Analysis
- max time kernel: 159s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/05/2024, 21:40
Static task: static1
- 1 signatures

Behavioral task: behavioral1
- Sample: 648877eda799a5ae15dab6c2c6af6fd0_NEIKI.exe
- Resource: win7-20240221-en
- 7 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: 648877eda799a5ae15dab6c2c6af6fd0_NEIKI.exe
- Resource: win10v2004-20240226-en
- 5 signatures
- 150 seconds
General
- Target: 648877eda799a5ae15dab6c2c6af6fd0_NEIKI.exe
- Size: 364KB
- MD5: 648877eda799a5ae15dab6c2c6af6fd0
- SHA1: eb93529409d622602ca7396a9932ce0f6a2cadee
- SHA256: 947615b204d4643004fe65317c6619d515bc25b6db553820b9ab0d303089f67e
- SHA512: 5c160cd9185d13bc59ce015cf8d531b1c81bcdf7c1a82913ef669e4d233a5adfa337bcd4570e520d57b655673397be2fdbf3f6bfea44ad1da73171d256bf0859
- SSDEEP: 6144:KinSBZ1Tx0mZu5HRDg1Tx0mZunWTMCM+1Tx0mZu5HRDg1Tx0mZu:KuSTaSTiWRTaST
- Score: 10/10
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\648877eda799a5ae15dab6c2c6af6fd0_NEIKI.exe (PID 1516), command line: "C:\Users\Admin\AppData\Local\Temp\648877eda799a5ae15dab6c2c6af6fd0_NEIKI.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Windows\SysWOW64\Laiipofp.exe (PID 5076), command line: C:\Windows\system32\Laiipofp.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\SysWOW64\Lhgkgijg.exe (PID 2500), command line: C:\Windows\system32\Lhgkgijg.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\SysWOW64\Mapppn32.exe (PID 2440), command line: C:\Windows\system32\Mapppn32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 5] C:\Windows\SysWOW64\Mlhqcgnk.exe (PID 836), command line: C:\Windows\system32\Mlhqcgnk.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 6] C:\Windows\SysWOW64\Mjlalkmd.exe (PID 3660), command line: C:\Windows\system32\Mjlalkmd.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 7] C:\Windows\SysWOW64\Mjnnbk32.exe (PID 1596), command line: C:\Windows\system32\Mjnnbk32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 8] C:\Windows\SysWOW64\Mjpjgj32.exe (PID 1968), command line: C:\Windows\system32\Mjpjgj32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 9] C:\Windows\SysWOW64\Nhegig32.exe (PID 868), command line: C:\Windows\system32\Nhegig32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 10] C:\Windows\SysWOW64\Nhhdnf32.exe (PID 4292), command line: C:\Windows\system32\Nhhdnf32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 11] C:\Windows\SysWOW64\Pmhbqbae.exe (PID 4280), command line: C:\Windows\system32\Pmhbqbae.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 12] C:\Windows\SysWOW64\Pafkgphl.exe (PID 4844), command line: C:\Windows\system32\Pafkgphl.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 13] C:\Windows\SysWOW64\Aabkbono.exe (PID 5052), command line: C:\Windows\system32\Aabkbono.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 14] C:\Windows\SysWOW64\Aagdnn32.exe (PID 2832), command line: C:\Windows\system32\Aagdnn32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 15] C:\Windows\SysWOW64\Bbaclegm.exe (PID 688), command line: C:\Windows\system32\Bbaclegm.