysWOW64\Kepelfam.exeC:\Windows\system32\Kepelfam.exe80⤵PID:1764
-
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe81⤵PID:3888
-
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe82⤵PID:1756
-
C:\Windows\SysWOW64\Kebbafoj.exeC:\Windows\system32\Kebbafoj.exe83⤵PID:3748
-
C:\Windows\SysWOW64\Kmijbcpl.exeC:\Windows\system32\Kmijbcpl.exe84⤵PID:412
-
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe85⤵PID:2288
-
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe86⤵PID:216
-
C:\Windows\SysWOW64\Kdeoemeg.exeC:\Windows\system32\Kdeoemeg.exe87⤵PID:3652
-
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Kplpjn32.exeC:\Windows\system32\Kplpjn32.exe89⤵PID:4196
-
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe90⤵PID:3764
-
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe91⤵PID:4440
-
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe92⤵PID:5144
-
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe93⤵PID:5188
-
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe94⤵
- Modifies registry class
PID:5232 -
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe95⤵PID:5276
-
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe96⤵PID:5328
-
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe97⤵PID:5376
-
C:\Windows\SysWOW64\Llgjjnlj.exeC:\Windows\system32\Llgjjnlj.exe98⤵PID:5424
-
C:\Windows\SysWOW64\Ldoaklml.exeC:\Windows\system32\Ldoaklml.exe99⤵PID:5464
-
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe100⤵PID:5532
-
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe101⤵PID:5580
-
C:\Windows\SysWOW64\Lljfpnjg.exeC:\Windows\system32\Lljfpnjg.exe102⤵PID:5648
-
C:\Windows\SysWOW64\Ldanqkki.exeC:\Windows\system32\Ldanqkki.exe103⤵PID:5696
-
C:\Windows\SysWOW64\Lgokmgjm.exeC:\Windows\system32\Lgokmgjm.exe104⤵
- Modifies registry class
PID:5744 -
C:\Windows\SysWOW64\Lingibiq.exeC:\Windows\system32\Lingibiq.exe105⤵PID:5792
-
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe106⤵PID:5836
-
C:\Windows\SysWOW64\Mdckfk32.exeC:\Windows\system32\Mdckfk32.exe107⤵PID:5896
-
C:\Windows\SysWOW64\Mgagbf32.exeC:\Windows\system32\Mgagbf32.exe108⤵PID:5972
-
C:\Windows\SysWOW64\Mipcob32.exeC:\Windows\system32\Mipcob32.exe109⤵PID:6028
-
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe110⤵PID:6088
-
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe111⤵PID:6120
-
C:\Windows\SysWOW64\Megdccmb.exeC:\Windows\system32\Megdccmb.exe112⤵PID:5180
-
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe113⤵PID:5244
-
C:\Windows\SysWOW64\Mplhql32.exeC:\Windows\system32\Mplhql32.exe114⤵PID:5304
-
C:\Windows\SysWOW64\Mckemg32.exeC:\Windows\system32\Mckemg32.exe115⤵PID:5416
-
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe116⤵PID:5508
-
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5572 -
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe118⤵PID:5708
-
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5740 -
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe120⤵PID:5828
-
C:\Windows\SysWOW64\Mdmnlj32.exeC:\Windows\system32\Mdmnlj32.exe121⤵PID:5908
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-