Analysis
-
max time kernel
149s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 20:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2a550dc03af2aad2b58b332103f99610_NEIKI.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2a550dc03af2aad2b58b332103f99610_NEIKI.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2a550dc03af2aad2b58b332103f99610_NEIKI.exe
-
Size
89KB
-
MD5
2a550dc03af2aad2b58b332103f99610
-
SHA1
02af83ac7aac7089a2d38a456263be862ae63975
-
SHA256
b731fbd5749fa4e161d5bf9ce238a0ce9dee5f366307017b8b70b26dc3fda6bf
-
SHA512
f655c07e9e0b00fa6919f28385da67dff3a7bc37553370a32403766f007341094f454d8d0071d4f73572804a266625fcf446580c834831249dace939f277926f
-
SSDEEP
1536:GP0FP0sOqwCvp8zF3OPp4WIpeXGJ1mMBa/k+LoXv4YMAccalExkg8Fk:PFPNDv2JixIs6m5/khdnccalakgwk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iklgkmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djmima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iickdgpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqdnjfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfcbcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flhoinbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbcffk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbhcdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plokgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaajoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bddjijia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnjdigpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqmnpk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqkmpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajndbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpodhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibgmldnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jijaef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbodj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kigoeagd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhgdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjbdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdmpck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbljaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plcmiofg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdafg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iildfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aiclodaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdeqaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjadck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdhkefnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohlifj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djcfee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plhgdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckiipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnmmmbll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahakhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejojljqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icachjbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgaboa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmhmko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiqkmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adadbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhiodm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chphhn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icgqqmib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgknlmgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcpdidol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmolbene.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkencn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfgjcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoiihcde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cikkga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebnocpfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdhklgnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gflapl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooaghe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doidql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhgbomfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgbfhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhhldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdkmgali.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ophbja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmnpah32.exe -
