Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 01:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bc743c93bb8ed7a4ea5efeabc130b9a0_NEIKI.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
bc743c93bb8ed7a4ea5efeabc130b9a0_NEIKI.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
bc743c93bb8ed7a4ea5efeabc130b9a0_NEIKI.exe
-
Size
74KB
-
MD5
bc743c93bb8ed7a4ea5efeabc130b9a0
-
SHA1
74d30e2f88a3381e4a97bc0c4f1f8b96b651b225
-
SHA256
4cf60da733ee032703236c7dd6efe51b79233e2ca5d38ff792749c74dee8c03b
-
SHA512
57aea479fda4bb5cbe9dd8d233151e44a4e2dc503ed4ee263351f15d2f94655a12b64aeb81793656e15809e1e14199f589cb590bd6e8ebab48aade168b6dc3c8
-
SSDEEP
1536:pVz5YiakmVM/z6HsLxYM5TeZ4fQK9QcNCnQi9qccFINm:p5G8mO/zTYMwZ4fQKyQi9Ei
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bloqah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhjgal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffnphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqhhknjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emeopn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gicbeald.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pijbfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankdiqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cobbhfhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faokjpfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghkllmoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqbndpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cobbhfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddeaalpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhffaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gopkmhjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iaeiieeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhcmgnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddeaalpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faagpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gldkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djefobmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eajaoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hogmmjfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dngoibmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbbkja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ealnephf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlnkmha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epaogi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hckcmjep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjdbnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coklgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gangic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gobgcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieqeidnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Goddhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Affhncfc.exe -
Executes dropped EXE 64 IoCs
pid Process 2316 Pfiidobe.exe 2396 Phjelg32.exe 2152 Ppamme32.exe 2628 Pndniaop.exe 2732 Pabjem32.exe 2476 Penfelgm.exe 2656 Pijbfj32.exe 2560 Qlhnbf32.exe 2960 Qjknnbed.exe 1088 Qaefjm32.exe 1968 Qeqbkkej.exe 2024 Qdccfh32.exe 2780 Qljkhe32.exe 1924 Qnigda32.exe 2680 Qagcpljo.exe 952 Qecoqk32.exe 676 Adeplhib.exe 1304 Afdlhchf.exe 2936 Ajphib32.exe 1296 Ankdiqih.exe 2880 Aajpelhl.exe 1668 Aplpai32.exe 1820 Adhlaggp.exe 1232 Ahchbf32.exe 1580 Affhncfc.exe 2088 Aiedjneg.exe 2192 Apomfh32.exe 1696 Abmibdlh.exe 2592 Afiecb32.exe 2612 Ajdadamj.exe 2824 Alenki32.exe 2996 Apajlhka.exe 2708 Admemg32.exe 2724 Afkbib32.exe 2032 Aenbdoii.exe 1996 Aiinen32.exe 1740 Apcfahio.exe 808 Aoffmd32.exe 576 Abbbnchb.exe 1332 Aepojo32.exe 2952 Ailkjmpo.exe 1640 Aljgfioc.exe 2296 Bbdocc32.exe 1536 Bagpopmj.exe 848 Bingpmnl.exe 1248 Bhahlj32.exe 2424 Blmdlhmp.exe 3028 Bkodhe32.exe 2640 Bdhhqk32.exe 2736 Bhcdaibd.exe 3000 Bloqah32.exe 2020 Bommnc32.exe 2720 Bnpmipql.exe 2444 Balijo32.exe 2660 Begeknan.exe 2864 Bdjefj32.exe 2508 Bhfagipa.exe 2768 Bghabf32.exe 2016 Bkdmcdoe.exe 1908 Bopicc32.exe 1612 Bnbjopoi.exe 748 Banepo32.exe 1076 Bpafkknm.exe 2956 Bdlblj32.exe -
