Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 00:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b4b7d966464624bedb1a98bb33fb5a50_NEIKI.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
b4b7d966464624bedb1a98bb33fb5a50_NEIKI.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b4b7d966464624bedb1a98bb33fb5a50_NEIKI.exe
-
Size
227KB
-
MD5
b4b7d966464624bedb1a98bb33fb5a50
-
SHA1
3230c7724284b12e9864ade6187f211d082e3689
-
SHA256
d28db6fccdee18a444e1cf7e6f7d9ab4ad51dce54fd5f81efba9b40f341f6e79
-
SHA512
406ef08ddb6b6163c14451c10b180d00c4423a560faf9781af66e53977f3c68a2399079f12f1aa8c74358897dd7fa98addaa64aea4ee364e344ef58cab8361af
-
SSDEEP
3072:pVCWkuqoHm9jqLsFmsdYXmLlcJVIZen+Vcv2JBwwRBkBnReP2+x7zqg8Kmi9/D0g:pVCZoqjwszeXmr8SeNpgdyuH1l
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dljqpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmficqpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmhjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjqgff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndbnboqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paendb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fokbim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pecgja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjcclf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpeepnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nacbfdao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahppgjjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhlocipo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcopbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpklpkio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjolnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oecncc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcgoilpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqfooodg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipegmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgdbkohf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Himcoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kajfig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oecncc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liekmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lklnhlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aackeqeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gameonno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbhdmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnmopdep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahppgjjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cakjmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dakbckbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbfiep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blpechop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giofnacd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcbiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcklgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oilmnbpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcpapkgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdmcidam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbapjafe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdcijcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bidemmnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bemcgmak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmfbjnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahkflk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijfboafl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imihfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjeddggd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcbiao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpolqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdkhapfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olocem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phhqpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpemacql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daifnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqikdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dokjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epopgbia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhqbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcmofolg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngcgcjnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjcclf32.exe -
