Analysis
-
max time kernel
146s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
07-05-2024 22:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4c8a588672a71f1b42ff5e63f8d68370_NEIKI.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
4c8a588672a71f1b42ff5e63f8d68370_NEIKI.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
4c8a588672a71f1b42ff5e63f8d68370_NEIKI.exe
-
Size
136KB
-
MD5
4c8a588672a71f1b42ff5e63f8d68370
-
SHA1
7d722d9a0e825e9f2ee6b9240d92527cc96f0db9
-
SHA256
6fd33c89dfce081aad16f54921e2a4112024b10fd383e99d51fa3c94268484f3
-
SHA512
050653df60794417eb3ee742aa17caeda268fc2d3f9eeffc2a71c6727c124cd5e6d2897eb4104211cb1e9a1f5b2caadf4692bb3665b1b5c558ba9bbb56312919
-
SSDEEP
3072:APG2XXkDQMsohLwdNbw+Y92xQuohLwdNbw5bxH0zVWccA:AuU0DQMsohxd2Quohdbd0zscj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdeeqehb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbhek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqelenlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqmcpahh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aemkjiem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqjepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leajdfnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfgmhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lliflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piphee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlblkhei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkodhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmhodf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhnfkigh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aepojo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebinic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojfaijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbdnoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohigamf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiinen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdccfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okikfagn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbhabjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odegpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plfamfpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pabjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elmigj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apimacnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpnojioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcbakpdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monhhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncahjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddigjkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijgdngmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pklhlael.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bioqclil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolnad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklkmnbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqqapjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igihbknb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijgdngmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqdajkkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejoiedd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqideepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgilchkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llkbap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppmdbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbnbobin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dngoibmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbakpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kihqkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aipddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajpelhl.exe -
Executes dropped EXE 64 IoCs