Loads dropped DLL 64 IoCs
pid Process 2360 bc743c93bb8ed7a4ea5efeabc130b9a0_NEIKI.exe 2360 bc743c93bb8ed7a4ea5efeabc130b9a0_NEIKI.exe 2316 Pfiidobe.exe 2316 Pfiidobe.exe 2396 Phjelg32.exe 2396 Phjelg32.exe 2152 Ppamme32.exe 2152 Ppamme32.exe 2628 Pndniaop.exe 2628 Pndniaop.exe 2732 Pabjem32.exe 2732 Pabjem32.exe 2476 Penfelgm.exe 2476 Penfelgm.exe 2656 Pijbfj32.exe 2656 Pijbfj32.exe 2560 Qlhnbf32.exe 2560 Qlhnbf32.exe 2960 Qjknnbed.exe 2960 Qjknnbed.exe 1088 Qaefjm32.exe 1088 Qaefjm32.exe 1968 Qeqbkkej.exe 1968 Qeqbkkej.exe 2024 Qdccfh32.exe 2024 Qdccfh32.exe 2780 Qljkhe32.exe 2780 Qljkhe32.exe 1924 Qnigda32.exe 1924 Qnigda32.exe 2680 Qagcpljo.exe 2680 Qagcpljo.exe 952 Qecoqk32.exe 952 Qecoqk32.exe 676 Adeplhib.exe 676 Adeplhib.exe 1304 Afdlhchf.exe 1304 Afdlhchf.exe 2936 Ajphib32.exe 2936 Ajphib32.exe 1296 Ankdiqih.exe 1296 Ankdiqih.exe 2880 Aajpelhl.exe 2880 Aajpelhl.exe 1668 Aplpai32.exe 1668 Aplpai32.exe 1820 Adhlaggp.exe 1820 Adhlaggp.exe 1232 Ahchbf32.exe 1232 Ahchbf32.exe 1580 Affhncfc.exe 1580 Affhncfc.exe 2088 Aiedjneg.exe 2088 Aiedjneg.exe 2192 Apomfh32.exe 2192 Apomfh32.exe 1696 Abmibdlh.exe 1696 Abmibdlh.exe 2592 Afiecb32.exe 2592 Afiecb32.exe 2612 Ajdadamj.exe 2612 Ajdadamj.exe 2824 Alenki32.exe 2824 Alenki32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bkfjhd32.exe Bhhnli32.exe File opened for modification C:\Windows\SysWOW64\Hgilchkf.exe Hcnpbi32.exe File created C:\Windows\SysWOW64\Bnpmipql.exe Bommnc32.exe File opened for modification C:\Windows\SysWOW64\Bjijdadm.exe Bkfjhd32.exe File opened for modification C:\Windows\SysWOW64\Cgpgce32.exe Ccdlbf32.exe File opened for modification C:\Windows\SysWOW64\Dcfdgiid.exe Ddcdkl32.exe File created C:\Windows\SysWOW64\Gfoihbdp.dll Globlmmj.exe File created C:\Windows\SysWOW64\Apcfahio.exe Aiinen32.exe File created C:\Windows\SysWOW64\Comimg32.exe Cpjiajeb.exe File created C:\Windows\SysWOW64\Jmloladn.dll Fjdbnf32.exe File created C:\Windows\SysWOW64\Jbelkc32.dll Flmefm32.exe File created C:\Windows\SysWOW64\Fglhobmg.dll Dbbkja32.exe File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe Fnbkddem.exe File created C:\Windows\SysWOW64\Gogangdc.exe Gogangdc.exe File created C:\Windows\SysWOW64\Gcaciakh.dll Gmjaic32.exe File opened for modification C:\Windows\SysWOW64\Ankdiqih.exe Ajphib32.exe File created C:\Windows\SysWOW64\Aimcgn32.dll Ajphib32.exe File opened for modification C:\Windows\SysWOW64\Dkkpbgli.exe Dgodbh32.exe File opened for modification C:\Windows\SysWOW64\Fhffaj32.exe Fckjalhj.exe File opened for modification C:\Windows\SysWOW64\Febhomkh.dll Gmgdddmq.exe File created C:\Windows\SysWOW64\Aoffmd32.exe Apcfahio.exe File opened for modification C:\Windows\SysWOW64\Cckace32.exe Copfbfjj.exe File created C:\Windows\SysWOW64\Hjjddchg.exe Henidd32.exe File created C:\Windows\SysWOW64\Cbkeib32.exe Cciemedf.exe File opened for modification C:\Windows\SysWOW64\Ebinic32.exe Ennaieib.exe File created C:\Windows\SysWOW64\Ongbcmlc.dll Fnbkddem.exe File opened for modification C:\Windows\SysWOW64\Hkpnhgge.exe Hgdbhi32.exe File opened for modification C:\Windows\SysWOW64\Begeknan.exe Balijo32.exe File created C:\Windows\SysWOW64\Hfbenjka.dll Ddokpmfo.exe File created C:\Windows\SysWOW64\Alogkm32.dll Hcplhi32.exe File created C:\Windows\SysWOW64\Egamfkdh.exe Eiomkn32.exe File opened for modification C:\Windows\SysWOW64\Fjlhneio.exe Ffpmnf32.exe File opened for modification C:\Windows\SysWOW64\Gobgcg32.exe Gkgkbipp.exe File created C:\Windows\SysWOW64\Dqlafm32.exe Dmafennb.exe File created C:\Windows\SysWOW64\Djefobmk.exe Dfijnd32.exe File created C:\Windows\SysWOW64\Alenki32.exe Ajdadamj.exe File opened for modification C:\Windows\SysWOW64\Eflgccbp.exe Ebpkce32.exe File created C:\Windows\SysWOW64\Cgqjffca.dll Ejgcdb32.exe File created C:\Windows\SysWOW64\Ahcocb32.dll Glfhll32.exe File created C:\Windows\SysWOW64\Bnbjopoi.exe Bopicc32.exe File created C:\Windows\SysWOW64\Hellne32.exe Hgilchkf.exe