Executes dropped EXE 64 IoCs
pid Process 1812 Oilmnbpg.exe 1688 Oagbbdnb.exe 4488 Oecncc32.exe 4744 Okmfpm32.exe 4352 Onkbli32.exe 4164 Oajohd32.exe 4080 Olocem32.exe 5024 Onnoah32.exe 2300 Obikbgbb.exe 4520 Oiccoa32.exe 1868 Ogfcjnaj.exe 2444 Pnplghhf.exe 3200 Paohccgj.exe 3536 Phhqpn32.exe 4836 Ppphak32.exe 4316 Paaeiceg.exe 4668 Pihmjqfj.exe 940 Plfiflen.exe 2820 Pbpacfmj.exe 5060 Pacaoc32.exe 2680 Peonoaln.exe 4168 Phmjkmka.exe 3156 Ppdbljkd.exe 1760 Paendb32.exe 552 Pimfep32.exe 4136 Plkbak32.exe 3244 Pniomgpl.exe 3920 Pecgja32.exe 2420 Piockppb.exe 3376 Plmogkoe.exe 4600 Qnlkcfni.exe 4804 Qajhobmm.exe 1616 Qiappono.exe 5104 Qhdpll32.exe 4224 Qpkhmi32.exe 800 Qnnhhflf.exe 2456 Qamdda32.exe 740 Qiclfo32.exe 3004 Albibj32.exe 3364 Apndbici.exe 1148 Ablaodbm.exe 1224 Aejmkpaq.exe 2504 Aifiko32.exe 4512 Ahiigkqd.exe 5040 Aldegj32.exe 1820 Aocace32.exe 4784 Aaanpa32.exe 5068 Aihfanhg.exe 2052 Ahkflk32.exe 2872 Algbmjgk.exe 1108 Aoeniefo.exe 4852 Aackeqeb.exe 3584 Aikbfnfd.exe 4532 Aliobieh.exe 1384 Apekch32.exe 1500 Aafgkpcp.exe 4484 Aimoln32.exe 4856 Ahppgjjl.exe 4132 Alkkhi32.exe 4588 Apggihko.exe 4676 Abedecjb.exe 4472 Aahdqp32.exe 2324 Aedpaoif.exe 464 Aiolam32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pacaoc32.exe Pbpacfmj.exe File created C:\Windows\SysWOW64\Bfolabba.dll Apggihko.exe File created C:\Windows\SysWOW64\Kgmlkp32.exe Kbapjafe.exe File created C:\Windows\SysWOW64\Fqhgbj32.dll Apndbici.exe File created C:\Windows\SysWOW64\Aifiko32.exe Aejmkpaq.exe File opened for modification C:\Windows\SysWOW64\Cpjmee32.exe Chbedh32.exe File created C:\Windows\SysWOW64\Mgghhlhq.exe Mcklgm32.exe File opened for modification C:\Windows\SysWOW64\Apndbici.exe Albibj32.exe File created C:\Windows\SysWOW64\Ngfkoo32.dll Aocace32.exe File created C:\Windows\SysWOW64\Ebhjob32.dll Coagla32.exe File opened for modification C:\Windows\SysWOW64\Dfdbojmq.exe Daifnk32.exe File created C:\Windows\SysWOW64\Inomojol.dll Ecbenm32.exe File created C:\Windows\SysWOW64\Hccglh32.exe Hpgkkioa.exe File created C:\Windows\SysWOW64\Lcmofolg.exe Ldkojb32.exe File created C:\Windows\SysWOW64\Mdfofakp.exe Mahbje32.exe File opened for modification C:\Windows\SysWOW64\Bhgehi32.exe Bidemmnj.exe File created C:\Windows\SysWOW64\Bgkkkd32.dll Doccaall.exe File created C:\Windows\SysWOW64\Eoifcnid.exe Eqfeha32.exe File created C:\Windows\SysWOW64\Qfiapa32.dll Fbllkh32.exe File created C:\Windows\SysWOW64\Gmoliohh.exe Gidphq32.exe File created C:\Windows\SysWOW64\Ifmcdblq.exe Idofhfmm.exe File created C:\Windows\SysWOW64\Kcbibebo.dll Nkjjij32.exe File created C:\Windows\SysWOW64\Plmogkoe.exe Piockppb.exe File opened for modification C:\Windows\SysWOW64\Beppmmoi.exe Bbacqape.exe File opened for modification C:\Windows\SysWOW64\Nkqpjidj.exe Ngedij32.exe File created C:\Windows\SysWOW64\Diefokle.dll Gbldaffp.exe File opened for modification C:\Windows\SysWOW64\Oajohd32.exe Onkbli32.exe File opened for modification C:\Windows\SysWOW64\Olocem32.exe Oajohd32.exe File opened for modification C:\Windows\SysWOW64\Plfiflen.exe Pihmjqfj.exe File created C:\Windows\SysWOW64\Iindogea.dll Cpofpdgd.exe File created C:\Windows\SysWOW64\Ebeejijj.exe Ecbenm32.exe File opened for modification C:\Windows\SysWOW64\Fifdgblo.exe Fjcclf32.exe File opened for modification C:\Windows\SysWOW64\Aejmkpaq.exe Ablaodbm.exe File created C:\Windows\SysWOW64\Bpqjofcd.exe Blennh32.exe File created C:\Windows\SysWOW64\Ejegjh32.exe Efikji32.exe File created C:\Windows\SysWOW64\Gcggpj32.exe Gpklpkio.exe File opened for modification C:\Windows\SysWOW64\Gcidfi32.exe Gpnhekgl.exe File created C:\Windows\SysWOW64\Gddfpk32.dll Fcikolnh.exe File created C:\Windows\SysWOW64\Fckhdk32.exe Fopldmcl.exe File opened for modification C:\Windows\SysWOW64\Gbldaffp.exe