Executes dropped EXE 64 IoCs
pid Process 516 Ejojljqa.exe 2828 Fnjocf32.exe 2860 Hbdgec32.exe 2004 Hchqbkkm.exe 3540 Hegmlnbp.exe 2176 Igjbci32.exe 3904 Ibpgqa32.exe 4656 Icachjbb.exe 2232 Iholohii.exe 3452 Inkaqb32.exe 2792 Ijbbfc32.exe 3316 Jblflp32.exe 556 Jlfhke32.exe 1980 Jaemilci.exe 4944 Kdkoef32.exe 4052 Leabphmp.exe 3648 Lhdggb32.exe 4840 Loopdmpk.exe 2348 Nefdbekh.exe 4980 Napameoi.exe 4160 Ocfdgg32.exe 408 Pdngpo32.exe 1908 Poidhg32.exe 3364 Acbmjcgd.exe 2308 Aehbmk32.exe 4244 Cmmgof32.exe 3524 Cmgjee32.exe 4960 Digmqe32.exe 4732 Epaemojk.exe 3000 Ecfhji32.exe 940 Flcfnn32.exe 1156 Flhoinbl.exe 228 Glmhdm32.exe 1812 Gqmnpk32.exe 4924 Gnanioad.exe 1100 Gglpgd32.exe 1352 Hnehdo32.exe 2428 Hgbfhc32.exe 1972 Hqmggi32.exe 4872 Jakchf32.exe 3612 Jghhjq32.exe 3696 Jnapgjdo.exe 1860 Khonkogj.exe 1200 Kfidgk32.exe 1372 Lhmjlm32.exe 2100 Mehafq32.exe 3652 Mgngih32.exe 2172 Pnfdnnbo.exe 872 Qhekaejj.exe 4072 Abgcqjhp.exe 752 Aiqkmd32.exe 1032 Anncek32.exe 852 Aeglbeea.exe 2504 Bomppneg.exe 3844 Bngfli32.exe 3692 Ceehcc32.exe 4348 Dfngcdhi.exe 4412 Dhgjll32.exe 4928 Gcfjfqah.exe 2168 Lmkipncc.exe 1464 Mabdlk32.exe 1684 Nhhldc32.exe 1624 Ndomiddc.exe 4424 Oahgnh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Igbaeh32.exe Iphihnjk.exe File created C:\Windows\SysWOW64\Pmhjhh32.dll Anmfkane.exe File created C:\Windows\SysWOW64\Ehqabj32.dll Ebifha32.exe File created C:\Windows\SysWOW64\Hoonjjgk.exe Hfgjad32.exe File opened for modification C:\Windows\SysWOW64\Lblakh32.exe Licmbccm.exe File opened for modification C:\Windows\SysWOW64\Mojhphij.exe Mbchkg32.exe File created C:\Windows\SysWOW64\Pldnki32.dll Hqmggi32.exe File opened for modification C:\Windows\SysWOW64\Jbnopbdl.exe Jomeoggk.exe File opened for modification C:\Windows\SysWOW64\Icgqqmib.exe Iiblcdil.exe File created C:\Windows\SysWOW64\Ioakpf32.dll Nacmnlkd.exe File created C:\Windows\SysWOW64\Niiaae32.exe Njceqili.exe File created C:\Windows\SysWOW64\Elkqqjac.dll Gfqjkljn.exe File opened for modification C:\Windows\SysWOW64\Jbjciano.exe Jmmjpjpg.exe File created C:\Windows\SysWOW64\Hkehdd32.exe Hbmclobc.exe File created C:\Windows\SysWOW64\Mmnadddj.dll Flfjdn32.exe File created C:\Windows\SysWOW64\Gkkoeo32.dll Gbnobf32.exe File created C:\Windows\SysWOW64\Lboeknkf.exe Lmbmbgmo.exe File opened for modification C:\Windows\SysWOW64\Bglefdke.exe Andqnn32.exe File created C:\Windows\SysWOW64\Pgaboa32.exe Phqbaj32.exe File opened for modification C:\Windows\SysWOW64\Olangmod.exe Ojbamj32.exe File created C:\Windows\SysWOW64\Nmhgmd32.dll Opdiobod.exe File created C:\Windows\SysWOW64\Befenoqg.dll Hnaqqj32.exe File opened for modification C:\Windows\SysWOW64\Ocbhjjqn.exe Nnfpbcbf.exe File created C:\Windows\SysWOW64\Poodicio.exe Pjbkal32.exe File opened for modification C:\Windows\SysWOW64\Ghdoae32.exe Fajgekol.exe File opened for modification C:\Windows\SysWOW64\Iphihnjk.exe Iildfd32.exe File opened for modification C:\Windows\SysWOW64\Ipjocgdm.exe Igajka32.exe File opened for modification C:\Windows\SysWOW64\Hmhphqoe.exe Hhkgpjqn.exe File created C:\Windows\SysWOW64\Fbgjeohk.dll Efnennjc.exe File opened for modification C:\Windows\SysWOW64\Nddkaddm.exe Nnjbdj32.exe File opened for modification C:\Windows\SysWOW64\Lgmnqmam.exe Liimgh32.exe File created C:\Windows\SysWOW64\Onhmhc32.exe Ocbhjjqn.exe File created C:\Windows\SysWOW64\Fgfqmlko.dll Qkpmcddi.exe File created C:\Windows\SysWOW64\Gcggjp32.exe Giacmggo.exe File created C:\Windows\SysWOW64\Ddpgfjhm.dll Icgqqmib.exe File created C:\Windows\SysWOW64\Ekdafekm.dll Dieilepc.exe File created C:\Windows\SysWOW64\Cifhmeli.dll Phombg32.exe File opened for modification C:\Windows\SysWOW64\Dnhgidka.exe Dofgklcb.exe File created C:\Windows\SysWOW64\Mplapkoj.exe Mbhafgpp.exe File created C:\Windows\SysWOW64\Dpckclld.exe