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 16] C:\Windows\SysWOW64\Cgfbbb32.exe (PID 3652), command line: C:\Windows\system32\Cgfbbb32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 17] C:\Windows\SysWOW64\Cdjblf32.exe (PID 2232), command line: C:\Windows\system32\Cdjblf32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 18] C:\Windows\SysWOW64\Cpacqg32.exe (PID 3212), command line: C:\Windows\system32\Cpacqg32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [depth 19] C:\Windows\SysWOW64\Famhmfkl.exe (PID 4808), command line: C:\Windows\system32\Famhmfkl.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 20] C:\Windows\SysWOW64\Gdiakp32.exe (PID 4988), command line: C:\Windows\system32\Gdiakp32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 21] C:\Windows\SysWOW64\Gjficg32.exe (PID 5044), command line: C:\Windows\system32\Gjficg32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 22] C:\Windows\SysWOW64\Gdknpp32.exe (PID 644), command line: C:\Windows\system32\Gdknpp32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 23] C:\Windows\SysWOW64\Jjgkab32.exe (PID 2592), command line: C:\Windows\system32\Jjgkab32.exe
  - Executes dropped EXE
- [depth 24] C:\Windows\SysWOW64\Jjkdlall.exe (PID 2240), command line: C:\Windows\system32\Jjkdlall.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- [depth 25] C:\Windows\SysWOW64\Kkpnga32.exe (PID 4396), command line: C:\Windows\system32\Kkpnga32.exe
  - Executes dropped EXE
- [depth 26] C:\Windows\SysWOW64\Kefbdjgm.exe (PID 4708), command line: C:\Windows\system32\Kefbdjgm.exe
  - Executes dropped EXE
- [depth 27] C:\Windows\SysWOW64\Kejloi32.exe (PID 3380), command line: C:\Windows\system32\Kejloi32.exe
  - Executes dropped EXE
- [depth 28] C:\Windows\SysWOW64\Lacijjgi.exe (PID 3532), command line: C:\Windows\system32\Lacijjgi.exe
  - Executes dropped EXE
- [depth 29] C:\Windows\SysWOW64\Llimgb32.exe (PID 2160), command line: C:\Windows\system32\Llimgb32.exe
  - Executes dropped EXE
- [depth 30] C:\Windows\SysWOW64\Leabphmp.exe (PID 1452), command line: C:\Windows\system32\Leabphmp.exe
  - Executes dropped EXE
  - Modifies registry class
- [depth 31] C:\Windows\SysWOW64\Lknjhokg.exe (PID 732), command line: C:\Windows\system32\Lknjhokg.exe
  - Executes dropped EXE
- [depth 32] C:\Windows\SysWOW64\Lbhool32.exe (PID 5016), command line: C:\Windows\system32\Lbhool32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- [depth 33] C:\Windows\SysWOW64\Lkcccn32.exe (PID 4032), command line: C:\Windows\system32\Lkcccn32.exe
  - Executes dropped EXE
- [depth 34] C:\Windows\SysWOW64\Maoifh32.exe (PID 1752), command line: C:\Windows\system32\Maoifh32.exe
  - Executes dropped EXE
- [depth 35] C:\Windows\SysWOW64\Mhiabbdi.exe (PID 3676), command line: C:\Windows\system32\Mhiabbdi.exe
  - Executes dropped EXE
- [depth 36] C:\Windows\SysWOW64\Maaekg32.exe (PID 1664), command line: C:\Windows\system32\Maaekg32.exe
  - Executes dropped EXE
- [depth 37] C:\Windows\SysWOW64\Moefdljc.exe (PID 888), command line: C:\Windows\system32\Moefdljc.exe
  - Executes dropped EXE
- [depth 38] C:\Windows\SysWOW64\Mdbnmbhj.exe (PID 1012), command line: C:\Windows\system32\Mdbnmbhj.exe
  - Executes dropped EXE
  - Modifies registry class
- [depth 39] C:\Windows\SysWOW64\Nlnpio32.exe (PID 4508), command line: C:\Windows\system32\Nlnpio32.exe
  - Executes dropped EXE
- [depth 40] C:\Windows\SysWOW64\Nefdbekh.exe (PID 3984), command line: C:\Windows\system32\Nefdbekh.exe
  - Executes dropped EXE
- [depth 41] C:\Windows\SysWOW64\Nlcidopb.exe (PID 5008), command line: C:\Windows\system32\Nlcidopb.exe