File created C:\Windows\SysWOW64\Ilknfn32.exe Ihoafpmp.exe File created C:\Windows\SysWOW64\Efjcibje.dll Enkece32.exe File opened for modification C:\Windows\SysWOW64\Lpbjlbfp.dll Eloemi32.exe File opened for modification C:\Windows\SysWOW64\Efncicpm.exe Ebbgid32.exe File opened for modification C:\Windows\SysWOW64\Fnpnndgp.exe Fjdbnf32.exe File opened for modification C:\Windows\SysWOW64\Kifjcn32.dll Feeiob32.exe File created C:\Windows\SysWOW64\Njmekj32.dll Hmlnoc32.exe File opened for modification C:\Windows\SysWOW64\Dgmglh32.exe Dhjgal32.exe File created C:\Windows\SysWOW64\Gmibbifn.dll Icbimi32.exe File created C:\Windows\SysWOW64\Pdmaibnf.dll Clomqk32.exe File created C:\Windows\SysWOW64\Dlcdphdj.dll Claifkkf.exe File opened for modification C:\Windows\SysWOW64\Hghmjpap.dll Gfefiemq.exe File created C:\Windows\SysWOW64\Hahjpbad.exe Hmlnoc32.exe File opened for modification C:\Windows\SysWOW64\Gbkgnfbd.exe Gopkmhjk.exe File created C:\Windows\SysWOW64\Copfbfjj.exe Ckdjbh32.exe File created C:\Windows\SysWOW64\Ekklaj32.exe Emhlfmgj.exe File created C:\Windows\SysWOW64\Glaoalkh.exe Ghfbqn32.exe File opened for modification C:\Windows\SysWOW64\Fmlapp32.exe Fiaeoang.exe File created C:\Windows\SysWOW64\Hknach32.exe Hknach32.exe File created C:\Windows\SysWOW64\Gkddnkjk.dll Ajdadamj.exe File created C:\Windows\SysWOW64\Bghabf32.exe Bhfagipa.exe File opened for modification C:\Windows\SysWOW64\Ckffgg32.exe Chhjkl32.exe File created C:\Windows\SysWOW64\Ddokpmfo.exe Dflkdp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4796 4772 WerFault.exe 351 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpeofk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eijcpoac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkkalk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpcbqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gldkfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjcibje.dll" Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll" Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll" Hiqbndpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Doobajme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll" Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll" Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjhhocjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefmambf.dll" Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Facdeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pndaof32.dll" Ppamme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfmal32.dll" Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dngoibmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcmiimi.dll" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcfok32.dll" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eajaoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ealnephf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fioija32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gicbeald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll" Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdphdj.dll" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbnccfpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhcecp32.dll" Apomfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjndop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Affhncfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afiecb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbndm32.dll" Dhjgal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll" Hknach32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhjgal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebinic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlfdkoin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hacmcfge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Henidd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2360 wrote to memory of 2316 2360 bc743c93bb8ed7a4ea5efeabc130b9a0_NEIKI.exe 28 PID 2360 wrote to memory of 2316 2360 