Analysis
-
max time kernel
145s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
08-05-2024 00:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7c7e548f4eece455dbb83a131c5a3c80_NEIKI.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
7c7e548f4eece455dbb83a131c5a3c80_NEIKI.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
7c7e548f4eece455dbb83a131c5a3c80_NEIKI.exe
-
Size
1024KB
-
MD5
7c7e548f4eece455dbb83a131c5a3c80
-
SHA1
045e8a48880685fd35e13ffec3fdc300c3bb1dea
-
SHA256
4cc1007cd3e88204a211e1308f97924350e99c5a73a2c69401fc54d474142c98
-
SHA512
8fe2cbdfcf6f6156e654d157ed88fed3bdc61ccc603ac73a4fc585c60013a6e6a3d3329753531f33bb915960a6a43de7f5967041114384fc2cd8b1035dbe8575
-
SSDEEP
12288:8qL7RkY660fIaDZkY660f8jTK/XhdAwlt01PBExKN4P6IfKTLR+6CwUkEoH:8q/RgsaDZgQjGkwlks/6HnEO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbmmcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ambmpmln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpocfncj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gicbeald.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eidmqdmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hqbgfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbpjiphi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfkkimlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfbhnaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikekmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onphoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfgmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Begeknan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnpnndgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkjdhpea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbgpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcodno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndjdlffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pijbfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdfflm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmbefbck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgenhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loapim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qeqbkkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmgdddmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hchmdklc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelmai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcmgfkeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhnfkigh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odegpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlhnbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hakmph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jklanp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhlqhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lipjejgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nplkfgoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cphlljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jagmpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dflkdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejoiedd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgfbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aplpai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkeib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdianmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hheelbjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nghphaeo.exe -
Executes dropped EXE 64 IoCs
pid Process 2172 Dncipddb.exe 2040 Djjjee32.exe 2648 Dipgfa32.exe 2964 Dibdla32.exe 2528 Didqaqji.exe 2604 Dnaijghp.exe 1660 Eabbkbea.exe 1720 Ehljhmmn.exe 2940 Emkofcic.exe 2788 Ehqccl32.exe 2728 Efcdoipc.exe 2896 Eiapkdog.exe 1444 Eaihlapi.exe 2100 Edgdhmom.exe 2368 Efeqdhnq.exe 2988 Eidmqdmd.exe 1060 Elbimplh.exe 620 Fdianmmj.exe 1144 Fblaii32.exe 2192 Fekneebh.exe 1540 Fmbefbck.exe 1884 Flefbo32.exe 624 Fbonoiab.exe 1984 Femjkdqf.exe 1648 Fhlfgppj.exe 2228 Hchmdklc.exe 2632 Hakmph32.exe 2644 Hheelbjj.exe 2776 Hlpamq32.exe 2660 Hnandi32.exe 2200 Hdkfacpo.exe 2960 Hgjbmoob.exe 2732 Haogkgoh.exe 2516 Hqbgfd32.exe 864 Hhioga32.exe 2592 Hjkkojlc.exe 2868 Hbbcpg32.exe 1488 Hdpplb32.exe 1716 Hgolhn32.exe 1612 Imkdqe32.exe 2680 Idblbb32.exe 1104 Igainn32.exe 1952 Imnafd32.exe 1740 Igcecmfg.exe 1480 Ijaapifk.exe 636 Iqljlb32.exe 1560 Icjfhn32.exe 1944 Ibmfdkcf.exe 2972 Ifhbdj32.exe 2224 Ijdnehci.exe 488 Imbkadcl.exe 3064 Ikekmq32.exe 2112 Ioagno32.exe 2628 Iclcnnji.exe 1980 Ibocjk32.exe 2380 Ifkojiim.exe 2560 Imeggc32.exe 1632 Jeplkf32.exe 2668 Jilhldfn.exe 976 Jkjdhpea.exe 2992 Jnhqdkde.exe 1244 Jbdlejmn.exe 2936 Jagmpg32.exe 2416 Jinead32.exe -
