Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
08/05/2024, 11:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
786587f69801f3df64534a6816682b30_NEIKI.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
786587f69801f3df64534a6816682b30_NEIKI.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
786587f69801f3df64534a6816682b30_NEIKI.exe
-
Size
224KB
-
MD5
786587f69801f3df64534a6816682b30
-
SHA1
c9a9a1b58886756e31f7aab52648687e34be14b6
-
SHA256
9dc8d57faaccbc8c600ba730d8356e09ca1b8c90abb666db8cf3a38202c8e649
-
SHA512
e84ff169744ac6c73aeb13dde78d0679d8bdf23105376815f694eb8f37f6d2dc0b61487a2e8ec52d9a4ae8cd7492a7177ab354c09c9932966e94ba87d70753d7
-
SSDEEP
6144:sWMzoLHE4rQD85k/hQO+zrWnAdqjeOpKff:s6LprQg5W/+zrWAI5KH
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lolpah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnhobgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhqfie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfodojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgjmoace.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhlbbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeoeplfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afhbljko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhkpcdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhhkbqea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nakikpin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfmqigba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oiljcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcmdpcle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpnobi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afpapcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jneoojeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oophlpag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiqegb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnnfkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihnmfoli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcaghm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gecklbih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhopfof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdljjjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnbjca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inplqlng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohncdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqdelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjeihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkopndcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbjchfaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnihneon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deajlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdkcgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hganjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcenmcea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fokaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmgekh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhcicf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndndbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibadnhmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmgpcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcnhcdkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eccdmmpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2040 Pefhlcdk.exe 1296 Qaofgc32.exe 1568 Qdpohodn.exe 2244 Adblnnbk.exe 2020 Addhcn32.exe 464 Adgein32.exe 1096 Ajamfh32.exe 2484 Aifjgdkj.exe 2664 Bihgmdih.exe 2836 Bimphc32.exe 2852 Bahelebm.exe 2436 Bnofaf32.exe 2912 Cppobaeb.exe 1812 Ccqhdmbc.exe 3052 Cnflae32.exe 1688 Cfaqfh32.exe 2588 Cceapl32.exe 1472 Doqkpl32.exe 848 Ddmchcnd.exe 808 Dqddmd32.exe 2272 Dkjhjm32.exe 2264 Dgqion32.exe 2576 Eddjhb32.exe 1552 Egebjmdn.exe 2368 Eclcon32.exe 1612 Epcddopf.exe 948 Eebibf32.exe 1964 Fhbbcail.exe 1752 Fefcmehe.exe 2616 Fcichb32.exe 2872 