Dclknkfp.exe File opened for modification C:\Windows\SysWOW64\Idoknmfj.exe Ikfgeh32.exe File created C:\Windows\SysWOW64\Eicemccc.exe Eiahhdee.exe File created C:\Windows\SysWOW64\Gibeidka.dll Apeabg32.exe File opened for modification C:\Windows\SysWOW64\Elepei32.exe Eoapldei.exe File opened for modification C:\Windows\SysWOW64\Boflfiai.exe Ahbacq32.exe File opened for modification C:\Windows\SysWOW64\Dblgja32.exe Diccal32.exe File created C:\Windows\SysWOW64\Lcjjghoe.dll Bojogb32.exe File opened for modification C:\Windows\SysWOW64\Epaemojk.exe Digmqe32.exe File created C:\Windows\SysWOW64\Dfikjkob.dll Dmnpah32.exe File opened for modification C:\Windows\SysWOW64\Igabdekb.exe Ininloda.exe File created C:\Windows\SysWOW64\Epdaneff.exe Dcnqid32.exe File created C:\Windows\SysWOW64\Peajngoi.exe Pbpall32.exe File opened for modification C:\Windows\SysWOW64\Capikhgh.exe Cjfaon32.exe File opened for modification C:\Windows\SysWOW64\Hocqkc32.exe Hkehdd32.exe File opened for modification C:\Windows\SysWOW64\Fofigd32.exe Efnennjc.exe File opened for modification C:\Windows\SysWOW64\Hmoehojj.exe Gokdoj32.exe File created C:\Windows\SysWOW64\Mflgff32.exe Llgcin32.exe File created C:\Windows\SysWOW64\Bhehjcme.dll Oaqbdc32.exe File opened for modification C:\Windows\SysWOW64\Eocegn32.exe Ehimkd32.exe File created C:\Windows\SysWOW64\Jlocei32.dll Hoonjjgk.exe File created C:\Windows\SysWOW64\Mcikmdne.dll Andqnn32.exe File created C:\Windows\SysWOW64\Cooolhin.exe Cfgjcb32.exe File created C:\Windows\SysWOW64\Oldlbmob.dll Njmopj32.exe File opened for modification C:\Windows\SysWOW64\Qbddmejf.exe Nkncno32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8420 1200 WerFault.exe 891 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iamoon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jojboa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fofigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jijaef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mflgff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhflhcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceeojndk.dll" Gbcffk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jflgfpkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhkgpjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkqpd32.dll" Cjfaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Giacmggo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qpjifl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aecloegl.dll" Daolgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhnnoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okjnhpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejjelnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iehialmj.dll" Lkqliaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oeclockl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmcgllb.dll" Addabl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadeofnh.dll" Hbdgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmheahf.dll" Hchqbkkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opdiobod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldpmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndndef32.dll" Mjjbjjdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hagnihom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnjbdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clnopg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceehcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hobcgdjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pecefa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopoighe.dll" Glmhdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhemfbnq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmmjpjpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oejngm32.dll" Poomom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojmhaklf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckealm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acbmjcgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgknlmgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oaajoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbepgej.dll" Pgpmdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akjgdjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnelhffc.dll" Pbpall32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Endbmcal.dll" Eocegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppinkfal.dll" Edcqojqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmbflc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnfoac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oplmdnpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eckfaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjhdkajh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deboiojb.dll" Kknhjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oiagcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpfboe32.dll" Phfcdcfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iboogh32.dll" Hapancai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmpnppap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckiipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efgehe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgjeohk.dll" Efnennjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjnjjlog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eamhhjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkqdhnom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdkdqinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amcpdgbe.dll" Ojbamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akqfef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjmmjng.dll" Gnanioad.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 8 wrote to memory of 516 8 2a550dc03af2aad2b58b332103f99610_NEIKI.exe 89 PID 8 wrote to memory of 516 8 2a550dc03af2aad2b58b332103f99610_NEIKI.exe 89 PID 8 wrote to memory of 516 8 2a550dc03af2aad2b58b332103f99610_NEIKI.exe 89 PID 516 wrote to memory of 2828 516 Ejojljqa.exe 90 PID 516 wrote to memory of 2828 516 Ejojljqa.exe 90 PID 516 wrote to memory of 2828 516 Ejojljqa.exe 90 PID 2828 wrote to memory of 2860 2828 Fnjocf32.exe 91 PID 2828 wrote to memory of 2860 2828 Fnjocf32.exe 91 PID 2828 wrote to memory of 2860 2828 Fnjocf32.exe 91 PID 2860 wrote to memory of 2004 2860 Hbdgec32.exe 221 PID 2860 wrote to memory of 2004 2860 Hbdgec32.exe 221 PID 2860 wrote to memory of 2004 2860 Hbdgec32.exe 221 PID 2004 wrote to memory of 3540 2004 Hchqbkkm.exe 93 PID 2004 wrote to memory of 3540 2004 Hchqbkkm.exe 93 PID 2004 wrote to memory of 3540 2004 Hchqbkkm.exe 93 PID 3540 wrote to memory of 2176 3540 Hegmlnbp.exe 94 PID 3540 wrote to memory of 2176 3540 Hegmlnbp.exe 94 PID 3540 wrote to memory of 2176 3540 Hegmlnbp.exe 94 PID 2176 wrote to memory of 3904 2176 Igjbci32.exe 95 PID 2176 wrote to memory of 3904 2176 Igjbci32.exe 95 PID 2176 wrote to memory of 3904 2176 Igjbci32.exe 95 PID 3904 wrote to memory of 4656 3904 Ibpgqa32.exe 96 PID 3904 wrote to memory of 4656 3904 Ibpgqa32.exe 96 PID 3904 wrote to memory of 4656 3904 Ibpgqa32.exe 96 PID 4656 wrote to memory of 2232 4656 Icachjbb.exe 97 PID 4656 wrote to memory of 2232 4656 Icachjbb.exe 97 PID 4656 wrote to memory of 2232 4656 Icachjbb.exe 97 PID 2232 wrote to memory of 3452 2232 Iholohii.exe 98 PID 2232 wrote to memory of 3452 2232 Iholohii.exe 98 PID 2232 wrote to memory of 3452 2232 Iholohii.exe 98 PID 3452 wrote to memory of 2792 3452 Inkaqb32.exe 99 PID 3452 wrote to memory of 2792 3452 Inkaqb32.exe 99 PID 3452 wrote to memory of 2792 3452 Inkaqb32.exe 99 PID 2792 wrote to memory of 3316 2792 Ijbbfc32.exe 100 PID 2792 wrote to memory of 3316 2792 Ijbbfc32.exe 100 PID 2792 wrote to memory of 3316 2792 Ijbbfc32.exe 100 PID 3316 wrote to memory of 556 3316 Jblflp32.exe 101 PID 3316 wrote to memory of 556 3316 Jblflp32.exe 101 PID 3316 wrote to memory of 556 3316 Jblflp32.exe 101 PID 556 wrote to memory of 1980 556 Jlfhke32.exe 210 PID 556 wrote to memory of 1980 556 Jlfhke32.exe 210 PID 556 wrote to memory of 1980 556 Jlfhke32.exe 210 PID 1980 wrote to memory of 4944 1980 Jaemilci.exe 103 PID 1980 wrote to memory of 4944 1980 Jaemilci.exe 103 PID 1980 wrote to memory of 4944 1980 Jaemilci.exe 103 PID 4944 wrote to memory