Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 20:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1d2b19148bfc8339813959579d8ad480_NEIKI.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1d2b19148bfc8339813959579d8ad480_NEIKI.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1d2b19148bfc8339813959579d8ad480_NEIKI.exe
-
Size
95KB
-
MD5
1d2b19148bfc8339813959579d8ad480
-
SHA1
390f03b7b619e4fd15cc5756196f54a7ff05356a
-
SHA256
406b4c4f5faf3215d9c06924e2b2f36dce3f904ce6187e2549071aebced2f066
-
SHA512
54f5e2626ab2d40813dcca1b36905ce350300ce8e3e78303334d18f1dad2f0a0334eff36b6b3725f2568f253884db61094612045c731feedb3f842c911943b5d
-
SSDEEP
1536:xvRhn2CqBFsk0tEQmd5Pw2dFqaWWypRQrdRVRoRch1dROrwpOudRirVtFsrTpMG8:xvRYCqBGRtZmMCqaWWypeJTWM1dQrTOE
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meiioonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhdhon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahcajk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfqmpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fafkecel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ageolo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gddbcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpablkhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pflplnlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjlgdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajcbgml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifllil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhlhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbkhfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Coknoaic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gekcaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcmofolg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckajehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkpbin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkbkdkpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdokdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahgjejhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbbagk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpodlbng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkmioc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmlilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioambknl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ophjiaql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohghgodi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncgkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdfbibnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchhggno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjhfpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Agdhbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpejlmcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poodpmca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jklphekp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbapjafe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmcojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gipdap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 4212 Dofpgqji.exe 3212 Dadlclim.exe 4664 Dljqpd32.exe 3672 Dcdimopp.exe 3936 Djnaji32.exe 4348 Dokjbp32.exe 2976 Dfdbojmq.exe 4068 Dpjflb32.exe 2968 Efgodj32.exe 2860 Epmcab32.exe 4676 Ejegjh32.exe 2620 Epopgbia.exe 1952 Ebploj32.exe 5104 Eqalmafo.exe 1556 Ecphimfb.exe 1844 Ehlaaddj.exe 4304 Eqciba32.exe 3232 Efpajh32.exe 1444 Eqfeha32.exe 1760 Ffbnph32.exe 4020 Fhajlc32.exe 2060 Fokbim32.exe 1080 Fjqgff32.exe 2336 Fcikolnh.exe 2324 Ffggkgmk.exe 3944 Fckhdk32.exe 2028 Fjepaecb.exe 4352 Fobiilai.exe 4384 Fijmbb32.exe 1608 Gcpapkgp.exe 2984 Gimjhafg.exe 2740 Gqdbiofi.exe 3476 Gmkbnp32.exe 3528 Gqfooodg.exe 1652 Gjocgdkg.exe 4112 Gpklpkio.exe 2332 Gbjhlfhb.exe 1864 Gidphq32.exe 5112 Gcidfi32.exe 396 Gjclbc32.exe 1168 Gppekj32.exe 1892 Hboagf32.exe 5048 Hmdedo32.exe 3988 Hcnnaikp.exe 384 Hbanme32.exe 372 Habnjm32.exe 664 Hpenfjad.exe 4692 Hmioonpn.exe 3572 Hpgkkioa.exe 4048 Hfachc32.exe 1128 Haggelfd.exe 5028 Hcedaheh.exe 4280 Hmmhjm32.exe 3556 Icgqggce.exe 4748 Impepm32.exe 1120 Ibmmhdhm.exe 4108 Iiffen32.exe 4672 Imbaemhc.exe 232 Ipqnahgf.exe 3348 Ijfboafl.exe 3632 Imdnklfp.exe 4892 Ipckgh32.exe 3800 Ifmcdblq.exe 3924 Imgkql32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Biepfnpi.dll Process not Found File created C:\Windows\SysWOW64\Cdbinofi.dll Jidklf32.exe File created C:\Windows\SysWOW64\Adgbpc32.exe Ajanck32.exe File created C:\Windows\SysWOW64\Hmcldf32.dll Dlkbjqgm.exe File opened for modification C:\Windows\SysWOW64\Mjokgg32.exe Mkmkkjko.exe File opened for modification C:\Windows\SysWOW64\Nncccnol.exe Process not Found File created C:\Windows\SysWOW64\Bdfpkm32.exe Process not Found File created C:\Windows\SysWOW64\Bhaebcen.exe Becifhfj.exe File opened for modification C:\Windows\SysWOW64\Kmdqgd32.exe Kfjhkjle.exe File created C:\Windows\SysWOW64\Adfonlkp.dll Process not Found File created C:\Windows\SysWOW64\Mfnoqc32.exe Process not Found File created C:\Windows\SysWOW64\Acnemi32.exe Aqoiqn32.exe File created C:\Windows\SysWOW64\Fbcolk32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cfnqklgh.exe Ckilmcgb.exe File created C:\Windows\SysWOW64\Hlhccj32.exe Hiiggoaf.exe File opened for modification C:\Windows\SysWOW64\Hbhboolf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mdfofakp.exe Mahbje32.exe File created C:\Windows\SysWOW64\Cqpnpgeo.dll Mfaqhp32.exe