bc743c93bb8ed7a4ea5efeabc130b9a0_NEIKI.exe 28 PID 2360 wrote to memory of 2316 2360 bc743c93bb8ed7a4ea5efeabc130b9a0_NEIKI.exe 28 PID 2360 wrote to memory of 2316 2360 bc743c93bb8ed7a4ea5efeabc130b9a0_NEIKI.exe 28 PID 2316 wrote to memory of 2396 2316 Pfiidobe.exe 29 PID 2316 wrote to memory of 2396 2316 Pfiidobe.exe 29 PID 2316 wrote to memory of 2396 2316 Pfiidobe.exe 29 PID 2316 wrote to memory of 2396 2316 Pfiidobe.exe 29 PID 2396 wrote to memory of 2152 2396 Phjelg32.exe 30 PID 2396 wrote to memory of 2152 2396 Phjelg32.exe 30 PID 2396 wrote to memory of 2152 2396 Phjelg32.exe 30 PID 2396 wrote to memory of 2152 2396 Phjelg32.exe 30 PID 2152 wrote to memory of 2628 2152 Ppamme32.exe 31 PID 2152 wrote to memory of 2628 2152 Ppamme32.exe 31 PID 2152 wrote to memory of 2628 2152 Ppamme32.exe 31 PID 2152 wrote to memory of 2628 2152 Ppamme32.exe 31 PID 2628 wrote to memory of 2732 2628 Pndniaop.exe 32 PID 2628 wrote to memory of 2732 2628 Pndniaop.exe 32 PID 2628 wrote to memory of 2732 2628 Pndniaop.exe 32 PID 2628 wrote to memory of 2732 2628 Pndniaop.exe 32 PID 2732 wrote to memory of 2476 2732 Pabjem32.exe 33 PID 2732 wrote to memory of 2476 2732 Pabjem32.exe 33 PID 2732 wrote to memory of 2476 2732 Pabjem32.exe 33 PID 2732 wrote to memory of 2476 2732 Pabjem32.exe 33 PID 2476 wrote to memory of 2656 2476 Penfelgm.exe 34 PID 2476 wrote to memory of 2656 2476 Penfelgm.exe 34 PID 2476 wrote to memory of 2656 2476 Penfelgm.exe 34 PID 2476 wrote to memory of 2656 2476 Penfelgm.exe 34 PID 2656 wrote to memory of 2560 2656 Pijbfj32.exe 35 PID 2656 wrote to memory of 2560 2656 Pijbfj32.exe 35 PID 2656 wrote to memory of 2560 2656 Pijbfj32.exe 35 PID 2656 wrote to memory of 2560 2656 Pijbfj32.exe 35 PID 2560 wrote to memory of 2960 2560 Qlhnbf32.exe 36 PID 2560 wrote to memory of 2960 2560 Qlhnbf32.exe 36 PID 2560 wrote to memory of 2960 2560 Qlhnbf32.exe 36 PID 2560 wrote to memory of 2960 2560 Qlhnbf32.exe 36 PID 2960 wrote to memory of 1088 2960 Qjknnbed.exe 37 PID 2960 wrote to memory of 1088 2960 Qjknnbed.exe 37 PID 2960 wrote to memory of 1088 2960 Qjknnbed.exe 37 PID 2960 wrote to memory of 1088 2960 Qjknnbed.exe 37 PID 1088 wrote to memory of 1968 1088 Qaefjm32.exe 38 PID 1088 wrote to memory of 1968 1088 Qaefjm32.exe 38 PID 1088 wrote to memory of 1968 1088 Qaefjm32.exe 38 PID 1088 wrote to memory of 1968 1088 Qaefjm32.exe 38 PID 1968 wrote to memory of 2024 1968 Qeqbkkej.exe 39 PID 1968 wrote to memory of 2024 1968 Qeqbkkej.exe 39 PID 1968 wrote to memory of 2024 1968 Qeqbkkej.exe 39 PID 1968 wrote to memory of 2024 1968 Qeqbkkej.exe 39 PID 2024 wrote to memory of 2780 2024 Qdccfh32.exe 40 PID 2024 wrote to memory of 2780 2024 Qdccfh32.exe 40 PID 2024 wrote to memory of 2780 2024 Qdccfh32.exe 40 PID 2024 wrote to memory of 2780 2024 Qdccfh32.exe 40 PID 2780 wrote to memory of 1924 2780 Qljkhe32.exe 41 PID 2780 wrote to memory of 1924 2780 Qljkhe32.exe 41 PID 2780 wrote to memory of 1924 2780 Qljkhe32.exe 41 PID 2780 wrote to memory of 1924 2780 Qljkhe32.exe 41 PID 1924 wrote to memory of 2680 1924 Qnigda32.exe 42 PID 1924 wrote to memory of 2680 1924 Qnigda32.exe 42 PID 1924 wrote to memory of 2680 1924 Qnigda32.exe 42 PID 1924 wrote to memory of 2680 1924 Qnigda32.exe 42 PID 2680 wrote to memory of 952 2680 Qagcpljo.exe 43 PID 2680 wrote to memory of 952 2680 Qagcpljo.exe 43 PID 2680 wrote to memory of 952 2680 Qagcpljo.exe 43 PID 2680 wrote to memory of 952 2680 Qagcpljo.