of 4052 4944 Kdkoef32.exe 104 PID 4944 wrote to memory of 4052 4944 Kdkoef32.exe 104 PID 4944 wrote to memory of 4052 4944 Kdkoef32.exe 104 PID 4052 wrote to memory of 3648 4052 Leabphmp.exe 105 PID 4052 wrote to memory of 3648 4052 Leabphmp.exe 105 PID 4052 wrote to memory of 3648 4052 Leabphmp.exe 105 PID 3648 wrote to memory of 4840 3648 Lhdggb32.exe 106 PID 3648 wrote to memory of 4840 3648 Lhdggb32.exe 106 PID 3648 wrote to memory of 4840 3648 Lhdggb32.exe 106 PID 4840 wrote to memory of 2348 4840 Loopdmpk.exe 107 PID 4840 wrote to memory of 2348 4840 Loopdmpk.exe 107 PID 4840 wrote to memory of 2348 4840 Loopdmpk.exe 107 PID 2348 wrote to memory of 4980 2348 Nefdbekh.exe 108 PID 2348 wrote to memory of 4980 2348 Nefdbekh.exe 108 PID 2348 wrote to memory of 4980 2348 Nefdbekh.exe 108 PID 4980 wrote to memory of 4160 4980 Napameoi.exe 109 PID 4980 wrote to memory of 4160 4980 Napameoi.exe 109 PID 4980 wrote to memory of 4160 4980 Napameoi.exe 109 PID 4160 wrote to memory of 408 4160 Ocfdgg32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a550dc03af2aad2b58b332103f99610_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\2a550dc03af2aad2b58b332103f99610_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\Ejojljqa.exeC:\Windows\system32\Ejojljqa.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\Fnjocf32.exeC:\Windows\system32\Fnjocf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Hbdgec32.exeC:\Windows\system32\Hbdgec32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Hchqbkkm.exeC:\Windows\system32\Hchqbkkm.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Hegmlnbp.exeC:\Windows\system32\Hegmlnbp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Igjbci32.exeC:\Windows\system32\Igjbci32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Ibpgqa32.exeC:\Windows\system32\Ibpgqa32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Icachjbb.exeC:\Windows\system32\Icachjbb.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Iholohii.exeC:\Windows\system32\Iholohii.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Inkaqb32.exeC:\Windows\system32\Inkaqb32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Ijbbfc32.exeC:\Windows\system32\Ijbbfc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Jblflp32.exeC:\Windows\system32\Jblflp32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\SysWOW64\Jlfhke32.exeC:\Windows\system32\Jlfhke32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Jaemilci.exeC:\Windows\system32\Jaemilci.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Kdkoef32.exeC:\Windows\system32\Kdkoef32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Leabphmp.exeC:\Windows\system32\Leabphmp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\Lhdggb32.exeC:\Windows\system32\Lhdggb32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\Loopdmpk.exeC:\Windows\system32\Loopdmpk.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Nefdbekh.exeC:\Windows\system32\Nefdbekh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Napameoi.exeC:\Windows\system32\Napameoi.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Ocfdgg32.exeC:\Windows\system32\Ocfdgg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Pdngpo32.exeC:\Windows\system32\Pdngpo32.exe23⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Poidhg32.exeC:\Windows\system32\Poidhg32.exe24⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Acbmjcgd.exeC:\Windows\system32\Acbmjcgd.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:3364 -
C:\Windows\SysWOW64\Aehbmk32.exeC:\Windows\system32\Aehbmk32.exe26⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe27⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Cmgjee32.exeC:\Windows\system32\Cmgjee32.exe28⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Digmqe32.exeC:\Windows\system32\Digmqe32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4960 -
C:\Windows\SysWOW64\Epaemojk.exeC:\Windows\system32\Epaemojk.exe30⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Ecfhji32.exeC:\Windows\system32\Ecfhji32.exe31⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Flcfnn32.exeC:\Windows\system32\Flcfnn32.exe32⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Flhoinbl.exeC:\Windows\system32\Flhoinbl.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Glmhdm32.exeC:\Windows\system32\Glmhdm32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:228 -