File created C:\Windows\SysWOW64\Hjhgac32.dll Plejdkmm.exe File created C:\Windows\SysWOW64\Cepjip32.dll Process not Found File created C:\Windows\SysWOW64\Bnckcnhb.dll Kmgdgjek.exe File created C:\Windows\SysWOW64\Liggbi32.exe Lcmofolg.exe File created C:\Windows\SysWOW64\Kkbdni32.dll Poaqemao.exe File opened for modification C:\Windows\SysWOW64\Pdkoch32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qfkqjmdg.exe Process not Found File created C:\Windows\SysWOW64\Ebkbbmqj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ifmcdblq.exe Ipckgh32.exe File opened for modification C:\Windows\SysWOW64\Lnepih32.exe Lkgdml32.exe File created C:\Windows\SysWOW64\Canidb32.dll Kdcbom32.exe File created C:\Windows\SysWOW64\Lnijaa32.dll Ienekbld.exe File created C:\Windows\SysWOW64\Bionkjfo.dll Mjneln32.exe File created C:\Windows\SysWOW64\Famkjfqd.dll Process not Found File created C:\Windows\SysWOW64\Hcedaheh.exe Haggelfd.exe File opened for modification C:\Windows\SysWOW64\Oqdoboli.exe Obangb32.exe File created C:\Windows\SysWOW64\Dlkbjqgm.exe Djjebh32.exe File created C:\Windows\SysWOW64\Ljhnlb32.exe Process not Found File created C:\Windows\SysWOW64\Jfkohq32.dll Igigla32.exe File created C:\Windows\SysWOW64\Nglhld32.exe Process not Found File created C:\Windows\SysWOW64\Cedckdaj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cibain32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pabkdmpi.exe Pndohaqe.exe File created C:\Windows\SysWOW64\Gidjfdep.dll Cdkldb32.exe File created C:\Windows\SysWOW64\Lmldgi32.dll Iehfdi32.exe File created C:\Windows\SysWOW64\Mjddiqoc.dll Jfcbjk32.exe File created C:\Windows\SysWOW64\Ocgkan32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Edopabqn.exe Epcdqd32.exe File created C:\Windows\SysWOW64\Blgifbil.exe Process not Found File created C:\Windows\SysWOW64\Hboagf32.exe Gppekj32.exe File created C:\Windows\SysWOW64\Obangb32.exe Okhfjh32.exe File opened for modification C:\Windows\SysWOW64\Ogaceh32.exe Oqgkhnjf.exe File created C:\Windows\SysWOW64\Flgehc32.dll Cndikf32.exe File opened for modification C:\Windows\SysWOW64\Hfpecg32.exe Hofmfmhj.exe File opened for modification C:\Windows\SysWOW64\Cfadkb32.exe Cadlbk32.exe File created C:\Windows\SysWOW64\Ejphhm32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jilfifme.exe Process not Found File created C:\Windows\SysWOW64\Hpahkbdh.dll Process not Found File created C:\Windows\SysWOW64\Pflplnlg.exe Pcncpbmd.exe File opened for modification C:\Windows\SysWOW64\Adgbpc32.exe Ajanck32.exe File opened for modification C:\Windows\SysWOW64\Hpomcp32.exe Hjedffig.exe File created C:\Windows\SysWOW64\Dphefd32.dll Jjmcnbdm.exe File created C:\Windows\SysWOW64\Phodcg32.exe Process not Found File created C:\Windows\SysWOW64\Gbnoiqdq.exe Process not Found File created C:\Windows\SysWOW64\Modpib32.exe Process not Found File created C:\Windows\SysWOW64\Laopdgcg.exe Liggbi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6492 1552 Process not Found 1644 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aompak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebommi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimgpahk.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eqciba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgbefoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkohe32.dll" Mcqjon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gjclbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndidbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njkoaebi.dll" Oqgkhnjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibpiogmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njghbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhcpa32.dll" Okgaijaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdmpcdfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnjafgo.dll" Hkdbpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djdmffnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmhqnncg.dll" Cgcmjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjellmbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cglgjeci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ocqnij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkjmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbpgbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhoilahe.dll" Jeklag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjfilbnn.dll" Gadqlkep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpabql32.dll" Hnodaecc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiilcp32.dll" Poajkgnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeichoo.dll" Ckkiccep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhafkok.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignjamf.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Olmeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcppfn32.dll" Nbadcpbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pabkdmpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Becbkfdh.dll" Cbgbgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmnoof32.dll" Gicinj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jlpkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajiknpjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpehad32.dll" Ifihif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgpecj32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gppekj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckedalaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojjolnaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idfaefkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Impepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll" Qgcbgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkgdml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mifljdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieneofbo.dll" Ckfphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafkfgeh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjmcmj32.dll" Pqpnombl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ngdfdmdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahgjejhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bkafmd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4832 wrote to memory of 4212 4832 1d2b19148bfc8339813959579d8ad480_NEIKI.exe 83 PID 4832 wrote to memory of 4212 4832 1d2b19148bfc8339813959579d8ad480_NEIKI.exe 83 PID 4832 wrote to memory of 4212 4832 1d2b19148bfc8339813959579d8ad480_NEIKI.exe 83 PID 4212 wrote to memory of 3212 4212 Dofpgqji.exe 84 PID 4212 wrote to memory of 3212 4212 Dofpgqji.exe 84 PID 4212 wrote to memory of 3212 4212 Dofpgqji.exe 84 PID 3212 wrote to memory of 4664 3212 Dadlclim.exe 85 PID 3212 wrote to memory of 4664 3212 Dadlclim.exe 85 PID 3212 wrote to memory of 4664 3212 Dadlclim.exe 85 PID 4664 wrote to memory of 3672 4664 Dljqpd32.exe 86 PID 4664 wrote to memory of 3672 4664 Dljqpd32.exe 86 PID 4664 wrote to memory of 3672 4664 Dljqpd32.exe 86 PID 3672 wrote to memory of 3936 3672 Dcdimopp.exe 87 PID 3672 wrote to memory of 3936 3672 Dcdimopp.exe 87 PID 3672 wrote to memory of 3936 3672 Dcdimopp.exe 87 PID 3936 wrote to memory of 4348 3936 Djnaji32.exe 88 PID 3936 wrote to memory of 4348 3936 Djnaji32.exe 88 PID 3936 wrote to memory of 4348 3936 Djnaji32.exe 88 PID 4348 wrote to memory of 2976 4348 Dokjbp32.exe 89 PID 4348 wrote to memory of 2976 4348 Dokjbp32.exe 89 PID 4348 wrote to memory of 2976 4348 Dokjbp32.exe 89 PID 2976 wrote to memory of 4068 2976 Dfdbojmq.exe 90 PID 2976 wrote to memory of 4068 2976 Dfdbojmq.exe 90 PID 2976 wrote to memory of 4068 2976 Dfdbojmq.exe 90 PID 4068 wrote to memory of 2968 4068 Dpjflb32.exe 91 PID 4068 wrote to memory of 2968 4068 Dpjflb32.exe 91 PID 4068 wrote to memory of 2968 4068 Dpjflb32.exe 91 PID 2968 wrote to memory of 2860 2968 Efgodj32.exe 92 PID 2968 wrote to memory of 2860 2968 Efgodj32.exe 92 PID 2968 wrote to memory of 2860 2968 Efgodj32.exe 92 PID 2860 wrote to memory of 4676 2860 Epmcab32.exe 93 PID 2860 wrote to memory of 4676 2860 Epmcab32.exe 93 PID 2860 wrote to memory of 4676 2860 Epmcab32.exe 93 PID 4676 wrote to memory of 2620 4676 Ejegjh32.exe 94 PID 4676 wrote to memory of 2620 4676 Ejegjh32.exe 94 PID 4676 wrote to memory of 2620 4676 Ejegjh32.exe 94 PID 2620 wrote to memory of 1952 2620 Epopgbia.exe 95 PID 2620 wrote to memory of 1952 2620 Epopgbia.exe 95 PID 2620 wrote to memory of 1952 2620 Epopgbia.exe 95 PID 1952 wrote to memory of 5104 1952 Ebploj32.exe 96 PID 1952 wrote to memory of 5104 1952 Ebploj32.exe 96 PID 1952 wrote to memory of 5104 1952 Ebploj32.exe 96 PID 5104 wrote to memory of 1556 5104 Eqalmafo.exe 97 PID 5104 wrote to memory of 1556 5104 Eqalmafo.exe 97 PID 5104 wrote to memory of 1556 5104 Eqalmafo.exe 97 PID 1556 wrote to memory of 1844 1556 Ecphimfb.exe 99 PID 1556 wrote to memory of 1844 1556 Ecphimfb.exe 99 PID 1556 wrote to memory of 1844 1556 Ecphimfb.exe 99 PID 1844 wrote to memory of 4304 1844 Ehlaaddj.exe 100 PID 1844 wrote to memory of 4304 1844 Ehlaaddj.exe 100 PID 1844 wrote to memory of 4304 1844 Ehlaaddj.exe 100 PID 4304 wrote to memory of 3232 4304 Eqciba32.exe 101 PID 4304 wrote to memory of 3232 4304 Eqciba32.exe 101 PID 4304 wrote to memory of 3232 4304 Eqciba32.exe 101 PID 3232 wrote to memory of 1444 3232 Efpajh32.exe 102 PID 3232 wrote to memory of 1444 3232 Efpajh32.exe 102 PID 3232 wrote to memory of 1444 3232 Efpajh32.exe 102 PID 1444 wrote to memory of 1760 1444 Eqfeha32.exe 104 PID 1444 wrote to memory of 1760 1444 Eqfeha32.exe 104 PID 1444 wrote to memory of 1760 1444 Eqfeha32.exe 104 PID 1760 wrote to memory of 4020 1760 Ffbnph32.exe 105 PID 1760 wrote to memory of 4020 1760 Ffbnph32.exe 105 PID 1760 wrote to memory of 4020 1760 Ffbnph32.exe 105 PID 4020 wrote to memory of 2060 4020 Fhajlc32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d2b19148bfc8339813959579d8ad480_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\1d2b19148bfc8339813959579d8ad480_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe23⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe24⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe25⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe26⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe27⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe28⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe29⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe30⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe31⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe32⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe33⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe34⤵
- Executes dropped EXE