Fjfhkl32.exe 592 Gbcien32.exe 1332 Gminbfoh.exe 2396 Gpgjnbnl.exe 2644 Gipngg32.exe 2676 Gleqdb32.exe 2992 Hgoadp32.exe 864 Hpgfmeag.exe 1556 Hganjo32.exe 2940 Hafbghhj.exe 1456 Hgckoofa.exe 2060 Hlpchfdi.exe 1732 Hgfheodo.exe 1516 Hjddaj32.exe 2068 Hghdjn32.exe 1660 Ipqicdim.exe 2340 Iemalkgd.exe 876 Ilgjhena.exe 1416 Ifpnaj32.exe 1984 Iklfia32.exe 2328 Iafofkkf.exe 2828 Igcgnbim.exe 676 Ibillk32.exe 2548 Ihbdhepp.exe 2656 Inplqlng.exe 2888 Jghqia32.exe 1624 Jmdiahco.exe 1720 Jgjmoace.exe 3008 Jcandb32.exe 2972 Jjkfqlpf.exe 3040 Jqeomfgc.exe 2816 Jfagemej.exe 1512 Jkopndcb.exe 2892 Jfddkmch.exe -
Loads dropped DLL 64 IoCs
pid Process 2044 786587f69801f3df64534a6816682b30_NEIKI.exe 2044 786587f69801f3df64534a6816682b30_NEIKI.exe 2040 Pefhlcdk.exe 2040 Pefhlcdk.exe 1296 Qaofgc32.exe 1296 Qaofgc32.exe 1568 Qdpohodn.exe 1568 Qdpohodn.exe 2244 Adblnnbk.exe 2244 Adblnnbk.exe 2020 Addhcn32.exe 2020 Addhcn32.exe 464 Adgein32.exe 464 Adgein32.exe 1096 Ajamfh32.exe 1096 Ajamfh32.exe 2484 Aifjgdkj.exe 2484 Aifjgdkj.exe 2664 Bihgmdih.exe 2664 Bihgmdih.exe 2836 Bimphc32.exe 2836 Bimphc32.exe 2852 Bahelebm.exe 2852 Bahelebm.exe 2436 Bnofaf32.exe 2436 Bnofaf32.exe 2912 Cppobaeb.exe 2912 Cppobaeb.exe 1812 Ccqhdmbc.exe 1812 Ccqhdmbc.exe 3052 Cnflae32.exe 3052 Cnflae32.exe 1688 Cfaqfh32.exe 1688 Cfaqfh32.exe 2588 Cceapl32.exe 2588 Cceapl32.exe 1472 Doqkpl32.exe 1472 Doqkpl32.exe 848 Ddmchcnd.exe 848 Ddmchcnd.exe 808 Dqddmd32.exe 808 Dqddmd32.exe 2272 Dkjhjm32.exe 2272 Dkjhjm32.exe 2264 Dgqion32.exe 2264 Dgqion32.exe 2576 Eddjhb32.exe 2576 Eddjhb32.exe 1552 Egebjmdn.exe 1552 Egebjmdn.exe 2368 Eclcon32.exe 2368 Eclcon32.exe 1612 Epcddopf.exe 1612 Epcddopf.exe 948 Eebibf32.exe 948 Eebibf32.exe 1964 Fhbbcail.exe 1964 Fhbbcail.exe 1752 Fefcmehe.exe 1752 Fefcmehe.exe 2616 Fcichb32.exe 2616 Fcichb32.exe 2872 Fjfhkl32.exe 2872 Fjfhkl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pjhpin32.exe Pqplqile.exe File created C:\Windows\SysWOW64\Hgpeimhf.exe Hbblpf32.exe File opened for modification C:\Windows\SysWOW64\Pkiikm32.exe Process not Found File created C:\Windows\SysWOW64\Kdilkllh.exe Klbdiokf.exe File created C:\Windows\SysWOW64\Lpnobi32.exe Lnobfn32.exe File created C:\Windows\SysWOW64\Oifbhdjc.dll Llgllj32.exe File created C:\Windows\SysWOW64\Conbmfif.exe Cfemdp32.exe File opened for modification C:\Windows\SysWOW64\Dodlfmlb.exe Dhggdcgh.exe File created C:\Windows\SysWOW64\Ndgbohdn.dll Iojoalda.exe File opened for modification C:\Windows\SysWOW64\Cblniaii.exe Conbmfif.exe File created C:\Windows\SysWOW64\Lcdmekne.exe Process not Found File created C:\Windows\SysWOW64\Odmhjp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fpecddpi.exe Process not Found File created C:\Windows\SysWOW64\Ablmilgf.exe Agfikc32.exe File created C:\Windows\SysWOW64\Hnjompcl.dll Jfkbqcam.exe File created C:\Windows\SysWOW64\Dbadcdgp.exe Djfooa32.exe File created C:\Windows\SysWOW64\Bbeheeho.dll Hhnnpolk.exe File created C:\Windows\SysWOW64\Ddcadd32.exe Dgoakpjn.exe File created C:\Windows\SysWOW64\Dkkpeg32.dll Process not Found File created C:\Windows\SysWOW64\Gqaaok32.dll Jhmpbc32.exe File opened for modification C:\Windows\SysWOW64\Nmbenc32.exe Ndiaem32.exe File opened for modification C:\Windows\SysWOW64\Djnbdlla.exe Process not Found File created C:\Windows\SysWOW64\Epkgkfmd.exe Process not Found File created C:\Windows\SysWOW64\Khqplf32.dll Dqddmd32.exe File created C:\Windows\SysWOW64\Fblljhbo.exe Fladmn32.exe File created C:\Windows\SysWOW64\Mffdmfjd.exe Mibdcakk.exe File created C:\Windows\SysWOW64\Fgmlfo32.dll Oikeal32.exe File created C:\Windows\SysWOW64\Fohaqk32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Oqjibkek.exe Ofdeeb32.exe File created C:\Windows\SysWOW64\Moflkfca.exe Mfngbq32.exe File created C:\Windows\SysWOW64\Pahjgb32.exe Phoeomjc.exe File created C:\Windows\SysWOW64\Jfijmdbh.