Loads dropped DLL 64 IoCs
pid Process 944 7c7e548f4eece455dbb83a131c5a3c80_NEIKI.exe 944 7c7e548f4eece455dbb83a131c5a3c80_NEIKI.exe 2172 Dncipddb.exe 2172 Dncipddb.exe 2040 Djjjee32.exe 2040 Djjjee32.exe 2648 Dipgfa32.exe 2648 Dipgfa32.exe 2964 Dibdla32.exe 2964 Dibdla32.exe 2528 Didqaqji.exe 2528 Didqaqji.exe 2604 Dnaijghp.exe 2604 Dnaijghp.exe 1660 Eabbkbea.exe 1660 Eabbkbea.exe 1720 Ehljhmmn.exe 1720 Ehljhmmn.exe 2940 Emkofcic.exe 2940 Emkofcic.exe 2788 Ehqccl32.exe 2788 Ehqccl32.exe 2728 Efcdoipc.exe 2728 Efcdoipc.exe 2896 Eiapkdog.exe 2896 Eiapkdog.exe 1444 Eaihlapi.exe 1444 Eaihlapi.exe 2100 Edgdhmom.exe 2100 Edgdhmom.exe 2368 Efeqdhnq.exe 2368 Efeqdhnq.exe 2988 Eidmqdmd.exe 2988 Eidmqdmd.exe 1060 Elbimplh.exe 1060 Elbimplh.exe 620 Fdianmmj.exe 620 Fdianmmj.exe 1144 Fblaii32.exe 1144 Fblaii32.exe 2192 Fekneebh.exe 2192 Fekneebh.exe 1540 Fmbefbck.exe 1540 Fmbefbck.exe 1884 Flefbo32.exe 1884 Flefbo32.exe 624 Fbonoiab.exe 624 Fbonoiab.exe 1984 Femjkdqf.exe 1984 Femjkdqf.exe 1524 Holacm32.exe 1524 Holacm32.exe 2228 Hchmdklc.exe 2228 Hchmdklc.exe 2632 Hakmph32.exe 2632 Hakmph32.exe 2644 Hheelbjj.exe 2644 Hheelbjj.exe 2776 Hlpamq32.exe 2776 Hlpamq32.exe 2660 Hnandi32.exe 2660 Hnandi32.exe 2200 Hdkfacpo.exe 2200 Hdkfacpo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Balijo32.exe Bkaqmeah.exe File created C:\Windows\SysWOW64\Hicodd32.exe Hdfflm32.exe File opened for modification C:\Windows\SysWOW64\Ikekmq32.exe Imbkadcl.exe File created C:\Windows\SysWOW64\Ghgobd32.dll Laplei32.exe File created C:\Windows\SysWOW64\Pbpjiphi.exe Pndniaop.exe File created C:\Windows\SysWOW64\Mefagn32.dll Qlhnbf32.exe File opened for modification C:\Windows\SysWOW64\Nnplpl32.exe Nkaocp32.exe File created C:\Windows\SysWOW64\Ndjdlffl.exe Npnhlg32.exe File opened for modification C:\Windows\SysWOW64\Pbiciana.exe Pcfcmd32.exe File created C:\Windows\SysWOW64\Hepmggig.dll Hckcmjep.exe File created C:\Windows\SysWOW64\Boiccdnf.exe Bpfcgg32.exe File created C:\Windows\SysWOW64\Hkfmal32.dll Cpjiajeb.exe File created C:\Windows\SysWOW64\Fdapak32.exe Fmhheqje.exe File created C:\Windows\SysWOW64\Iagfoe32.exe Ioijbj32.exe File created C:\Windows\SysWOW64\Mlcple32.exe Midcpj32.exe File opened for modification C:\Windows\SysWOW64\Ocomlemo.exe Oelmai32.exe File opened for modification C:\Windows\SysWOW64\Ppjglfon.exe Paggai32.exe File created C:\Windows\SysWOW64\Kkjjld32.dll Pijbfj32.exe File created C:\Windows\SysWOW64\Jfliao32.dll Fekneebh.exe File created C:\Windows\SysWOW64\Jghknp32.exe Jpqclb32.exe File created C:\Windows\SysWOW64\Kbalnnam.exe Kcolba32.exe File created C:\Windows\SysWOW64\Bdlblj32.exe Bpafkknm.exe File opened for modification C:\Windows\SysWOW64\Jpqclb32.exe Jmbgpg32.exe File opened for modification C:\Windows\SysWOW64\Dchali32.exe Dqjepm32.exe File created C:\Windows\SysWOW64\Nobdlg32.dll Dqjepm32.exe File opened for modification C:\Windows\SysWOW64\Fbonoiab.exe Flefbo32.exe File opened for modification C:\Windows\SysWOW64\Bkaqmeah.exe Bhcdaibd.exe File created C:\Windows\SysWOW64\Cljcelan.exe Cngcjo32.exe File created C:\Windows\SysWOW64\Adeplhib.exe Qecoqk32.exe File created C:\Windows\SysWOW64\Oiahfd32.dll Ailkjmpo.exe File created C:\Windows\SysWOW64\Fmhheqje.exe Filldb32.exe File created C:\Windows\SysWOW64\Imnafd32.exe Igainn32.exe File opened for modification C:\Windows\SysWOW64\Igcecmfg.exe Imnafd32.exe File created C:\Windows\SysWOW64\Glgcjoog.dll Jbfijjkl.exe File created C:\Windows\SysWOW64\Nllkkc32.dll Lpgele32.exe File created C:\Windows\SysWOW64\Dncipddb.exe 7c7e548f4eece455dbb83a131c5a3c80_NEIKI.exe File created C:\Windows\SysWOW64\Kpcpbb32.exe Jiigehkl.exe File created C:\Windows\SysWOW64\Dhjfhhen.dll Onmkio32.exe File created C:\Windows\SysWOW64\Dnilobkm.exe Dkkpbgli.exe File created