pid Process 2992 Mpjoqhah.exe 2968 Mkobnqan.exe 2548 Nplkfgoe.exe 2512 Ncjgbcoi.exe 2532 Nkaocp32.exe 2416 Nnplpl32.exe 1612 Nlblkhei.exe 2348 Ncmdhb32.exe 2464 Nfkpdn32.exe 2356 Nnbhek32.exe 992 Nqqdag32.exe 2276 Ncoamb32.exe 1436 Nfmmin32.exe 2752 Nhlifi32.exe 2100 Nlgefh32.exe 2780 Ncancbha.exe 1400 Nbdnoo32.exe 1716 Njkfpl32.exe 2364 Nhnfkigh.exe 2336 Nmjblg32.exe 2820 Nkmbgdfl.exe 956 Nccjhafn.exe 908 Ofbfdmeb.exe 3004 Odegpj32.exe 2476 Ohqbqhde.exe 1628 Okoomd32.exe 3048 Onmkio32.exe 2800 Oicpfh32.exe 1112 Okalbc32.exe 2392 Obkdonic.exe 2712 Oqqapjnk.exe 2564 Ocomlemo.exe 1860 Okfencna.exe 1892 Ondajnme.exe 1648 Oqcnfjli.exe 1836 Oenifh32.exe 1348 Ogmfbd32.exe 2008 Ofpfnqjp.exe 584 Pminkk32.exe 2652 Pphjgfqq.exe 2168 Pgobhcac.exe 1260 Pjmodopf.exe 1568 Pmlkpjpj.exe 1312 Ppjglfon.exe 2036 Pbiciana.exe 1672 Pjpkjond.exe 1524 Pmnhfjmg.exe 2096 Ppmdbe32.exe 2524 Pchpbded.exe 344 Pfflopdh.exe 2400 Peiljl32.exe 2056 Pmqdkj32.exe 2772 Plcdgfbo.exe 2728 Pfiidobe.exe 1668 Pelipl32.exe 2296 Phjelg32.exe 2648 Plfamfpm.exe 1004 Pabjem32.exe 2472 Penfelgm.exe 1856 Qhmbagfa.exe 2816 Qjknnbed.exe 2756 Qnfjna32.exe 744 Qbbfopeg.exe 2304 Qaefjm32.exe -
Loads dropped DLL 64 IoCs
pid Process 2204 4c8a588672a71f1b42ff5e63f8d68370_NEIKI.exe 2204 4c8a588672a71f1b42ff5e63f8d68370_NEIKI.exe 2992 Mpjoqhah.exe 2992 Mpjoqhah.exe 2968 Mkobnqan.exe 2968 Mkobnqan.exe 2548 Nplkfgoe.exe 2548 Nplkfgoe.exe 2512 Ncjgbcoi.exe 2512 Ncjgbcoi.exe 2532 Nkaocp32.exe 2532 Nkaocp32.exe 2416 Nnplpl32.exe 2416 Nnplpl32.exe 1612 Nlblkhei.exe 1612 Nlblkhei.exe 2348 Ncmdhb32.exe 2348 Ncmdhb32.exe 2464 Nfkpdn32.exe 2464 Nfkpdn32.exe 2356 Nnbhek32.exe 2356 Nnbhek32.exe 992 Nqqdag32.exe 992 Nqqdag32.exe 2276 Ncoamb32.exe 2276 Ncoamb32.exe 1436 Nfmmin32.exe 1436 Nfmmin32.exe 2752 Nhlifi32.exe 2752 Nhlifi32.exe 2100 Nlgefh32.exe 2100 Nlgefh32.exe 2780 Ncancbha.exe 2780 Ncancbha.exe 1400 Nbdnoo32.exe 1400 Nbdnoo32.exe 1716 Njkfpl32.exe 1716 Njkfpl32.exe 2364 Nhnfkigh.exe 2364 Nhnfkigh.exe 2336 Nmjblg32.exe 2336 Nmjblg32.exe 2820 Nkmbgdfl.exe 2820 Nkmbgdfl.exe 956 Nccjhafn.exe 956 Nccjhafn.exe 908 Ofbfdmeb.exe 908 Ofbfdmeb.exe 3004 Odegpj32.exe 3004 Odegpj32.exe 2476 Ohqbqhde.exe 2476 Ohqbqhde.exe 1628 Okoomd32.exe 1628 Okoomd32.exe 3048 Onmkio32.exe 3048 Onmkio32.exe 2800 Oicpfh32.exe 2800 Oicpfh32.exe 1112 Okalbc32.exe 1112 Okalbc32.exe 2392 Obkdonic.exe 2392 Obkdonic.exe 2712 Oqqapjnk.exe 2712 Oqqapjnk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fmlapp32.exe Feeiob32.exe File opened for modification C:\Windows\SysWOW64\Lkppbl32.exe Lhbcfa32.exe File created C:\Windows\SysWOW64\Monhhk32.exe Mkclhl32.exe File created C:\Windows\SysWOW64\Lblqijln.dll Ncjqhmkm.exe File opened for modification C:\Windows\SysWOW64\Nfkpdn32.exe Ncmdhb32.exe File opened for modification C:\Windows\SysWOW64\Aajpelhl.exe Ankdiqih.exe File opened for modification C:\Windows\SysWOW64\Aalmklfi.exe Ampqjm32.exe File opened for modification C:\Windows\SysWOW64\Djbiicon.exe Dfgmhd32.exe File created C:\Windows\SysWOW64\Fjkhohik.dll Obcccl32.exe File created C:\Windows\SysWOW64\Inegme32.dll Eibbcm32.exe File opened for modification C:\Windows\SysWOW64\Cndbcc32.exe Ckffgg32.exe File opened for modification C:\Windows\SysWOW64\Aadloj32.exe Amhpnkch.exe File opened for modification C:\Windows\SysWOW64\Cdlgpgef.exe Cldooj32.exe File created C:\Windows\SysWOW64\Kqmoql32.dll Plfamfpm.exe File created C:\Windows\SysWOW64\Pienahqb.dll Aenbdoii.exe File created C:\Windows\SysWOW64\Fbeccf32.dll Abbbnchb.exe File opened for modification C:\Windows\SysWOW64\Cphlljge.exe Cllpkl32.exe File created C:\Windows\SysWOW64\Mcaiqm32.dll Oikojfgk.exe File created C:\Windows\SysWOW64\Geemiobo.dll Edkcojga.exe File created C:\Windows\SysWOW64\Adhlaggp.exe Aajpelhl.exe File created C:\Windows\SysWOW64\Abpfhcje.exe Alenki32.exe File opened for modification C:\Windows\SysWOW64\Cllpkl32.exe Cfbhnaho.exe File created C:\Windows\SysWOW64\Hckcmjep.exe Hlakpp32.exe File created C:\Windows\SysWOW64\Bnpanefm.dll Kbqecg32.exe File created C:\Windows\SysWOW64\Pjadmnic.exe Pgbhabjp.exe File created C:\Windows\SysWOW64\Djihnh32.dll Pjhknm32.exe File created C:\Windows\SysWOW64\Dnoomqbg.exe Dolnad32.exe File opened for modification C:\Windows\SysWOW64\Enkece32.exe Epieghdk.exe File created C:\Windows\SysWOW64\Gmgdddmq.exe Gkihhhnm.exe File opened for modification C:\Windows\SysWOW64\Inqcif32.exe Ihdkao32.exe File created C:\Windows\SysWOW64\Jifdebic.exe Jejhecaj.exe File created C:\Windows\SysWOW64\Oqcnfjli.exe Ondajnme.exe File created C:\Windows\SysWOW64\Cfbhnaho.exe Cgpgce32.exe File opened for modification C:\Windows\SysWOW64\Moiklogi.exe Mmhodf32.exe File created C:\Windows\SysWOW64\Haloha32.dll Bekkcljk.exe File created C:\Windows\SysWOW64\Cabknqko.dll Hlakpp32.exe File created C:\Windows\SysWOW64\Bgmefakc.dll Onhgbmfb.exe File created C:\Windows\SysWOW64\Bbhela32.exe Bdeeqehb.exe File created C:\Windows\SysWOW64\Elgkkpon.dll Cpkbdiqb.exe File opened for modification C:\Windows\SysWOW64\Pfflopdh.exe Pchpbded.exe File opened for modification C:\Windows\SysWOW64\Ampqjm32.exe Ajbdna32.exe File