Gcidfi32.exe File created C:\Windows\SysWOW64\Ijaida32.exe Iffmccbi.exe File opened for modification C:\Windows\SysWOW64\Ldmlpbbj.exe Laopdgcg.exe File opened for modification C:\Windows\SysWOW64\Hjfihc32.exe Hboagf32.exe File created C:\Windows\SysWOW64\Hjjbcbqj.exe Hbckbepg.exe File created C:\Windows\SysWOW64\Mnnkcb32.dll Imihfl32.exe File created C:\Windows\SysWOW64\Qdqjmdmd.dll Aedpaoif.exe File opened for modification C:\Windows\SysWOW64\Cakjmm32.exe Cchiaqjm.exe File opened for modification C:\Windows\SysWOW64\Hcnnaikp.exe Hpbaqj32.exe File created C:\Windows\SysWOW64\Lkiqbl32.exe Lgneampk.exe File created C:\Windows\SysWOW64\Icnmgkke.dll Digkijmd.exe File created C:\Windows\SysWOW64\Djnaji32.exe Debeijoc.exe File opened for modification C:\Windows\SysWOW64\Ejgdpg32.exe Eflhoigi.exe File opened for modification C:\Windows\SysWOW64\Mjeddggd.exe Mkbchk32.exe File opened for modification C:\Windows\SysWOW64\Lddbqa32.exe Lphfpbdi.exe File created C:\Windows\SysWOW64\Pbcfgejn.dll Mncmjfmk.exe File created C:\Windows\SysWOW64\Oilmnbpg.exe b4b7d966464624bedb1a98bb33fb5a50_NEIKI.exe File opened for modification C:\Windows\SysWOW64\Aafgkpcp.exe Apekch32.exe File created C:\Windows\SysWOW64\Fbllkh32.exe Fcikolnh.exe File created C:\Windows\SysWOW64\Ppmeid32.dll Hippdo32.exe File opened for modification C:\Windows\SysWOW64\Lcpllo32.exe Ldmlpbbj.exe File created C:\Windows\SysWOW64\Ckegia32.dll Laciofpa.exe File created C:\Windows\SysWOW64\Maaepd32.exe Mnfipekh.exe File created C:\Windows\SysWOW64\Bobgoedj.dll Ehekqe32.exe File created C:\Windows\SysWOW64\Gbjgbh32.dll Eqalmafo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10364 11048 WerFault.exe 544 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pniomgpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoeniefo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fflaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fodeolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpdelajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eceakm32.dll" Dcalgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll" Hadkpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqalmafo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Himcoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jagqlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnpim32.dll" Coojfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejbkehcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqqjmnii.dll" Ejgdpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll" Gbjhlfhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfhbppbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjcgohig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mamleegg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njacpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll" Lilanioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcbahlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkmcgqh.dll" Oajohd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plfiflen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpidngil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofqcl32.dll" Fokbim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkfkfohj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcpllo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgnnhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkpjfn32.dll" Bekfan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beppmmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dchbhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mglack32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnhfee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpacnh32.dll" Qnlkcfni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bemcgmak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibgnfha.dll" Fcgoilpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnocof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plkbak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhgehi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcnoenkc.dll" Bockjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjjbcbqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laalifad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aodldljj.dll" Commqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Debeijoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll" Fjcclf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fijmbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqiogp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aejmkpaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifoip32.dll" Ceblbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhcnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll" Gqkhjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkokhc32.dll" Dcfebonm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmclmabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll" Nqfbaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnjbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnmeecd.dll" Alkkhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blennh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iabgaklg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnjbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqmhbpba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlojkddn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll" Lnhmng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chgoogfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dagiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaqcbi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2436 wrote to memory of 1812 2436 b4b7d966464624bedb1a98bb33fb5a50_NEIKI.exe 82 PID 2436 wrote to memory of 1812 2436 b4b7d966464624bedb1a98bb33fb5a50_NEIKI.exe 82 PID 2436 wrote to memory of 1812 2436 b4b7d966464624bedb1a98bb33fb5a50_NEIKI.exe 82 PID 1812 wrote to memory of 1688 1812 Oilmnbpg.exe 83 PID 1812 wrote to memory of 1688 1812 Oilmnbpg.exe 83 PID 1812 wrote to memory of 1688 1812 Oilmnbpg.exe 83 PID 1688 wrote to memory of 4488 1688 Oagbbdnb.exe 84 PID 1688 wrote to memory of 4488 1688 Oagbbdnb.exe 84 PID 1688 wrote to memory of 4488 1688 Oagbbdnb.exe 84 PID 4488 wrote to memory of 4744 4488 Oecncc32.exe 85 PID 4488 wrote to memory of 4744 4488 Oecncc32.exe 85 PID 4488 wrote to memory of 4744 4488 Oecncc32.exe 85 PID 4744 wrote to memory of 4352 4744 Okmfpm32.exe 86 PID 4744 wrote to memory of 4352 4744 Okmfpm32.exe 86 PID 4744 wrote to memory of 4352 4744 Okmfpm32.exe 86 PID 4352 wrote to memory of 4164 4352 Onkbli32.exe 87 PID 4352 wrote to memory of 4164 4352 Onkbli32.exe 87 PID 4352 wrote to memory of 4164 4352 Onkbli32.exe 87 PID 4164 wrote to memory of 4080 4164 Oajohd32.exe 88 PID 4164 wrote to memory of 4080 4164 Oajohd32.exe 88 PID 4164 wrote to memory of 4080 4164 Oajohd32.exe 88 PID 4080 wrote to memory of 5024 4080 Olocem32.exe 90 PID 4080 wrote to memory of 5024 4080 Olocem32.exe 90 PID 4080 wrote to memory of 5024 4080 Olocem32.exe 90 PID 5024 wrote to memory of 2300 5024 Onnoah32.exe 91 PID 5024 wrote to memory of 2300 5024 Onnoah32.exe 91 PID 5024 wrote to memory of 2300 5024 Onnoah32.exe 91 PID 2300 wrote to memory of 4520 2300 Obikbgbb.exe 92 PID 2300 wrote to memory of 4520 2300 Obikbgbb.exe 92 PID 2300 wrote to memory of 4520 2300 Obikbgbb.exe 92 PID 4520 wrote to memory of 1868 4520 Oiccoa32.exe 93 PID 4520 wrote to memory of 1868 4520 Oiccoa32.exe 93 PID 4520 wrote to memory of 1868 4520 Oiccoa32.exe 93 PID 1868 wrote to memory of 2444 1868 Ogfcjnaj.exe 94 PID 1868 wrote to memory of 2444 1868 Ogfcjnaj.exe 94 PID 1868 wrote to memory of 2444 1868 Ogfcjnaj.exe 94 PID 2444 wrote to memory of 3200 2444 Pnplghhf.exe 95 PID 2444 wrote to memory of 3200 2444 Pnplghhf.exe 95 PID 2444 wrote to memory of 3200 2444 Pnplghhf.exe 95 PID 3200 wrote to memory of 3536 3200 Paohccgj.exe 97 PID 3200 wrote to memory of 3536 3200 Paohccgj.exe 97 PID 3200 wrote to memory of 3536 3200 Paohccgj.exe 97 PID 3536 wrote to memory of 4836 3536 Phhqpn32.exe 98 PID 3536 wrote to memory of 4836 3536 Phhqpn32.exe 98 PID 3536 wrote to memory of 4836 3536 Phhqpn32.exe 98 PID 4836 wrote to memory of 4316 4836 Ppphak32.exe 100 PID 4836 wrote to memory of 