C:\Windows\SysWOW64\Kjqipbka.dll Blmdlhmp.exe File created C:\Windows\SysWOW64\Oiogaqdb.dll Hhjhkq32.exe File created C:\Windows\SysWOW64\Nnjcpefo.dll Imkdqe32.exe File opened for modification C:\Windows\SysWOW64\Kmimafop.exe Kebepion.exe File created C:\Windows\SysWOW64\Lkkmdn32.exe Lgoacojo.exe File created C:\Windows\SysWOW64\Ojieip32.exe Ocomlemo.exe File opened for modification C:\Windows\SysWOW64\Efppoc32.exe Epfhbign.exe File created C:\Windows\SysWOW64\Dlgohm32.dll Ealnephf.exe File opened for modification C:\Windows\SysWOW64\Icjfhn32.exe Iqljlb32.exe File created C:\Windows\SysWOW64\Cgocalod.dll Lipjejgp.exe File opened for modification C:\Windows\SysWOW64\Okchhc32.exe Oghlgdgk.exe File opened for modification C:\Windows\SysWOW64\Amejeljk.exe Aiinen32.exe File opened for modification C:\Windows\SysWOW64\Jklanp32.exe Jinead32.exe File created C:\Windows\SysWOW64\Kpikfj32.dll Afdlhchf.exe File created C:\Windows\SysWOW64\Aoffmd32.exe Amejeljk.exe File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe Fhhcgj32.exe File created C:\Windows\SysWOW64\Higdqfol.dll Pbpjiphi.exe File created C:\Windows\SysWOW64\Glpjaf32.dll Emeopn32.exe File opened for modification C:\Windows\SysWOW64\Hlpamq32.exe Hheelbjj.exe File opened for modification C:\Windows\SysWOW64\Imeggc32.exe Ifkojiim.exe File created C:\Windows\SysWOW64\Nghphaeo.exe Ncmdhb32.exe File created C:\Windows\SysWOW64\Gkgaje32.dll Nohnhc32.exe File created C:\Windows\SysWOW64\Fekneebh.exe Fblaii32.exe File created C:\Windows\SysWOW64\Piddlm32.dll Onphoo32.exe File created C:\Windows\SysWOW64\Elbimplh.exe Eidmqdmd.exe -
Program crash 1 IoCs
pid pid_target Process 4728 4644 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jiigehkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgoacojo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlcple32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mabejlob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjjbo32.dll" Ehqccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojkbol32.dll" Hdkfacpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcmhiojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obljmlpp.dll" Njkfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfmdnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meigpkka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjknnbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghfbqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncmdhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnaid32.dll" Qjknnbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Loapim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgjec32.dll" Lplogdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohgbmh32.dll" Nhnfkigh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbflib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncann32.dll" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minjlg32.dll" Jnhqdkde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbhbom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adeplhib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efncicpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} 7c7e548f4eece455dbb83a131c5a3c80_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdoqc32.dll" Ogmfbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Komfnnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahfd32.dll" Ailkjmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negbaime.dll" Moalhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifpn32.dll" Nfmmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qecoqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnilobkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkbph32.dll" Efeqdhnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Femjkdqf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nocemcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oelmai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipghqomc.dll" Ankdiqih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cobbhfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll" Fdoclk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gopkmhjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knjiin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnbhek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoipdkgg.dll" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmloladn.dll" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfefiemq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imbkadcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpjbad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpekigf.dll" Jcgfbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kebepion.