opened for modification C:\Windows\SysWOW64\Dnilobkm.exe Dkkpbgli.exe File created C:\Windows\SysWOW64\Fmjejphb.exe Fjlhneio.exe File opened for modification C:\Windows\SysWOW64\Cnaocmmi.exe Cjfccn32.exe File created C:\Windows\SysWOW64\Blopagpd.dll Dbfabp32.exe File created C:\Windows\SysWOW64\Dggcffhg.exe Ddigjkid.exe File created C:\Windows\SysWOW64\Ncgdbmmp.exe Mpigfa32.exe File created C:\Windows\SysWOW64\Naajoinb.exe Nocnbmoo.exe File opened for modification C:\Windows\SysWOW64\Okikfagn.exe Oikojfgk.exe File created C:\Windows\SysWOW64\Jicdaj32.dll Qmicohqm.exe File created C:\Windows\SysWOW64\Apomfh32.exe Aalmklfi.exe File created C:\Windows\SysWOW64\Cgpgce32.exe Cljcelan.exe File opened for modification C:\Windows\SysWOW64\Dflkdp32.exe Cndbcc32.exe File opened for modification C:\Windows\SysWOW64\Eihfjo32.exe Djefobmk.exe File created C:\Windows\SysWOW64\Ajdplfmo.dll Alegac32.exe File created C:\Windows\SysWOW64\Ekhhadmk.exe Ecqqpgli.exe File opened for modification C:\Windows\SysWOW64\Ejmebq32.exe Edpmjj32.exe File opened for modification C:\Windows\SysWOW64\Emnndlod.exe Eibbcm32.exe File opened for modification C:\Windows\SysWOW64\Bingpmnl.exe Bebkpn32.exe File opened for modification C:\Windows\SysWOW64\Bkaqmeah.exe Bloqah32.exe File created C:\Windows\SysWOW64\Nhlhki32.dll Kfegbj32.exe File created C:\Windows\SysWOW64\Fkeemhpn.dll Mpigfa32.exe File created C:\Windows\SysWOW64\Dqjepm32.exe Djpmccqq.exe File opened for modification C:\Windows\SysWOW64\Eqonkmdh.exe Eihfjo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5836 5860 WerFault.exe 537 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebjglbml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohqbqhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmgdddmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolpjf32.dll" Pjadmnic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiondcpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqkqkdne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjadmnic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fonfbi32.dll" Ncjgbcoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogmfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbiciana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll" Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecenlqh.dll" Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibkki32.dll" Leajdfnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aelcmdee.dll" Qfahhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dogefd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 4c8a588672a71f1b42ff5e63f8d68370_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhpoo32.dll" Nqqdag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnneja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbnhng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqalka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkahhbbj.dll" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgnamk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbcnhjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadddkfi.dll" Oqideepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obkdonic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdjgej32.dll" Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opanhd32.dll" Bloqah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmaibnf.dll" Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanjadqp.dll" Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhpiojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obljmlpp.dll" Njkfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompoljfn.dll" Obkdonic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hobcak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpfdalii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loeebl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accikb32.dll" Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll" Ebpkce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbla32.dll" Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhhpp32.dll" Ceaadk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcaiqm32.dll" Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkemkhcd.dll" Pefijfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpecfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flmpfjke.dll" Kcfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll" Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleofcd.dll" Lecgje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkppbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll" Dkcofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokokc32.dll" Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geemiobo.dll" Edkcojga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jonplmcb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2204 