4316 4836 Ppphak32.exe 100 PID 4836 wrote to memory of 4316 4836 Ppphak32.exe 100 PID 4316 wrote to memory of 4668 4316 Paaeiceg.exe 101 PID 4316 wrote to memory of 4668 4316 Paaeiceg.exe 101 PID 4316 wrote to memory of 4668 4316 Paaeiceg.exe 101 PID 4668 wrote to memory of 940 4668 Pihmjqfj.exe 102 PID 4668 wrote to memory of 940 4668 Pihmjqfj.exe 102 PID 4668 wrote to memory of 940 4668 Pihmjqfj.exe 102 PID 940 wrote to memory of 2820 940 Plfiflen.exe 103 PID 940 wrote to memory of 2820 940 Plfiflen.exe 103 PID 940 wrote to memory of 2820 940 Plfiflen.exe 103 PID 2820 wrote to memory of 5060 2820 Pbpacfmj.exe 104 PID 2820 wrote to memory of 5060 2820 Pbpacfmj.exe 104 PID 2820 wrote to memory of 5060 2820 Pbpacfmj.exe 104 PID 5060 wrote to memory of 2680 5060 Pacaoc32.exe 105 PID 5060 wrote to memory of 2680 5060 Pacaoc32.exe 105 PID 5060 wrote to memory of 2680 5060 Pacaoc32.exe 105 PID 2680 wrote to memory of 4168 2680 Peonoaln.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4b7d966464624bedb1a98bb33fb5a50_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\b4b7d966464624bedb1a98bb33fb5a50_NEIKI.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Oilmnbpg.exeC:\Windows\system32\Oilmnbpg.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Oagbbdnb.exeC:\Windows\system32\Oagbbdnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Oecncc32.exeC:\Windows\system32\Oecncc32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Okmfpm32.exeC:\Windows\system32\Okmfpm32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Onkbli32.exeC:\Windows\system32\Onkbli32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\Oajohd32.exeC:\Windows\system32\Oajohd32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\Olocem32.exeC:\Windows\system32\Olocem32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Onnoah32.exeC:\Windows\system32\Onnoah32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Obikbgbb.exeC:\Windows\system32\Obikbgbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Oiccoa32.exeC:\Windows\system32\Oiccoa32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Ogfcjnaj.exeC:\Windows\system32\Ogfcjnaj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Pnplghhf.exeC:\Windows\system32\Pnplghhf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Paohccgj.exeC:\Windows\system32\Paohccgj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Phhqpn32.exeC:\Windows\system32\Phhqpn32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Ppphak32.exeC:\Windows\system32\Ppphak32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Paaeiceg.exeC:\Windows\system32\Paaeiceg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Pihmjqfj.exeC:\Windows\system32\Pihmjqfj.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\Plfiflen.exeC:\Windows\system32\Plfiflen.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Pbpacfmj.exeC:\Windows\system32\Pbpacfmj.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Pacaoc32.exeC:\Windows\system32\Pacaoc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Peonoaln.exeC:\Windows\system32\Peonoaln.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Phmjkmka.exeC:\Windows\system32\Phmjkmka.exe23⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Ppdbljkd.exeC:\Windows\system32\Ppdbljkd.exe24⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Paendb32.exeC:\Windows\system32\Paendb32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Pimfep32.exeC:\Windows\system32\Pimfep32.exe26⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Plkbak32.exeC:\Windows\system32\Plkbak32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:4136 -
C:\Windows\SysWOW64\Pniomgpl.exeC:\Windows\system32\Pniomgpl.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3244 -
C:\Windows\SysWOW64\Pecgja32.exeC:\Windows\system32\Pecgja32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Piockppb.exeC:\Windows\system32\Piockppb.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Plmogkoe.exeC:\Windows\system32\Plmogkoe.exe31⤵
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Qnlkcfni.exeC:\Windows\system32\Qnlkcfni.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4600 -
