Analysis
-
max time kernel
132s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 22:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4b3ee67e7d6a84f2e7f929805bb6d490_NEIKI.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
4b3ee67e7d6a84f2e7f929805bb6d490_NEIKI.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
4b3ee67e7d6a84f2e7f929805bb6d490_NEIKI.exe
-
Size
359KB
-
MD5
4b3ee67e7d6a84f2e7f929805bb6d490
-
SHA1
77b8e099df6dc07bca2268ed1920793f5744ca58
-
SHA256
0d2d6d2d503e14d25982e12f02913b028796342dd0a1ec23f2a89c65e7bb9167
-
SHA512
620097435cbd399475082f610c6bb7e8decd08b88cd47d75c980fca9c463c9e865962f0f7af7914952bc210a57d1b5911df51ee2bc1d6cdfabc08cd55b65cac1
-
SSDEEP
3072:0cImGHh3xyEQ30kQI8Va3CkfUVuyelbvP5lkzmQ1o0Otw44KmfpKivFM6WpqXWwC:+HHh3c3prba4Yb31/do
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahhblemi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afoeiklb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogogoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmngqdpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgekbljc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnfdcjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jifhaenk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdfibe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcddpdpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbmhlihl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmqmma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnpemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Angddopp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbgmcnhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpmfddnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcmnpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Camphf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgfqmfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bapiabak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkncdifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clnjjpod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cefoce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippggbck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcebhoii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hccglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhkapp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kknafn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fakdpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faihkbci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqncedbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofnckp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjkombfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdkldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgfqmfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Danecp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agffge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpgpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nilcjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klgqcqkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojgbfocc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfaloa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibqpimpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldaeka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqpnombl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jefbfgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hibljoco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpjjod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adcmmeog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgqdlnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfdcjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmlpbbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgemphmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfffjqdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpnlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eefhjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofcmfodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qceiaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibljoco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhidjpqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqbdjfln.exe -
Executes dropped EXE 64 IoCs
pid Process 2292 Fokbim32.exe 3564 Fbioei32.exe 552 Fcikolnh.exe 2552 Ffggkgmk.exe 384 Fbnhphbp.exe 4808 Fihqmb32.exe 3024 Fbqefhpm.exe 2456 Fqaeco32.exe 3712 Gmhfhp32.exe 1184 Gcbnejem.exe 1864 Gqfooodg.exe 912 Gcekkjcj.exe 1428 Gqikdn32.exe 5056 Gjapmdid.exe 4436 Gbldaffp.exe 2196 Gjclbc32.exe 3212 Hboagf32.exe 1404 Hcnnaikp.exe 3080 Hmfbjnbp.exe 5084 Hbckbepg.exe 2252 Himcoo32.exe 900 Hccglh32.exe 2216 Hmklen32.exe 2296 Hbhdmd32.exe 3988 Hibljoco.exe 3188 Ipldfi32.exe 1712 Ibjqcd32.exe 2792 Ijaida32.exe 224 Ijdeiaio.exe 4956 Icljbg32.exe 4476 Ifjfnb32.exe 3284 Idofhfmm.exe 3556 Ifmcdblq.exe 4240 Iabgaklg.exe 4212 Idacmfkj.exe 3492 Ifopiajn.exe 4684 Iinlemia.exe 4656 Jaedgjjd.exe 1552 Jdcpcf32.exe 2300 Jfaloa32.exe 4052 Jmkdlkph.exe 3196 Jagqlj32.exe 1296 Jbhmdbnp.exe 4876 Jjpeepnb.exe 3500 Jaimbj32.exe 4920 Jdhine32.exe 708 Jfffjqdf.exe 4136 Jmpngk32.exe 4724 Jpojcf32.exe 1452 Jbmfoa32.exe 4960 Jmbklj32.exe 3636 Jdmcidam.exe 5068 Jbocea32.exe 2404 Jkfkfohj.exe 2324 Jiikak32.exe 2376 Kaqcbi32.exe 452 Kbapjafe.exe 4420 Kkihknfg.exe 4288 Kmgdgjek.exe 4472 Kpepcedo.exe 3032 Kbdmpqcb.exe 4480 Kkkdan32.exe 1412 Kaemnhla.exe 5072 Kdcijcke.