  - Executes dropped EXE
- [depth 42] C:\Windows\SysWOW64\Nfknmd32.exe (PID 760), command line: C:\Windows\system32\Nfknmd32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [depth 43] C:\Windows\SysWOW64\Nkhfek32.exe (PID 2052), command line: C:\Windows\system32\Nkhfek32.exe
  - Executes dropped EXE
- [depth 44] C:\Windows\SysWOW64\Nhlfoodc.exe (PID 4300), command line: C:\Windows\system32\Nhlfoodc.exe
  - Executes dropped EXE
- [depth 45] C:\Windows\SysWOW64\Nofoki32.exe (PID 3360), command line: C:\Windows\system32\Nofoki32.exe
  - Executes dropped EXE
- [depth 46] C:\Windows\SysWOW64\Ohcmpn32.exe (PID 3900), command line: C:\Windows\system32\Ohcmpn32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- [depth 47] C:\Windows\SysWOW64\Obkahddl.exe (PID 2256), command line: C:\Windows\system32\Obkahddl.exe
  - Executes dropped EXE
  - Modifies registry class
- [depth 48] C:\Windows\SysWOW64\Omaeem32.exe (PID 2632), command line: C:\Windows\system32\Omaeem32.exe
  - Executes dropped EXE
- [depth 49] C:\Windows\SysWOW64\Odljjo32.exe (PID 3612), command line: C:\Windows\system32\Odljjo32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [depth 50] C:\Windows\SysWOW64\Okfbgiij.exe (PID 2380), command line: C:\Windows\system32\Okfbgiij.exe
  - Executes dropped EXE
- [depth 51] C:\Windows\SysWOW64\Pdngpo32.exe (PID 2008), command line: C:\Windows\system32\Pdngpo32.exe
  - Executes dropped EXE
- [depth 52] C:\Windows\SysWOW64\Pbbgicnd.exe (PID 4860), command line: C:\Windows\system32\Pbbgicnd.exe
  - Executes dropped EXE
  - Modifies registry class
- [depth 53] C:\Windows\SysWOW64\Pilpfm32.exe (PID 3536), command line: C:\Windows\system32\Pilpfm32.exe
  - Executes dropped EXE
- [depth 54] C:\Windows\SysWOW64\Pcbdcf32.exe (PID 2244), command line: C:\Windows\system32\Pcbdcf32.exe
  - Executes dropped EXE
- [depth 55] C:\Windows\SysWOW64\Apgqie32.exe (PID 1644), command line: C:\Windows\system32\Apgqie32.exe
  - Executes dropped EXE
- [depth 56] C:\Windows\SysWOW64\Aecialmb.exe (PID 2664), command line: C:\Windows\system32\Aecialmb.exe
  - Executes dropped EXE
- [depth 57] C:\Windows\SysWOW64\Apkjddke.exe (PID 1252), command line: C:\Windows\system32\Apkjddke.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [depth 58] C:\Windows\SysWOW64\Afeban32.exe (PID 2680), command line: C:\Windows\system32\Afeban32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- [depth 59] C:\Windows\SysWOW64\Amoknh32.exe (PID 3056), command line: C:\Windows\system32\Amoknh32.exe
  - Executes dropped EXE
- [depth 60] C:\Windows\SysWOW64\Bbalaoda.exe (PID 2444), command line: C:\Windows\system32\Bbalaoda.exe
  - Executes dropped EXE
- [depth 61] C:\Windows\SysWOW64\Bmfqngcg.exe (PID 2252), command line: C:\Windows\system32\Bmfqngcg.exe
  - Executes dropped EXE
- [depth 62] C:\Windows\SysWOW64\Bbcignbo.exe (PID 1884), command line: C:\Windows\system32\Bbcignbo.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- [depth 63] C:\Windows\SysWOW64\Bimach32.exe (PID 3300), command line: C:\Windows\system32\Bimach32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [depth 64] C:\Windows\SysWOW64\Bpgjpb32.exe (PID 4984), command line: C:\Windows\system32\Bpgjpb32.exe
  - Executes dropped EXE
- [depth 65] C:\Windows\SysWOW64\Cdebfago.exe (PID 3104), command line: C:\Windows\system32\Cdebfago.exe