C:\Windows\SysWOW64\Gqmnpk32.exeC:\Windows\system32\Gqmnpk32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Gnanioad.exeC:\Windows\system32\Gnanioad.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4924 -
C:\Windows\SysWOW64\Gglpgd32.exeC:\Windows\system32\Gglpgd32.exe37⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Hnehdo32.exeC:\Windows\system32\Hnehdo32.exe38⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Hgbfhc32.exeC:\Windows\system32\Hgbfhc32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Hqmggi32.exeC:\Windows\system32\Hqmggi32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Jakchf32.exeC:\Windows\system32\Jakchf32.exe41⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Jghhjq32.exeC:\Windows\system32\Jghhjq32.exe42⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Jnapgjdo.exeC:\Windows\system32\Jnapgjdo.exe43⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Khonkogj.exeC:\Windows\system32\Khonkogj.exe44⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Kfidgk32.exeC:\Windows\system32\Kfidgk32.exe45⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Lhmjlm32.exeC:\Windows\system32\Lhmjlm32.exe46⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Mehafq32.exeC:\Windows\system32\Mehafq32.exe47⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Mgngih32.exeC:\Windows\system32\Mgngih32.exe48⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Pnfdnnbo.exeC:\Windows\system32\Pnfdnnbo.exe49⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Qhekaejj.exeC:\Windows\system32\Qhekaejj.exe50⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Abgcqjhp.exeC:\Windows\system32\Abgcqjhp.exe51⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Aiqkmd32.exeC:\Windows\system32\Aiqkmd32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Anncek32.exeC:\Windows\system32\Anncek32.exe53⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Aeglbeea.exeC:\Windows\system32\Aeglbeea.exe54⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Bomppneg.exeC:\Windows\system32\Bomppneg.exe55⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Bngfli32.exeC:\Windows\system32\Bngfli32.exe56⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Ceehcc32.exeC:\Windows\system32\Ceehcc32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3692 -
C:\Windows\SysWOW64\Dfngcdhi.exeC:\Windows\system32\Dfngcdhi.exe58⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Dhgjll32.exeC:\Windows\system32\Dhgjll32.exe59⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Gcfjfqah.exeC:\Windows\system32\Gcfjfqah.exe60⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Lmkipncc.exeC:\Windows\system32\Lmkipncc.exe61⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Mabdlk32.exeC:\Windows\system32\Mabdlk32.exe62⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Nhhldc32.exeC:\Windows\system32\Nhhldc32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Ndomiddc.exeC:\Windows\system32\Ndomiddc.exe64⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Oahgnh32.exeC:\Windows\system32\Oahgnh32.exe65⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Oickbjmb.exeC:\Windows\system32\Oickbjmb.exe66⤵PID:4396
-
C:\Windows\SysWOW64\Pgnblm32.exeC:\Windows\system32\Pgnblm32.exe67⤵PID:4420
-
C:\Windows\SysWOW64\Aqpika32.exeC:\Windows\system32\Aqpika32.exe68⤵PID:2268
-
C:\Windows\SysWOW64\Akjgdjoj.exeC:\Windows\system32\Akjgdjoj.exe69⤵
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Bgjjoi32.exeC:\Windows\system32\Bgjjoi32.exe70⤵PID:1160
-
C:\Windows\SysWOW64\Bnfoac32.exeC:\Windows\system32\Bnfoac32.exe71⤵
- Modifies registry class
PID:624 -
C:\Windows\SysWOW64\Cnkilbni.exeC:\Windows\system32\Cnkilbni.exe72⤵PID:3420
-
C:\Windows\SysWOW64\Cbiabq32.exeC:\Windows\system32\Cbiabq32.exe73⤵PID:880
-
C:\Windows\SysWOW64\Djipbbne.exeC:\Windows\system32\Djipbbne.exe74⤵PID:4272
-
C:\Windows\SysWOW64\Deqqek32.exeC:\Windows\system32\Deqqek32.exe75⤵PID:5104