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bffkij32.exe Beeoaapl.exe File opened for modification C:\Windows\SysWOW64\Jbocea32.exe Jdmcidam.exe File opened for modification C:\Windows\SysWOW64\Gcimkc32.exe Gkaejf32.exe File opened for modification C:\Windows\SysWOW64\Immapg32.exe Hbgmcnhf.exe File created C:\Windows\SysWOW64\Jplfcpin.exe Jmmjgejj.exe File created C:\Windows\SysWOW64\Pqbdjfln.exe Pcncpbmd.exe File created C:\Windows\SysWOW64\Ojmcld32.exe Ogogoi32.exe File created C:\Windows\SysWOW64\Eegdfm32.dll Ahkobekf.exe File opened for modification C:\Windows\SysWOW64\Hmklen32.exe Hccglh32.exe File created C:\Windows\SysWOW64\Ekemhj32.exe Ehgqln32.exe File opened for modification C:\Windows\SysWOW64\Liimncmf.exe Lboeaifi.exe File created C:\Windows\SysWOW64\Fokbim32.exe 4b3ee67e7d6a84f2e7f929805bb6d490_NEIKI.exe File created C:\Windows\SysWOW64\Njogjfoj.exe Ndbnboqb.exe File created C:\Windows\SysWOW64\Bjdkjo32.exe Bhfonc32.exe File created C:\Windows\SysWOW64\Pjkolmml.dll Fakdpb32.exe File created C:\Windows\SysWOW64\Kgngca32.dll Qjoankoi.exe File created C:\Windows\SysWOW64\Bgdpie32.dll Bajjli32.exe File created C:\Windows\SysWOW64\Oijgnaaa.dll Fbnafb32.exe File created C:\Windows\SysWOW64\Efjecajf.dll Klljnp32.exe File opened for modification C:\Windows\SysWOW64\Qnhahj32.exe Pgnilpah.exe File created C:\Windows\SysWOW64\Ghilmi32.dll Cdfkolkf.exe File opened for modification C:\Windows\SysWOW64\Aqncedbp.exe Anogiicl.exe File opened for modification C:\Windows\SysWOW64\Hbhdmd32.exe Hmklen32.exe File opened for modification C:\Windows\SysWOW64\Kkbkamnl.exe Kpmfddnf.exe File created C:\Windows\SysWOW64\Hbcaee32.dll Cdainc32.exe File opened for modification C:\Windows\SysWOW64\Gdjjckag.exe Gcimkc32.exe File opened for modification C:\Windows\SysWOW64\Ndhmhh32.exe Nnneknob.exe File opened for modification C:\Windows\SysWOW64\Ehgqln32.exe Eeidoc32.exe File created C:\Windows\SysWOW64\Kldggoeb.dll Fojlngce.exe File opened for modification C:\Windows\SysWOW64\Pdifoehl.exe Pnonbk32.exe File created C:\Windows\SysWOW64\Jjjald32.dll Danecp32.exe File created C:\Windows\SysWOW64\Jflepa32.dll Jkfkfohj.exe File created C:\Windows\SysWOW64\Ddbbeade.exe Dkjmlk32.exe File opened for modification C:\Windows\SysWOW64\Jbhfjljd.exe Jpijnqkp.exe File created C:\Windows\SysWOW64\Kibgmdcn.exe Kpjcdn32.exe File created C:\Windows\SysWOW64\Hppdbdbc.dll Ofcmfodb.exe File created C:\Windows\SysWOW64\Idacmfkj.exe Iabgaklg.exe File created C:\Windows\SysWOW64\Opbnic32.dll Nkqpjidj.exe File created C:\Windows\SysWOW64\Immapg32.exe Hbgmcnhf.exe File opened for modification C:\Windows\SysWOW64\Cnkplejl.exe Cfdhkhjj.exe File opened for modification C:\Windows\SysWOW64\Kmnjhioc.exe Kkpnlm32.exe File created C:\Windows\SysWOW64\Bpflfc32.dll Anpncp32.exe File opened for modification C:\Windows\SysWOW64\Bdolhc32.exe Baaplhef.exe File created C:\Windows\SysWOW64\Jcbldglg.dll Daaicfgd.exe File created C:\Windows\SysWOW64\Eonefj32.dll Mchhggno.exe File created C:\Windows\SysWOW64\Pqpgdfnp.exe Pnakhkol.exe File created C:\Windows\SysWOW64\Eimmfkfe.dll Qgallfcq.exe File created C:\Windows\SysWOW64\Mgqddl32.dll Ceaehfjj.exe File created C:\Windows\SysWOW64\Dahode32.exe Dkoggkjo.exe File created C:\Windows\SysWOW64\Fqqlehck.dll Hfifmnij.exe File opened for modification C:\Windows\SysWOW64\Jpnchp32.exe Jlbgha32.exe File created C:\Windows\SysWOW64\Mfogkh32.dll Hmklen32.exe File created C:\Windows\SysWOW64\Hfifmnij.exe Hopnqdan.exe File opened for modification C:\Windows\SysWOW64\Lboeaifi.exe Lmbmibhb.exe File created C:\Windows\SysWOW64\Bhbopgfn.dll Nnlhfn32.exe File opened for modification C:\Windows\SysWOW64\Iabgaklg.exe Ifmcdblq.exe File created C:\Windows\SysWOW64\Bnjdmn32.dll Kmnjhioc.exe File created C:\Windows\SysWOW64\Kpihae32.dll Gfembo32.exe File created C:\Windows\SysWOW64\Dammlf32.dll Heocnk32.exe File created C:\Windows\SysWOW64\Jpnchp32.exe Jlbgha32.exe File opened for modification C:\Windows\SysWOW64\Anogiicl.exe Afhohlbj.exe File created C:\Windows\SysWOW64\Bpqnnk32.dll Iabgaklg.exe File created C:\Windows\SysWOW64\Cajcbgml.exe Colffknh.exe File created C:\Windows\SysWOW64\Nknjccol.dll Edpnfo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10588 10436 WerFault.exe 511 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpjcdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll" Nnjlpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll" Jpojcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll" Ndbnboqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimmfkfe.dll" Qgallfcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdhga32.dll" Cogmkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbnafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll" Mcpnhfhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll" Ifopiajn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpepcedo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onklabip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daaicfgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpnchp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfjjppmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll" Fbnhphbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibjqcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll" Ncfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll" Onjegled.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beeoaapl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beglgani.