wrote to memory of 2992 2204 4c8a588672a71f1b42ff5e63f8d68370_NEIKI.exe 28 PID 2204 wrote to memory of 2992 2204 4c8a588672a71f1b42ff5e63f8d68370_NEIKI.exe 28 PID 2204 wrote to memory of 2992 2204 4c8a588672a71f1b42ff5e63f8d68370_NEIKI.exe 28 PID 2204 wrote to memory of 2992 2204 4c8a588672a71f1b42ff5e63f8d68370_NEIKI.exe 28 PID 2992 wrote to memory of 2968 2992 Mpjoqhah.exe 29 PID 2992 wrote to memory of 2968 2992 Mpjoqhah.exe 29 PID 2992 wrote to memory of 2968 2992 Mpjoqhah.exe 29 PID 2992 wrote to memory of 2968 2992 Mpjoqhah.exe 29 PID 2968 wrote to memory of 2548 2968 Mkobnqan.exe 30 PID 2968 wrote to memory of 2548 2968 Mkobnqan.exe 30 PID 2968 wrote to memory of 2548 2968 Mkobnqan.exe 30 PID 2968 wrote to memory of 2548 2968 Mkobnqan.exe 30 PID 2548 wrote to memory of 2512 2548 Nplkfgoe.exe 31 PID 2548 wrote to memory of 2512 2548 Nplkfgoe.exe 31 PID 2548 wrote to memory of 2512 2548 Nplkfgoe.exe 31 PID 2548 wrote to memory of 2512 2548 Nplkfgoe.exe 31 PID 2512 wrote to memory of 2532 2512 Ncjgbcoi.exe 32 PID 2512 wrote to memory of 2532 2512 Ncjgbcoi.exe 32 PID 2512 wrote to memory of 2532 2512 Ncjgbcoi.exe 32 PID 2512 wrote to memory of 2532 2512 Ncjgbcoi.exe 32 PID 2532 wrote to memory of 2416 2532 Nkaocp32.exe 33 PID 2532 wrote to memory of 2416 2532 Nkaocp32.exe 33 PID 2532 wrote to memory of 2416 2532 Nkaocp32.exe 33 PID 2532 wrote to memory of 2416 2532 Nkaocp32.exe 33 PID 2416 wrote to memory of 1612 2416 Nnplpl32.exe 34 PID 2416 wrote to memory of 1612 2416 Nnplpl32.exe 34 PID 2416 wrote to memory of 1612 2416 Nnplpl32.exe 34 PID 2416 wrote to memory of 1612 2416 Nnplpl32.exe 34 PID 1612 wrote to memory of 2348 1612 Nlblkhei.exe 35 PID 1612 wrote to memory of 2348 1612 Nlblkhei.exe 35 PID 1612 wrote to memory of 2348 1612 Nlblkhei.exe 35 PID 1612 wrote to memory of 2348 1612 Nlblkhei.exe 35 PID 2348 wrote to memory of 2464 2348 Ncmdhb32.exe 36 PID 2348 wrote to memory of 2464 2348 Ncmdhb32.exe 36 PID 2348 wrote to memory of 2464 2348 Ncmdhb32.exe 36 PID 2348 wrote to memory of 2464 2348 Ncmdhb32.exe 36 PID 2464 wrote to memory of 2356 2464 Nfkpdn32.exe 37 PID 2464 wrote to memory of 2356 2464 Nfkpdn32.exe 37 PID 2464 wrote to memory of 2356 2464 Nfkpdn32.exe 37 PID 2464 wrote to memory of 2356 2464 Nfkpdn32.exe 37 PID 2356 wrote to memory of 992 2356 Nnbhek32.exe 38 PID 2356 wrote to memory of 992 2356 Nnbhek32.exe 38 PID 2356 wrote to memory of 992 2356 Nnbhek32.exe 38 PID 2356 wrote to memory of 992 2356 Nnbhek32.exe 38 PID 992 wrote to memory of 2276 992 Nqqdag32.exe 39 PID 992 wrote to memory of 2276 992 Nqqdag32.exe 39 PID 992 wrote to memory of 2276 992 Nqqdag32.exe 39 PID 992 wrote to memory of 2276 992 Nqqdag32.exe 39 PID 2276 wrote to memory of 1436 2276 Ncoamb32.exe 40 PID 2276 wrote to memory of 1436 2276 Ncoamb32.exe 40 PID 2276 wrote to memory of 1436 2276 Ncoamb32.exe 40 PID 2276 wrote to memory of 1436 2276 Ncoamb32.exe 40 PID 1436 wrote to memory of 2752 1436 Nfmmin32.exe 41 PID 1436 wrote to memory of 2752 1436 Nfmmin32.exe 41 PID 1436 wrote to memory of 2752 1436 Nfmmin32.exe 41 PID 1436 wrote to memory of 2752 1436 Nfmmin32.exe 41 PID 2752 wrote to memory of 2100 2752 Nhlifi32.exe 42 PID 2752 wrote to memory of 2100 2752 Nhlifi32.exe 42 PID 2752 wrote to memory of 2100 2752 Nhlifi32.exe 42 PID 2752 wrote to memory of 2100 2752 Nhlifi32.exe 42 PID 2100 wrote to memory of 2780 2100 Nlgefh32.exe 43 PID 2100 wrote to memory of 2780 2100 Nlgefh32.exe 43 PID 2100 wrote to memory of 2780 2100 Nlgefh32.exe 43 PID 2100 wrote to memory of 2780 2100 Nlgefh32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c8a588672a71f1b42ff5e63f8d68370_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\4c8a588672a71f1b42ff5e63f8d68370_NEIKI.