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc743c93bb8ed7a4ea5efeabc130b9a0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\bc743c93bb8ed7a4ea5efeabc130b9a0_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:676 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1296 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1232 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe33⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe34⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe35⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe39⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe40⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe41⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe42⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe43⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe44⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe46⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe47⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe48⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe49⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe50⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe51⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe56⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe57⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe59⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe60⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe62⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe63⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe64⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe67⤵
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe68⤵PID:2848
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe69⤵PID:2604
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe70⤵
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe71⤵PID:1532
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe72⤵PID:2272
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe73⤵PID:2004
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe74⤵PID:560
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe75⤵
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe76⤵PID:1428
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe77⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe78⤵PID:2576
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe79⤵
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe80⤵PID:2852
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe81⤵PID:2556
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:584 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe83⤵PID:1316
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2932 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe85⤵PID:2460
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:536 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe87⤵
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe89⤵PID:2100
-
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe90⤵
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe91⤵PID:2080
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe92⤵PID:956
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe93⤵PID:1172
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2388 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe96⤵
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe97⤵PID:1328
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe98⤵
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe99⤵PID:3036
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe100⤵PID:1680
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe101⤵PID:776
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2052 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe103⤵
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe104⤵PID:2844
-
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe106⤵PID:2800
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe107⤵PID:1572
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe108⤵PID:2000
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe109⤵
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe110⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe112⤵PID:2448
-
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe114⤵PID:2072
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe117⤵PID:2596
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1800 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe119⤵PID:1948
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2332
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-