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ejnnbpol.exe Process not Found File created C:\Windows\SysWOW64\Kjhfjpdd.exe Kelmbifm.exe File created C:\Windows\SysWOW64\Nohddd32.exe Nmggllha.exe File created C:\Windows\SysWOW64\Kjlgaa32.exe Kapbmo32.exe File opened for modification C:\Windows\SysWOW64\Adcakdhn.exe Process not Found File created C:\Windows\SysWOW64\Qqbeel32.exe Qkelme32.exe File opened for modification C:\Windows\SysWOW64\Clnhajlc.exe Cedpdpdf.exe File created C:\Windows\SysWOW64\Jhniebne.exe Jfpmifoa.exe File created C:\Windows\SysWOW64\Nmiinh32.dll Fcaaloed.exe File created C:\Windows\SysWOW64\Iqpiepcn.exe Ihedan32.exe File created C:\Windows\SysWOW64\Nagjpd32.dll Process not Found File created C:\Windows\SysWOW64\Kljmfe32.dll Acadchoo.exe File created C:\Windows\SysWOW64\Jfiekc32.exe Jdjioh32.exe File created C:\Windows\SysWOW64\Kiefad32.dll Emjjfb32.exe File created C:\Windows\SysWOW64\Mkhocj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ahhgkdfo.exe Process not Found File created C:\Windows\SysWOW64\Nkfkidmk.exe Nhhominh.exe File created C:\Windows\SysWOW64\Fnkfoiql.dll Plfhdlfb.exe File created C:\Windows\SysWOW64\Faohlp32.dll Ajlabc32.exe File opened for modification C:\Windows\SysWOW64\Kfnmnojj.exe Kaaeegkc.exe File created C:\Windows\SysWOW64\Gloppi32.exe Process not Found File created C:\Windows\SysWOW64\Mieiglio.dll Fqhclqnc.exe File created C:\Windows\SysWOW64\Fkambhgf.exe Fqkieogp.exe File created C:\Windows\SysWOW64\Nomphm32.exe Niqgof32.exe File created C:\Windows\SysWOW64\Hhdmgkhc.dll Kdilkllh.exe File opened for modification C:\Windows\SysWOW64\Behnkm32.exe Bkbjmd32.exe File opened for modification C:\Windows\SysWOW64\Bpieli32.exe Bjomoo32.exe File created C:\Windows\SysWOW64\Gdnpak32.dll Chfffk32.exe File created C:\Windows\SysWOW64\Dqddmd32.exe Ddmchcnd.exe File opened for modification C:\Windows\SysWOW64\Pipjpj32.exe Pqdelh32.exe File created C:\Windows\SysWOW64\Hipdajoc.dll Mlhmkbhb.exe File created C:\Windows\SysWOW64\Cjcfdm32.dll Dgjfbllj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5596 4284 Process not Found 2013 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lllihf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oinbglkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naegmigc.dll" Cdjabn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aoakfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emhnqbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnmqjah.dll" Kpgdnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmoli32.dll" Eocfmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnjehaio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acheia32.dll" Lckflc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgjfbllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiqiqkf.dll" Ckebbgoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iogbllfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbcien32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofgbkacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aepnkjcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iopcaica.dll" Pqplqile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhnnpolk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehblofm.dll" Bkghjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgpmbgai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jibcja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekljoh32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnqhkcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnhnmckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekipgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbldcifi.dll" Hfdbji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmggcmgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjlgaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aennhcpi.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopako32.dll" Ibillk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibdhlmil.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epkqhe32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoile32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pihlhagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njmejaqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hegjbnaa.dll" Nqdjge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knkkngol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ingmoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipaklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honblmaq.dll" Mpalfabn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qajfmbna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onhnjclg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adkbgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afngoand.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdjgfomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgbhibio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpnobi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofilmn32.dll" Mdkcgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgjjdijo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbboiknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqjibkek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hoeigi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njbfpe32.dll" Mjeholco.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2044 wrote to memory of 2040 2044 786587f69801f3df64534a6816682b30_NEIKI.exe 30 PID 2044 wrote to memory of 2040 2044 786587f69801f3df64534a6816682b30_NEIKI.exe 30 PID 2044 wrote to memory of 2040 2044 786587f69801f3df64534a6816682b30_NEIKI.exe 30 PID 2044 wrote to memory of 2040 2044 786587f69801f3df64534a6816682b30_NEIKI.exe 30 PID 2040 wrote to memory of 1296 2040 Pefhlcdk.exe 31 PID 2040 wrote to memory of 1296 2040 Pefhlcdk.exe 31 PID 2040 wrote to memory of 1296 2040 Pefhlcdk.exe 31 PID 2040 wrote to memory of 1296 2040 Pefhlcdk.exe 31 PID 1296 wrote to memory of 1568 1296 Qaofgc32.exe 32 PID 1296 wrote to memory of 1568 1296 Qaofgc32.exe 32 PID 1296 wrote to memory of 1568 1296 Qaofgc32.exe 32 PID 1296 wrote to memory of 1568 1296 Qaofgc32.exe 32 PID 1568 wrote to memory of 2244 1568 Qdpohodn.exe 33 PID 1568 wrote to memory of 2244 1568 Qdpohodn.exe 33 PID 1568 wrote to memory of 2244 1568 Qdpohodn.exe 33 PID 1568 wrote to memory of 2244 1568 Qdpohodn.exe 33 PID 2244 wrote to memory of 2020 2244 Adblnnbk.exe 34 PID 2244 wrote to memory of 2020 2244 Adblnnbk.exe 34 PID 2244 wrote to memory of 2020 2244 Adblnnbk.exe 34 PID 2244 wrote to memory of 2020 2244 Adblnnbk.exe 34 PID 2020 wrote to memory of 464 2020 Addhcn32.exe 35 PID 2020 wrote to memory of 464 2020 Addhcn32.exe 35 PID 2020 wrote to memory of 464 2020 Addhcn32.exe 35 PID 2020 wrote to memory of 464 2020 Addhcn32.exe 35 PID 464 wrote to memory of 1096 464 Adgein32.exe 36 PID 464 wrote to memory of 1096 464 Adgein32.exe 36 PID 464 wrote to memory of 1096 464 Adgein32.exe 36 PID 464 wrote to memory of 1096 464 Adgein32.exe 36 PID 1096 wrote to memory of 2484 1096 Ajamfh32.exe 37 PID 1096 wrote to memory of 2484 1096 Ajamfh32.exe 37 PID 1096 wrote to memory of 2484 1096 Ajamfh32.exe 37 PID 1096 wrote to memory of 2484 1096 Ajamfh32.exe 37 PID 2484 wrote to memory of 2664 2484 Aifjgdkj.exe 38 PID 2484 wrote to memory of 2664 2484 Aifjgdkj.exe 38 PID 2484 wrote to memory of 2664 2484 Aifjgdkj.exe 38 PID 2484 wrote to memory of 2664 2484 Aifjgdkj.exe 38 PID 2664 wrote to memory of 2836 2664 Bihgmdih.exe 39 PID 2664 wrote to memory of 2836 2664 Bihgmdih.exe 39 PID 2664 wrote to memory of 2836 2664 Bihgmdih.exe 39 PID 2664 wrote to memory of 2836 2664 Bihgmdih.exe 39 PID 2836 wrote to memory of 2852 2836 Bimphc32.exe 40 PID 2836 wrote to memory of 2852 2836 Bimphc32.exe 40 PID 2836 wrote to memory of 2852 2836 Bimphc32.exe 40 PID 2836 wrote to memory of 2852 2836 Bimphc32.exe 40 PID 2852 wrote to memory of 2436 2852 Bahelebm.exe 41 PID 2852 wrote to memory of 2436 2852 Bahelebm.exe 41 PID 2852 wrote to memory of 2436 2852 Bahelebm.exe 41 PID 2852 