C:\Windows\SysWOW64\Qajhobmm.exeC:\Windows\system32\Qajhobmm.exe33⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Qiappono.exeC:\Windows\system32\Qiappono.exe34⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Qhdpll32.exeC:\Windows\system32\Qhdpll32.exe35⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Qpkhmi32.exeC:\Windows\system32\Qpkhmi32.exe36⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Qnnhhflf.exeC:\Windows\system32\Qnnhhflf.exe37⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Qamdda32.exeC:\Windows\system32\Qamdda32.exe38⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Qiclfo32.exeC:\Windows\system32\Qiclfo32.exe39⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Albibj32.exeC:\Windows\system32\Albibj32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Apndbici.exeC:\Windows\system32\Apndbici.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3364 -
C:\Windows\SysWOW64\Ablaodbm.exeC:\Windows\system32\Ablaodbm.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1148 -
C:\Windows\SysWOW64\Aejmkpaq.exeC:\Windows\system32\Aejmkpaq.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1224 -
C:\Windows\SysWOW64\Aifiko32.exeC:\Windows\system32\Aifiko32.exe44⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Ahiigkqd.exeC:\Windows\system32\Ahiigkqd.exe45⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Aldegj32.exeC:\Windows\system32\Aldegj32.exe46⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Aocace32.exeC:\Windows\system32\Aocace32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Aaanpa32.exeC:\Windows\system32\Aaanpa32.exe48⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Aihfanhg.exeC:\Windows\system32\Aihfanhg.exe49⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Ahkflk32.exeC:\Windows\system32\Ahkflk32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Algbmjgk.exeC:\Windows\system32\Algbmjgk.exe51⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Aoeniefo.exeC:\Windows\system32\Aoeniefo.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Aackeqeb.exeC:\Windows\system32\Aackeqeb.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Aikbfnfd.exeC:\Windows\system32\Aikbfnfd.exe54⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Aliobieh.exeC:\Windows\system32\Aliobieh.exe55⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Apekch32.exeC:\Windows\system32\Apekch32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Aafgkpcp.exeC:\Windows\system32\Aafgkpcp.exe57⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Aimoln32.exeC:\Windows\system32\Aimoln32.exe58⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Ahppgjjl.exeC:\Windows\system32\Ahppgjjl.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Alkkhi32.exeC:\Windows\system32\Alkkhi32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4132 -
C:\Windows\SysWOW64\Apggihko.exeC:\Windows\system32\Apggihko.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4588 -
C:\Windows\SysWOW64\Abedecjb.exeC:\Windows\system32\Abedecjb.exe62⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Aahdqp32.exeC:\Windows\system32\Aahdqp32.exe63⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Aedpaoif.exeC:\Windows\system32\Aedpaoif.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Aiolam32.exeC:\Windows\system32\Aiolam32.exe65⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Blnhni32.exeC:\Windows\system32\Blnhni32.exe66⤵PID:404
-
C:\Windows\SysWOW64\Bpidngil.exeC:\Windows\system32\Bpidngil.exe67⤵
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Boldjd32.exeC:\Windows\system32\Boldjd32.exe68⤵PID:4956
-
C:\Windows\SysWOW64\Bbhqjchp.exeC:\Windows\system32\Bbhqjchp.exe69⤵PID:2612
-
C:\Windows\SysWOW64\Befmfngc.exeC:\Windows\system32\Befmfngc.exe70⤵PID:3764
-
C:\Windows\SysWOW64\Bibigmpl.exeC:\Windows\system32\Bibigmpl.exe71⤵PID:3852
-
C:\Windows\SysWOW64\Bhdibj32.exeC:\Windows\system32\Bhdibj32.exe72⤵PID:1100
-
C:\Windows\SysWOW64\Blpechop.exeC:\Windows\system32\Blpechop.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1896 -
C:\Windows\SysWOW64\Bpladg32.exeC:\Windows\system32\Bpladg32.exe74⤵PID:3508
-