  - Executes dropped EXE
- [depth 66] C:\Windows\SysWOW64\Cefoni32.exe (PID 4580), command line: C:\Windows\system32\Cefoni32.exe
- [depth 67] C:\Windows\SysWOW64\Ellpmolj.exe (PID 2984), command line: C:\Windows\system32\Ellpmolj.exe
- [depth 68] C:\Windows\SysWOW64\Hgnlmdcp.exe (PID 4796), command line: C:\Windows\system32\Hgnlmdcp.exe
- [depth 69] C:\Windows\SysWOW64\Hgebnc32.exe (PID 5064), command line: C:\Windows\system32\Hgebnc32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 70] C:\Windows\SysWOW64\Iggocbke.exe (PID 4576), command line: C:\Windows\system32\Iggocbke.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 71] C:\Windows\SysWOW64\Imdgljil.exe (PID 2248), command line: C:\Windows\system32\Imdgljil.exe
- [depth 72] C:\Windows\SysWOW64\Ifmldo32.exe (PID 5160), command line: C:\Windows\system32\Ifmldo32.exe
- [depth 73] C:\Windows\SysWOW64\Imfdaigj.exe (PID 5200), command line: C:\Windows\system32\Imfdaigj.exe
- [depth 74] C:\Windows\SysWOW64\Iglhob32.exe (PID 5240), command line: C:\Windows\system32\Iglhob32.exe
  - Drops file in System32 directory
- [depth 75] C:\Windows\SysWOW64\Iqdmghnp.exe (PID 5280), command line: C:\Windows\system32\Iqdmghnp.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 76] C:\Windows\SysWOW64\Ifaepolg.exe (PID 5332), command line: C:\Windows\system32\Ifaepolg.exe
- [depth 77] C:\Windows\SysWOW64\Jnmglk32.exe (PID 5372), command line: C:\Windows\system32\Jnmglk32.exe
- [depth 78] C:\Windows\SysWOW64\Jegohe32.exe (PID 5420), command line: C:\Windows\system32\Jegohe32.exe
  - Modifies registry class
- [depth 79] C:\Windows\SysWOW64\Jfmekm32.exe (PID 5464), command line: C:\Windows\system32\Jfmekm32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 80] C:\Windows\SysWOW64\Jabiie32.exe (PID 5516), command line: C:\Windows\system32\Jabiie32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- [depth 81] C:\Windows\SysWOW64\Jaefne32.exe (PID 5556), command line: C:\Windows\system32\Jaefne32.exe
  - Modifies registry class
- [depth 82] C:\Windows\SysWOW64\Kjmjgk32.exe (PID 5596), command line: C:\Windows\system32\Kjmjgk32.exe
- [depth 83] C:\Windows\SysWOW64\Knkcmild.exe (PID 5644), command line: C:\Windows\system32\Knkcmild.exe
- [depth 84] C:\Windows\SysWOW64\Khcgfo32.exe (PID 5684), command line: C:\Windows\system32\Khcgfo32.exe
- [depth 85] C:\Windows\SysWOW64\Kmppneal.exe (PID 5724), command line: C:\Windows\system32\Kmppneal.exe
  - Drops file in System32 directory
- [depth 86] C:\Windows\SysWOW64\Kejeebpl.exe (PID 5768), command line: C:\Windows\system32\Kejeebpl.exe
- [depth 87] C:\Windows\SysWOW64\Kjfmminc.exe (PID 5812), command line: C:\Windows\system32\Kjfmminc.exe
- [depth 88] C:\Windows\SysWOW64\Lhadgmge.exe (PID 5876), command line: C:\Windows\system32\Lhadgmge.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 89] C:\Windows\SysWOW64\Leedqa32.exe (PID 5920), command line: C:\Windows\system32\Leedqa32.exe
  - Modifies registry class
- [depth 90] C:\Windows\SysWOW64\Lkbmih32.exe (PID 5964), command line: C:\Windows\system32\Lkbmih32.exe
- [depth 91] C:\Windows\SysWOW64\Mhfmbl32.exe (PID 6056), command line: C:\Windows\system32\Mhfmbl32.exe
- [depth 92] C:\Windows\SysWOW64\Mobbdf32.exe (PID 6104), command line: C:\Windows\system32\Mobbdf32.exe
- [depth 93] C:\Windows\SysWOW64\Maehlqch.exe (PID 5144), command line: C:\Windows\system32\Maehlqch.exe