wrote to memory of 2436 2852 Bahelebm.exe 41 PID 2436 wrote to memory of 2912 2436 Bnofaf32.exe 42 PID 2436 wrote to memory of 2912 2436 Bnofaf32.exe 42 PID 2436 wrote to memory of 2912 2436 Bnofaf32.exe 42 PID 2436 wrote to memory of 2912 2436 Bnofaf32.exe 42 PID 2912 wrote to memory of 1812 2912 Cppobaeb.exe 43 PID 2912 wrote to memory of 1812 2912 Cppobaeb.exe 43 PID 2912 wrote to memory of 1812 2912 Cppobaeb.exe 43 PID 2912 wrote to memory of 1812 2912 Cppobaeb.exe 43 PID 1812 wrote to memory of 3052 1812 Ccqhdmbc.exe 44 PID 1812 wrote to memory of 3052 1812 Ccqhdmbc.exe 44 PID 1812 wrote to memory of 3052 1812 Ccqhdmbc.exe 44 PID 1812 wrote to memory of 3052 1812 Ccqhdmbc.exe 44 PID 3052 wrote to memory of 1688 3052 Cnflae32.exe 45 PID 3052 wrote to memory of 1688 3052 Cnflae32.exe 45 PID 3052 wrote to memory of 1688 3052 Cnflae32.exe 45 PID 3052 wrote to memory of 1688 3052 Cnflae32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\786587f69801f3df64534a6816682b30_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\786587f69801f3df64534a6816682b30_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Pefhlcdk.exeC:\Windows\system32\Pefhlcdk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Qaofgc32.exeC:\Windows\system32\Qaofgc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Qdpohodn.exeC:\Windows\system32\Qdpohodn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Adblnnbk.exeC:\Windows\system32\Adblnnbk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Addhcn32.exeC:\Windows\system32\Addhcn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Adgein32.exeC:\Windows\system32\Adgein32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Ajamfh32.exeC:\Windows\system32\Ajamfh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Aifjgdkj.exeC:\Windows\system32\Aifjgdkj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Bihgmdih.exeC:\Windows\system32\Bihgmdih.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Bimphc32.exeC:\Windows\system32\Bimphc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Bahelebm.exeC:\Windows\system32\Bahelebm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Bnofaf32.exeC:\Windows\system32\Bnofaf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Cppobaeb.exeC:\Windows\system32\Cppobaeb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Ccqhdmbc.exeC:\Windows\system32\Ccqhdmbc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Cnflae32.exeC:\Windows\system32\Cnflae32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Cfaqfh32.exeC:\Windows\system32\Cfaqfh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Cceapl32.exeC:\Windows\system32\Cceapl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Doqkpl32.exeC:\Windows\system32\Doqkpl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1472 -
C:\Windows\SysWOW64\Ddmchcnd.exeC:\Windows\system32\Ddmchcnd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Dqddmd32.exeC:\Windows\system32\Dqddmd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:808 -
C:\Windows\SysWOW64\Dkjhjm32.exeC:\Windows\system32\Dkjhjm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Dgqion32.exeC:\Windows\system32\Dgqion32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Eddjhb32.exeC:\Windows\system32\Eddjhb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Egebjmdn.exeC:\Windows\system32\Egebjmdn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Eclcon32.exeC:\Windows\system32\Eclcon32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Epcddopf.exeC:\Windows\system32\Epcddopf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Eebibf32.exeC:\Windows\system32\Eebibf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Fhbbcail.exeC:\Windows\system32\Fhbbcail.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Fefcmehe.exeC:\Windows\system32\Fefcmehe.