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chcddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qalnjkgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nilcjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbmfoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afoeiklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll" Ijaida32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaedgjjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjpeepnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbapjafe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfmkjoa.dll" Gdjjckag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdlbifk.dll" Jbjcolha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndhmhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipldfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll" Iinlemia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll" Ogbipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll" Pgnilpah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edpnfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leihbeib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balfaiil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifgbnlmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqbdjfln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll" Kaqcbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpocjdld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njogjfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll" Njogjfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mipaiqmd.dll" Qloebdig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfembo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olcbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll" Aepefb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcikolnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll" Ldmlpbbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jagqlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anbkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dldpkoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehnglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njohbh32.dll" Icgjmapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbeidl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fihqmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbldaffp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll" Accfbokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Accfbokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daconoae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnonbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmidog32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2396 wrote to memory of 2292 2396 4b3ee67e7d6a84f2e7f929805bb6d490_NEIKI.exe 83 PID 2396 wrote to memory of 2292 2396 4b3ee67e7d6a84f2e7f929805bb6d490_NEIKI.exe 83 PID 2396 wrote to memory of 2292 2396 4b3ee67e7d6a84f2e7f929805bb6d490_NEIKI.exe 83 PID 2292 wrote to memory of 3564 2292 Fokbim32.exe 84 PID 2292 wrote to memory of 3564 2292 Fokbim32.exe 84 PID 2292 wrote to memory of 3564 2292 Fokbim32.exe 84 PID 3564 wrote to memory of 552 3564 Fbioei32.exe 85 PID 3564 wrote to memory of 552 3564 Fbioei32.exe 85 PID 3564 wrote to memory of 552 3564 Fbioei32.exe 85 PID 552 wrote to memory of 2552 552 Fcikolnh.exe 86 PID 552 wrote to memory of 2552 552 Fcikolnh.exe 86 PID 552 wrote to memory of 2552 552 Fcikolnh.exe 86 PID 2552 wrote to memory of 384 2552 Ffggkgmk.exe 87 PID 2552 wrote to memory of 384 2552 Ffggkgmk.exe 87 PID 2552 wrote to memory of 384 2552 Ffggkgmk.exe 87 PID 384 wrote to memory of 4808 384 Fbnhphbp.exe 88 PID 384 wrote to memory of 4808 384 Fbnhphbp.exe 88 PID 384 wrote to memory of 4808 384 Fbnhphbp.exe 88 PID 4808 wrote to memory of 3024 4808 Fihqmb32.exe 89 PID 4808 wrote to memory of 3024 4808 Fihqmb32.exe 89 PID 4808 wrote to memory of 3024 4808 Fihqmb32.exe 89 PID 3024 wrote to memory of 2456 3024 Fbqefhpm.exe 91 PID 3024 wrote to memory of 2456 3024 Fbqefhpm.exe 91 PID 3024 wrote to memory of 2456 3024 Fbqefhpm.exe 91 PID 2456 wrote to memory of 3712 2456 Fqaeco32.exe 93 PID 2456 wrote to memory of 3712 2456 Fqaeco32.exe 93 PID 2456 wrote to memory of 3712 2456 Fqaeco32.exe 93 PID 3712 wrote to memory of 1184 3712 Gmhfhp32.exe 94 PID 3712 wrote to memory of 1184 3712 Gmhfhp32.exe 94 PID 3712 wrote to memory of 1184 3712 Gmhfhp32.exe 94 PID 1184 wrote to memory of 1864 1184 Gcbnejem.exe 96 PID 1184 wrote to memory of 1864 1184 Gcbnejem.exe 96 PID 1184 wrote to memory of 1864 1184 Gcbnejem.exe 96 PID 1864 wrote to memory of 912 1864 Gqfooodg.exe 97 PID 1864 wrote to memory of 912 1864 Gqfooodg.exe 97 PID 1864 wrote to memory of 912 1864 Gqfooodg.exe 97 PID 912 wrote to memory of 1428 912 Gcekkjcj.exe 98 PID 912 wrote to memory of 1428 912 Gcekkjcj.exe 98 PID 912 wrote to memory of 1428 912 Gcekkjcj.exe 98 PID 1428 wrote to memory of 5056 1428 Gqikdn32.exe 99 PID 1428 wrote to memory of 5056 1428 Gqikdn32.exe 99 PID 1428 wrote to memory of 5056 1428 Gqikdn32.exe 99 PID 5056 wrote to memory of 4436 5056 Gjapmdid.exe 100 PID 5056 wrote to memory of 4436 5056 Gjapmdid.exe 100 PID 5056 wrote to memory of 4436 5056 Gjapmdid.exe 100 PID 4436 wrote to memory of 2196 4436 Gbldaffp.exe 101 PID 4436 wrote to memory of 2196 4436 Gbldaffp.exe 101 PID 4436 wrote to memory of 2196 4436 Gbldaffp.exe 101 PID 2196 wrote to memory of 3212 2196 Gjclbc32.exe 102 PID 2196 wrote to memory of 3212 2196 Gjclbc32.exe 102 PID 2196 wrote to memory of 3212 2196 Gjclbc32.exe 102 PID 3212 wrote to memory of 1404 3212 Hboagf32.exe 103 PID 3212 wrote to memory of 1404 3212 Hboagf32.exe 103 PID 3212 wrote to memory of 1404 3212 Hboagf32.exe 103 PID 1404 wrote to memory of 3080 1404 Hcnnaikp.exe 104 PID 1404 wrote to memory of 3080 1404 Hcnnaikp.exe 104 PID 1404 wrote to memory of 3080 1404 Hcnnaikp.exe 104 PID 3080 wrote to memory of 5084 3080 Hmfbjnbp.exe 105 PID 3080 wrote to memory of 5084 3080 Hmfbjnbp.exe 105 PID 3080 wrote to memory of 5084 3080 Hmfbjnbp.exe 105 PID 5084 wrote to memory of 2252 5084 Hbckbepg.exe 106 PID 5084 wrote to memory of 2252 5084 Hbckbepg.exe 106 PID 5084 wrote to memory of 2252 5084 Hbckbepg.exe 106 PID 2252 wrote to memory of 900 2252 Himcoo32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b3ee67e7d6a84f2e7f929805bb6d490_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\4b3ee67e7d6a84f2e7f929805bb6d490_NEIKI.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe25⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3188 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe30⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe31⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe32⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe33⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3556 -