-
C:\Windows\SysWOW64\Djmima32.exeC:\Windows\system32\Djmima32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4908 -
C:\Windows\SysWOW64\Dagajlal.exeC:\Windows\system32\Dagajlal.exe77⤵PID:3732
-
C:\Windows\SysWOW64\Eihlahjd.exeC:\Windows\system32\Eihlahjd.exe78⤵PID:4332
-
C:\Windows\SysWOW64\Ejiiippb.exeC:\Windows\system32\Ejiiippb.exe79⤵PID:464
-
C:\Windows\SysWOW64\Eeomfioh.exeC:\Windows\system32\Eeomfioh.exe80⤵PID:3892
-
C:\Windows\SysWOW64\Eliecc32.exeC:\Windows\system32\Eliecc32.exe81⤵PID:5172
-
C:\Windows\SysWOW64\Fhflhcfa.exeC:\Windows\system32\Fhflhcfa.exe82⤵
- Modifies registry class
PID:5212 -
C:\Windows\SysWOW64\Fblpflfg.exeC:\Windows\system32\Fblpflfg.exe83⤵PID:5264
-
C:\Windows\SysWOW64\Fifhbf32.exeC:\Windows\system32\Fifhbf32.exe84⤵PID:5312
-
C:\Windows\SysWOW64\Foenplji.exeC:\Windows\system32\Foenplji.exe85⤵PID:5356
-
C:\Windows\SysWOW64\Ghmbib32.exeC:\Windows\system32\Ghmbib32.exe86⤵PID:5400
-
C:\Windows\SysWOW64\Gbcffk32.exeC:\Windows\system32\Gbcffk32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5444 -
C:\Windows\SysWOW64\Gknkkmmj.exeC:\Windows\system32\Gknkkmmj.exe88⤵PID:5528
-
C:\Windows\SysWOW64\Hadcce32.exeC:\Windows\system32\Hadcce32.exe89⤵PID:5580
-
C:\Windows\SysWOW64\Jomeoggk.exeC:\Windows\system32\Jomeoggk.exe90⤵
- Drops file in System32 directory
PID:5616 -
C:\Windows\SysWOW64\Jbnopbdl.exeC:\Windows\system32\Jbnopbdl.exe91⤵PID:5660
-
C:\Windows\SysWOW64\Jflgfpkc.exeC:\Windows\system32\Jflgfpkc.exe92⤵
- Modifies registry class
PID:5716 -
C:\Windows\SysWOW64\Kiomnk32.exeC:\Windows\system32\Kiomnk32.exe93⤵PID:5788
-
C:\Windows\SysWOW64\Kcikfcab.exeC:\Windows\system32\Kcikfcab.exe94⤵PID:5864
-
C:\Windows\SysWOW64\Lpinac32.exeC:\Windows\system32\Lpinac32.exe95⤵PID:5904
-
C:\Windows\SysWOW64\Lmmokgne.exeC:\Windows\system32\Lmmokgne.exe96⤵PID:5952
-
C:\Windows\SysWOW64\Mjaodkmo.exeC:\Windows\system32\Mjaodkmo.exe97⤵PID:6008
-
C:\Windows\SysWOW64\Mcicma32.exeC:\Windows\system32\Mcicma32.exe98⤵PID:6064
-
C:\Windows\SysWOW64\Mmahff32.exeC:\Windows\system32\Mmahff32.exe99⤵PID:6112
-
C:\Windows\SysWOW64\Mfjlolpp.exeC:\Windows\system32\Mfjlolpp.exe100⤵PID:5132
-
C:\Windows\SysWOW64\Mflidl32.exeC:\Windows\system32\Mflidl32.exe101⤵PID:5260
-
C:\Windows\SysWOW64\Mjjbjjdd.exeC:\Windows\system32\Mjjbjjdd.exe102⤵
- Modifies registry class
PID:5344 -
C:\Windows\SysWOW64\Ncbfcp32.exeC:\Windows\system32\Ncbfcp32.exe103⤵PID:5428
-
C:\Windows\SysWOW64\Njmopj32.exeC:\Windows\system32\Njmopj32.exe104⤵
- Drops file in System32 directory
PID:5456 -
C:\Windows\SysWOW64\Nbhcdl32.exeC:\Windows\system32\Nbhcdl32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4524 -
C:\Windows\SysWOW64\Niblafgi.exeC:\Windows\system32\Niblafgi.exe106⤵PID:3708
-
C:\Windows\SysWOW64\Nbjpjl32.exeC:\Windows\system32\Nbjpjl32.exe107⤵PID:1648
-
C:\Windows\SysWOW64\Nlbdba32.exeC:\Windows\system32\Nlbdba32.exe108⤵PID:5576
-
C:\Windows\SysWOW64\Njceqili.exeC:\Windows\system32\Njceqili.exe109⤵
- Drops file in System32 directory
PID:4772 -
C:\Windows\SysWOW64\Niiaae32.exeC:\Windows\system32\Niiaae32.exe110⤵PID:2060
-
C:\Windows\SysWOW64\Odnfonag.exeC:\Windows\system32\Odnfonag.exe111⤵PID:5640
-
C:\Windows\SysWOW64\Oplmdnpc.exeC:\Windows\system32\Oplmdnpc.exe112⤵
- Modifies registry class
PID:5712 -
C:\Windows\SysWOW64\Plcmiofg.exeC:\Windows\system32\Plcmiofg.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3684 -
C:\Windows\SysWOW64\Plhgdn32.exeC:\Windows\system32\Plhgdn32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5824 -
C:\Windows\SysWOW64\Pgmkbg32.exeC:\Windows\system32\Pgmkbg32.exe115⤵PID:2852
-
C:\Windows\SysWOW64\Pdchakoo.exeC:\Windows\system32\Pdchakoo.exe116⤵PID:1980
-
C:\Windows\SysWOW64\Qkmqne32.exeC:\Windows\system32\Qkmqne32.exe117⤵PID:6016
-
C:\Windows\SysWOW64\Qpjifl32.exeC:\Windows\system32\Qpjifl32.exe118⤵
- Modifies registry class
PID:6092 -
C:\Windows\SysWOW64\Qkpmcddi.exeC:\Windows\system32\Qkpmcddi.exe119⤵
- Drops file in System32 directory
PID:6136 -
C:\Windows\SysWOW64\Qpmfklbq.exeC:\Windows\system32\Qpmfklbq.exe120⤵PID:5256
-
C:\Windows\SysWOW64\Adjnaj32.exeC:\Windows\system32\Adjnaj32.exe121⤵PID:5364
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-