C:\Windows\SysWOW64\Bidemmnj.exeC:\Windows\system32\Bidemmnj.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4008 -
C:\Windows\SysWOW64\Bhgehi32.exeC:\Windows\system32\Bhgehi32.exe76⤵
- Modifies registry class
PID:388 -
C:\Windows\SysWOW64\Blbaihmn.exeC:\Windows\system32\Blbaihmn.exe77⤵PID:3684
-
C:\Windows\SysWOW64\Boanecla.exeC:\Windows\system32\Boanecla.exe78⤵PID:2380
-
C:\Windows\SysWOW64\Bbljeb32.exeC:\Windows\system32\Bbljeb32.exe79⤵PID:2212
-
C:\Windows\SysWOW64\Bekfan32.exeC:\Windows\system32\Bekfan32.exe80⤵
- Modifies registry class
PID:3304 -
C:\Windows\SysWOW64\Bifbbllg.exeC:\Windows\system32\Bifbbllg.exe81⤵PID:2808
-
C:\Windows\SysWOW64\Blennh32.exeC:\Windows\system32\Blennh32.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Bpqjofcd.exeC:\Windows\system32\Bpqjofcd.exe83⤵PID:588
-
C:\Windows\SysWOW64\Bockjc32.exeC:\Windows\system32\Bockjc32.exe84⤵
- Modifies registry class
PID:3936 -
C:\Windows\SysWOW64\Baaggo32.exeC:\Windows\system32\Baaggo32.exe85⤵PID:2084
-
C:\Windows\SysWOW64\Bemcgmak.exeC:\Windows\system32\Bemcgmak.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3440 -
C:\Windows\SysWOW64\Bhlocipo.exeC:\Windows\system32\Bhlocipo.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3292 -
C:\Windows\SysWOW64\Bpcgdfaa.exeC:\Windows\system32\Bpcgdfaa.exe88⤵PID:4580
-
C:\Windows\SysWOW64\Bbacqape.exeC:\Windows\system32\Bbacqape.exe89⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Beppmmoi.exeC:\Windows\system32\Beppmmoi.exe90⤵
- Modifies registry class
PID:3164 -
C:\Windows\SysWOW64\Cpedjf32.exeC:\Windows\system32\Cpedjf32.exe91⤵PID:964
-
C:\Windows\SysWOW64\Cohdebfi.exeC:\Windows\system32\Cohdebfi.exe92⤵PID:1984
-
C:\Windows\SysWOW64\Cccpfa32.exeC:\Windows\system32\Cccpfa32.exe93⤵PID:2560
-
C:\Windows\SysWOW64\Ceblbm32.exeC:\Windows\system32\Ceblbm32.exe94⤵
- Modifies registry class
PID:5020 -
C:\Windows\SysWOW64\Cimhckeo.exeC:\Windows\system32\Cimhckeo.exe95⤵PID:4788
-
C:\Windows\SysWOW64\Chphoh32.exeC:\Windows\system32\Chphoh32.exe96⤵PID:5148
-
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe97⤵PID:5188
-
C:\Windows\SysWOW64\Cojqkbdf.exeC:\Windows\system32\Cojqkbdf.exe98⤵PID:5232
-
C:\Windows\SysWOW64\Ccfmla32.exeC:\Windows\system32\Ccfmla32.exe99⤵PID:5280
-
C:\Windows\SysWOW64\Caimgncj.exeC:\Windows\system32\Caimgncj.exe100⤵PID:5316
-
C:\Windows\SysWOW64\Cedihl32.exeC:\Windows\system32\Cedihl32.exe101⤵PID:5364
-
C:\Windows\SysWOW64\Cipehkcl.exeC:\Windows\system32\Cipehkcl.exe102⤵PID:5408
-
C:\Windows\SysWOW64\Chbedh32.exeC:\Windows\system32\Chbedh32.exe103⤵
- Drops file in System32 directory
PID:5444 -
C:\Windows\SysWOW64\Cpjmee32.exeC:\Windows\system32\Cpjmee32.exe104⤵PID:5488
-
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe105⤵
- Modifies registry class
PID:5528 -
C:\Windows\SysWOW64\Cchiaqjm.exeC:\Windows\system32\Cchiaqjm.exe106⤵
- Drops file in System32 directory
PID:5572 -
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5608 -
C:\Windows\SysWOW64\Cefemliq.exeC:\Windows\system32\Cefemliq.exe108⤵PID:5656
-
C:\Windows\SysWOW64\Cibank32.exeC:\Windows\system32\Cibank32.exe109⤵PID:5692
-
C:\Windows\SysWOW64\Chebighd.exeC:\Windows\system32\Chebighd.exe110⤵PID:5740
-
C:\Windows\SysWOW64\Clqnjf32.exeC:\Windows\system32\Clqnjf32.exe111⤵PID:5776
-
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe112⤵PID:5824
-
C:\Windows\SysWOW64\Coojfa32.exeC:\Windows\system32\Coojfa32.exe113⤵
- Modifies registry class
PID:5864 -
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe114⤵PID:5912
-
C:\Windows\SysWOW64\Ceibclgn.exeC:\Windows\system32\Ceibclgn.exe115⤵PID:5952
-
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe116⤵PID:5992
-
C:\Windows\SysWOW64\Chgoogfa.exeC:\Windows\system32\Chgoogfa.exe117⤵
- Modifies registry class
PID:6028 -
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe118⤵
- Drops file in System32 directory
PID:6072 -
C:\Windows\SysWOW64\Coagla32.exeC:\Windows\system32\Coagla32.exe119⤵
- Drops file in System32 directory
PID:6116 -
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe120⤵PID:5128
-
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe121⤵PID:5172
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-