- [depth 94] C:\Windows\SysWOW64\Mhppik32.exe (PID 5208), command line: C:\Windows\system32\Mhppik32.exe
  - Modifies registry class
- [depth 95] C:\Windows\SysWOW64\Nhbmnj32.exe (PID 4972), command line: C:\Windows\system32\Nhbmnj32.exe
- [depth 96] C:\Windows\SysWOW64\Nnoefagj.exe (PID 5340), command line: C:\Windows\system32\Nnoefagj.exe
- [depth 97] C:\Windows\SysWOW64\Namnmp32.exe (PID 5408), command line: C:\Windows\system32\Namnmp32.exe
- [depth 98] C:\Windows\SysWOW64\Nhffijdm.exe (PID 5492), command line: C:\Windows\system32\Nhffijdm.exe
- [depth 99] C:\Windows\SysWOW64\Nejgbn32.exe (PID 5548), command line: C:\Windows\system32\Nejgbn32.exe
- [depth 100] C:\Windows\SysWOW64\Nockkcjg.exe (PID 5480), command line: C:\Windows\system32\Nockkcjg.exe
  - Drops file in System32 directory
- [depth 101] C:\Windows\SysWOW64\Nemchn32.exe (PID 5676), command line: C:\Windows\system32\Nemchn32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- [depth 102] C:\Windows\SysWOW64\Ngnppfgb.exe (PID 5756), command line: C:\Windows\system32\Ngnppfgb.exe
- [depth 103] C:\Windows\SysWOW64\Oeopnmoa.exe (PID 5744), command line: C:\Windows\system32\Oeopnmoa.exe
- [depth 104] C:\Windows\SysWOW64\Oogdfc32.exe (PID 5916), command line: C:\Windows\system32\Oogdfc32.exe
- [depth 105] C:\Windows\SysWOW64\Okneldkf.exe (PID 5952), command line: C:\Windows\system32\Okneldkf.exe
- [depth 106] C:\Windows\SysWOW64\Odgjdibf.exe (PID 6020), command line: C:\Windows\system32\Odgjdibf.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 107] C:\Windows\SysWOW64\Oakjnnap.exe (PID 6112), command line: C:\Windows\system32\Oakjnnap.exe
- [depth 108] C:\Windows\SysWOW64\Ohdbkh32.exe (PID 5188), command line: C:\Windows\system32\Ohdbkh32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 109] C:\Windows\SysWOW64\Oamgcm32.exe (PID 5304), command line: C:\Windows\system32\Oamgcm32.exe
- [depth 110] C:\Windows\SysWOW64\Ogjpld32.exe (PID 5404), command line: C:\Windows\system32\Ogjpld32.exe
- [depth 111] C:\Windows\SysWOW64\Paocim32.exe (PID 5564), command line: C:\Windows\system32\Paocim32.exe
- [depth 112] C:\Windows\SysWOW64\Pgllad32.exe (PID 5720), command line: C:\Windows\system32\Pgllad32.exe
- [depth 113] C:\Windows\SysWOW64\Pdpmkhjl.exe (PID 5712), command line: C:\Windows\system32\Pdpmkhjl.exe
- [depth 114] C:\Windows\SysWOW64\Pkjegb32.exe (PID 6000), command line: C:\Windows\system32\Pkjegb32.exe
- [depth 115] C:\Windows\SysWOW64\Pnknim32.exe (PID 5984), command line: C:\Windows\system32\Pnknim32.exe
- [depth 116] C:\Windows\SysWOW64\Ailabddb.exe (PID 6128), command line: C:\Windows\system32\Ailabddb.exe
- [depth 117] C:\Windows\SysWOW64\Aecbge32.exe (PID 3696), command line: C:\Windows\system32\Aecbge32.exe
- [depth 118] C:\Windows\SysWOW64\Aohfdnil.exe (PID 5436), command line: C:\Windows\system32\Aohfdnil.exe
- [depth 119] C:\Windows\SysWOW64\Bbklli32.exe (PID 5912), command line: C:\Windows\system32\Bbklli32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 120] C:\Windows\SysWOW64\Biedhclh.exe (PID 4816), command line: C:\Windows\system32\Biedhclh.exe
- [depth 121] C:\Windows\SysWOW64\Clffalkf.exe (PID 5360), command line: C:\Windows\system32\Clffalkf.exe
- [depth 122] C:\Windows\SysWOW64\Eppobi32.exe (PID 5856), command line: C:\Windows\system32\Eppobi32.exe