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Fcichb32.exeC:\Windows\system32\Fcichb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Fjfhkl32.exeC:\Windows\system32\Fjfhkl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Gbcien32.exeC:\Windows\system32\Gbcien32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe34⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Gpgjnbnl.exeC:\Windows\system32\Gpgjnbnl.exe35⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Gipngg32.exeC:\Windows\system32\Gipngg32.exe36⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Gleqdb32.exeC:\Windows\system32\Gleqdb32.exe37⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Hgoadp32.exeC:\Windows\system32\Hgoadp32.exe38⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Hpgfmeag.exeC:\Windows\system32\Hpgfmeag.exe39⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Hganjo32.exeC:\Windows\system32\Hganjo32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Hafbghhj.exeC:\Windows\system32\Hafbghhj.exe41⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Hgckoofa.exeC:\Windows\system32\Hgckoofa.exe42⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Hlpchfdi.exeC:\Windows\system32\Hlpchfdi.exe43⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Hgfheodo.exeC:\Windows\system32\Hgfheodo.exe44⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Hjddaj32.exeC:\Windows\system32\Hjddaj32.exe45⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Hghdjn32.exeC:\Windows\system32\Hghdjn32.exe46⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Ipqicdim.exeC:\Windows\system32\Ipqicdim.exe47⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Iemalkgd.exeC:\Windows\system32\Iemalkgd.exe48⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Ilgjhena.exeC:\Windows\system32\Ilgjhena.exe49⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Ifpnaj32.exeC:\Windows\system32\Ifpnaj32.exe50⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Iklfia32.exeC:\Windows\system32\Iklfia32.exe51⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Iafofkkf.exeC:\Windows\system32\Iafofkkf.exe52⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Igcgnbim.exeC:\Windows\system32\Igcgnbim.exe53⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Ibillk32.exeC:\Windows\system32\Ibillk32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Ihbdhepp.exeC:\Windows\system32\Ihbdhepp.exe55⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Inplqlng.exeC:\Windows\system32\Inplqlng.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Jghqia32.exeC:\Windows\system32\Jghqia32.exe57⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Jmdiahco.exeC:\Windows\system32\Jmdiahco.exe58⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Jgjmoace.exeC:\Windows\system32\Jgjmoace.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Jcandb32.exeC:\Windows\system32\Jcandb32.exe60⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Jjkfqlpf.exeC:\Windows\system32\Jjkfqlpf.exe61⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Jqeomfgc.exeC:\Windows\system32\Jqeomfgc.exe62⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Jfagemej.exeC:\Windows\system32\Jfagemej.exe63⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Jkopndcb.exeC:\Windows\system32\Jkopndcb.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Jfddkmch.exeC:\Windows\system32\Jfddkmch.exe65⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Kmnlhg32.exeC:\Windows\system32\Kmnlhg32.exe66⤵PID:2120
-
C:\Windows\SysWOW64\Kffqqm32.exeC:\Windows\system32\Kffqqm32.exe67⤵PID:1768
-
C:\Windows\SysWOW64\Kkciic32.exeC:\Windows\system32\Kkciic32.exe68⤵PID:1600
-
C:\Windows\SysWOW64\Knaeeo32.exeC:\Windows\system32\Knaeeo32.exe69⤵PID:280
-
C:\Windows\SysWOW64\Kelmbifm.exeC:\Windows\system32\Kelmbifm.exe70⤵
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Kjhfjpdd.exeC:\Windows\system32\Kjhfjpdd.exe71⤵PID:1208
-
C:\Windows\SysWOW64\Kenjgi32.exeC:\Windows\system32\Kenjgi32.exe72⤵PID:704
-
C:\Windows\SysWOW64\Knfopnkk.exeC:\Windows\system32\Knfopnkk.exe73⤵PID:2456
-
C:\Windows\SysWOW64\Kgocid32.exeC:\Windows\system32\Kgocid32.exe74⤵PID:2536