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1400 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1112 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe33⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe34⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe36⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe37⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe39⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe40⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe41⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe42⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe43⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe44⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe45⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe47⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe48⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe51⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe52⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe54⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe55⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe56⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe57⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe60⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe61⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe62⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe63⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:744 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe65⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe67⤵PID:1772
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe68⤵PID:2620
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe69⤵PID:2060
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe70⤵PID:3024
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe71⤵PID:2412
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe72⤵PID:1500
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe73⤵
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe75⤵PID:2520
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe76⤵PID:1900
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe77⤵
- Drops file in System32 directory
PID:272 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe78⤵
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe79⤵
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe80⤵PID:2468
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe81⤵PID:2852
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe82⤵PID:1632
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe83⤵PID:1544
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe84⤵
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe85⤵PID:1696
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe86⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe88⤵PID:2152
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe89⤵PID:872
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe90⤵
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe91⤵PID:1468
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:692 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe93⤵PID:1096
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe94⤵PID:1396
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe95⤵PID:1080
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe96⤵PID:2016
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe97⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe98⤵PID:2184
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe99⤵PID:2436
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1640 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe101⤵PID:312
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe102⤵PID:1028
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe104⤵PID:2920
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe105⤵PID:2888
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe106⤵PID:3036
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe107⤵PID:268
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2088 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe109⤵PID:1708
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe110⤵PID:888
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe111⤵PID:2612
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2492 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe113⤵
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe114⤵PID:2272
-
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe115⤵PID:1960
-
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe116⤵
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe117⤵
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe118⤵
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe119⤵
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe120⤵PID:2684
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe121⤵PID:448
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-