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4240 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe36⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3492 -
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:4684 -
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:4656 -
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe40⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe42⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:3196 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe44⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4876 -
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe46⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe47⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe49⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4724 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1452 -
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe52⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3636 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe54⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe56⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe59⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe60⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:4472 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe62⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe63⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe64⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe65⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5100 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe67⤵PID:2256
-
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3084 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe70⤵
- Drops file in System32 directory
PID:3856 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3568 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe72⤵PID:3692
-
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe73⤵PID:4368
-
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe74⤵
- Modifies registry class
PID:4924 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe75⤵PID:712
-
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3916 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe77⤵PID:1408
-
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe78⤵PID:1092
-
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe80⤵PID:3608
-
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe81⤵PID:1920
-
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1580 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe83⤵PID:4872
-
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe84⤵PID:5116
-
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe85⤵PID:1308
-
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe86⤵PID:3412
-
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe87⤵PID:2180
-
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:3420 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe89⤵
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe90⤵PID:4620
-
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4776 -
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe92⤵PID:2660
-
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe93⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe94⤵PID:3276
-
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe95⤵PID:524
-
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe96⤵PID:4672
-
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe97⤵PID:1616
-
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe98⤵PID:1336
-
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe100⤵PID:5144
-
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe101⤵
- Modifies registry class
PID:5192 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe102⤵PID:5236
-
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe103⤵PID:5280
-
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5324 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5368 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5412 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe107⤵PID:5448
-
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe108⤵PID:5500
-
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe109⤵PID:5540
-
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5580 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe111⤵PID:5628
-
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe112⤵PID:5668
-
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe113⤵PID:5712
-
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe114⤵PID:5756
-
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5796 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe116⤵PID:5836
-
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe117⤵PID:5880
-
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe118⤵PID:5924
-
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe119⤵PID:5968
-
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:6012 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe121⤵PID:6056
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-