-
C:\Windows\SysWOW64\Kjmoeo32.exeC:\Windows\system32\Kjmoeo32.exe75⤵PID:884
-
C:\Windows\SysWOW64\Lcedne32.exeC:\Windows\system32\Lcedne32.exe76⤵PID:2684
-
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe77⤵PID:2008
-
C:\Windows\SysWOW64\Lpldcfmd.exeC:\Windows\system32\Lpldcfmd.exe78⤵PID:2692
-
C:\Windows\SysWOW64\Lidilk32.exeC:\Windows\system32\Lidilk32.exe79⤵PID:3000
-
C:\Windows\SysWOW64\Llcehg32.exeC:\Windows\system32\Llcehg32.exe80⤵PID:916
-
C:\Windows\SysWOW64\Lekjal32.exeC:\Windows\system32\Lekjal32.exe81⤵PID:2920
-
C:\Windows\SysWOW64\Lmbabj32.exeC:\Windows\system32\Lmbabj32.exe82⤵PID:3068
-
C:\Windows\SysWOW64\Lfkfkopk.exeC:\Windows\system32\Lfkfkopk.exe83⤵PID:800
-
C:\Windows\SysWOW64\Lhlbbg32.exeC:\Windows\system32\Lhlbbg32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:640 -
C:\Windows\SysWOW64\Lbagpp32.exeC:\Windows\system32\Lbagpp32.exe85⤵PID:768
-
C:\Windows\SysWOW64\Lljkif32.exeC:\Windows\system32\Lljkif32.exe86⤵PID:2532
-
C:\Windows\SysWOW64\Magdam32.exeC:\Windows\system32\Magdam32.exe87⤵PID:2332
-
C:\Windows\SysWOW64\Mhalngad.exeC:\Windows\system32\Mhalngad.exe88⤵PID:1048
-
C:\Windows\SysWOW64\Mkohjbah.exeC:\Windows\system32\Mkohjbah.exe89⤵PID:1972
-
C:\Windows\SysWOW64\Mhcicf32.exeC:\Windows\system32\Mhcicf32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Momapqgn.exeC:\Windows\system32\Momapqgn.exe91⤵PID:3056
-
C:\Windows\SysWOW64\Mghfdcdi.exeC:\Windows\system32\Mghfdcdi.exe92⤵PID:1056
-
C:\Windows\SysWOW64\Migbpocm.exeC:\Windows\system32\Migbpocm.exe93⤵PID:2620
-
C:\Windows\SysWOW64\Mdlfngcc.exeC:\Windows\system32\Mdlfngcc.exe94⤵PID:2464
-
C:\Windows\SysWOW64\Miiofn32.exeC:\Windows\system32\Miiofn32.exe95⤵PID:1960
-
C:\Windows\SysWOW64\Mgmoob32.exeC:\Windows\system32\Mgmoob32.exe96⤵PID:3064
-
C:\Windows\SysWOW64\Nmggllha.exeC:\Windows\system32\Nmggllha.exe97⤵
- Drops file in System32 directory
PID:308 -
C:\Windows\SysWOW64\Nohddd32.exeC:\Windows\system32\Nohddd32.exe98⤵PID:2636
-
C:\Windows\SysWOW64\Neblqoel.exeC:\Windows\system32\Neblqoel.exe99⤵PID:2764
-
C:\Windows\SysWOW64\Ncfmjc32.exeC:\Windows\system32\Ncfmjc32.exe100⤵PID:2296
-
C:\Windows\SysWOW64\Nipefmkb.exeC:\Windows\system32\Nipefmkb.exe101⤵PID:1344
-
C:\Windows\SysWOW64\Nommodjj.exeC:\Windows\system32\Nommodjj.exe102⤵PID:2976
-
C:\Windows\SysWOW64\Nakikpin.exeC:\Windows\system32\Nakikpin.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2116 -
C:\Windows\SysWOW64\Nkdndeon.exeC:\Windows\system32\Nkdndeon.exe104⤵PID:2820
-
C:\Windows\SysWOW64\Nanfqo32.exeC:\Windows\system32\Nanfqo32.exe105⤵PID:1160
-
C:\Windows\SysWOW64\Nhhominh.exeC:\Windows\system32\Nhhominh.exe106⤵
- Drops file in System32 directory
PID:776 -
C:\Windows\SysWOW64\Nkfkidmk.exeC:\Windows\system32\Nkfkidmk.exe107⤵PID:2544
-
C:\Windows\SysWOW64\Opccallb.exeC:\Windows\system32\Opccallb.exe108⤵PID:516
-
C:\Windows\SysWOW64\Ogmkne32.exeC:\Windows\system32\Ogmkne32.exe109⤵PID:576
-
C:\Windows\SysWOW64\Oabplobe.exeC:\Windows\system32\Oabplobe.exe110⤵PID:2568
-
C:\Windows\SysWOW64\Ogohdeam.exeC:\Windows\system32\Ogohdeam.exe111⤵PID:2936
-
C:\Windows\SysWOW64\Oqgmmk32.exeC:\Windows\system32\Oqgmmk32.exe112⤵PID:1832
-
C:\Windows\SysWOW64\Ofdeeb32.exeC:\Windows\system32\Ofdeeb32.exe113⤵
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Oqjibkek.exeC:\Windows\system32\Oqjibkek.exe114⤵
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Ofgbkacb.exeC:\Windows\system32\Ofgbkacb.exe115⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Omqjgl32.exeC:\Windows\system32\Omqjgl32.exe116⤵PID:872
-
C:\Windows\SysWOW64\Ofiopaap.exeC:\Windows\system32\Ofiopaap.exe117⤵PID:944
-
C:\Windows\SysWOW64\Pmcgmkil.exeC:\Windows\system32\Pmcgmkil.exe118⤵PID:2812
-
C:\Windows\SysWOW64\Poacighp.exeC:\Windows\system32\Poacighp.exe119⤵PID:2012
-
C:\Windows\SysWOW64\Pmecbkgj.exeC:\Windows\system32\Pmecbkgj.exe120⤵PID:1772
-
C:\Windows\SysWOW64\Pnfpjc32.exeC:\Windows\system32\Pnfpjc32.exe121⤵PID:2688
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-