PID:3476 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe35⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe36⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe37⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Gbjhlfhb.exeC:\Windows\system32\Gbjhlfhb.exe38⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe39⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe40⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:396 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe43⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe44⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe45⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe46⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe47⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe48⤵
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe49⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe50⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe51⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1128 -
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe53⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe54⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe55⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:4748 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe57⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe58⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe59⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe60⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe61⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Imdnklfp.exeC:\Windows\system32\Imdnklfp.exe62⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4892 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe64⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe65⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe66⤵PID:4644
-
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe67⤵PID:2252
-
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe68⤵PID:5020
-
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe69⤵PID:4076
-
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe70⤵PID:4920
-
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe71⤵PID:2788
-
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe72⤵PID:1744
-
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe73⤵PID:2856
-
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe74⤵PID:3792
-
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe75⤵PID:3164
-
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe76⤵PID:1548
-
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe77⤵PID:3824
-
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe78⤵PID:3756
-
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe79⤵PID:1144
-
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe80⤵PID:2092
-
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe81⤵PID:4176
-
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe82⤵PID:1428
-
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe83⤵PID:4596
-
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe84⤵PID:1676
-
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe85⤵PID:3752
-
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe86⤵PID:1092
-
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe87⤵PID:5136
-
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe88⤵PID:5180
-
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe89⤵PID:5228
-
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5288 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe91⤵PID:5348
-
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe92⤵
- Drops file in System32 directory
PID:5380 -
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe93⤵PID:5436
-
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe94⤵PID:5500
-
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe95⤵PID:5560
-
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe96⤵PID:5608
-
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe97⤵PID:5652
-
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe98⤵PID:5728
-
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe99⤵
- Modifies registry class
PID:5788 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe100⤵PID:5852
-
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe101⤵PID:5904
-
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe102⤵PID:5940
-
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe103⤵PID:5980
-
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe104⤵PID:6032
-
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe105⤵PID:6088
-
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe106⤵PID:6132
-
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe107⤵PID:5188
-
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe108⤵PID:5272
-
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe109⤵PID:5368
-
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe110⤵PID:5456
-
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5552 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe112⤵
- Drops file in System32 directory
PID:5624 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe113⤵PID:5720
-
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe114⤵PID:5812
-
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:5896 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe116⤵PID:5968
-
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe117⤵PID:6040
-
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe118⤵PID:6116
-
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe119⤵PID:5216
-
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe120⤵PID:5324
-
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe121⤵PID:5496
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-