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbiciana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfliao32.dll" Fekneebh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Haogkgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeccgbbh.dll" Filldb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oockje32.dll" Cbkeib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eeempocb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Claifkkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kedaeh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 944 wrote to memory of 2172 944 7c7e548f4eece455dbb83a131c5a3c80_NEIKI.exe 28 PID 944 wrote to memory of 2172 944 7c7e548f4eece455dbb83a131c5a3c80_NEIKI.exe 28 PID 944 wrote to memory of 2172 944 7c7e548f4eece455dbb83a131c5a3c80_NEIKI.exe 28 PID 944 wrote to memory of 2172 944 7c7e548f4eece455dbb83a131c5a3c80_NEIKI.exe 28 PID 2172 wrote to memory of 2040 2172 Dncipddb.exe 29 PID 2172 wrote to memory of 2040 2172 Dncipddb.exe 29 PID 2172 wrote to memory of 2040 2172 Dncipddb.exe 29 PID 2172 wrote to memory of 2040 2172 Dncipddb.exe 29 PID 2040 wrote to memory of 2648 2040 Djjjee32.exe 30 PID 2040 wrote to memory of 2648 2040 Djjjee32.exe 30 PID 2040 wrote to memory of 2648 2040 Djjjee32.exe 30 PID 2040 wrote to memory of 2648 2040 Djjjee32.exe 30 PID 2648 wrote to memory of 2964 2648 Dipgfa32.exe 31 PID 2648 wrote to memory of 2964 2648 Dipgfa32.exe 31 PID 2648 wrote to memory of 2964 2648 Dipgfa32.exe 31 PID 2648 wrote to memory of 2964 2648 Dipgfa32.exe 31 PID 2964 wrote to memory of 2528 2964 Dibdla32.exe 32 PID 2964 wrote to memory of 2528 2964 Dibdla32.exe 32 PID 2964 wrote to memory of 2528 2964 Dibdla32.exe 32 PID 2964 wrote to memory of 2528 2964 Dibdla32.exe 32 PID 2528 wrote to memory of 2604 2528 Didqaqji.exe 33 PID 2528 wrote to memory of 2604 2528 Didqaqji.exe 33 PID 2528 wrote to memory of 2604 2528 Didqaqji.exe 33 PID 2528 wrote to memory of 2604 2528 Didqaqji.exe 33 PID 2604 wrote to memory of 1660 2604 Dnaijghp.exe 34 PID 2604 wrote to memory of 1660 2604 Dnaijghp.exe 34 PID 2604 wrote to memory of 1660 2604 Dnaijghp.exe 34 PID 2604 wrote to memory of 1660 2604 Dnaijghp.exe 34 PID 1660 wrote to memory of 1720 1660 Eabbkbea.exe 35 PID 1660 wrote to memory of 1720 1660 Eabbkbea.exe 35 PID 1660 wrote to memory of 1720 1660 Eabbkbea.exe 35 PID 1660 wrote to memory of 1720 1660 Eabbkbea.exe 35 PID 1720 wrote to memory of 2940 1720 Ehljhmmn.exe 36 PID 1720 wrote to memory of 2940 1720 Ehljhmmn.exe 36 PID 1720 wrote to memory of 2940 1720 Ehljhmmn.exe 36 PID 1720 wrote to memory of 2940 1720 Ehljhmmn.exe 36 PID 2940 wrote to memory of 2788 2940 Emkofcic.exe 37 PID 2940 wrote to memory of 2788 2940 Emkofcic.exe 37 PID 2940 wrote to memory of 2788 2940 Emkofcic.exe 37 PID 2940 wrote to memory of 2788 2940 Emkofcic.exe 37 PID 2788 wrote to memory of 2728 2788 Ehqccl32.exe 38 PID 2788 wrote to memory of 2728 2788 Ehqccl32.exe 38 PID 2788 wrote to memory of 2728 2788 Ehqccl32.exe 38 PID 2788 wrote to memory of 2728 2788 Ehqccl32.exe 38 PID 2728 wrote to memory of 2896 2728 Efcdoipc.exe 39 PID 2728 wrote to memory of 2896 2728 Efcdoipc.exe 39 PID 2728 wrote to memory of 2896 2728 Efcdoipc.exe 39 PID 2728 wrote to memory of 2896 2728 Efcdoipc.exe 39 PID 2896 wrote to memory of 1444 2896 Eiapkdog.exe 40 PID 2896 wrote to memory of 1444 2896 Eiapkdog.exe 40 PID 2896 wrote to memory of 1444 2896 Eiapkdog.exe 40 PID 2896 wrote to memory of 1444 2896 Eiapkdog.exe 40 PID 1444 wrote to memory of 2100 1444 Eaihlapi.exe 41 PID 1444 wrote to memory of 2100 1444 Eaihlapi.exe 41 PID 1444 wrote to memory of 2100 1444 Eaihlapi.exe 41 PID 1444 wrote to memory of 2100 1444 Eaihlapi.exe 41 PID 2100 wrote to memory of 2368 2100 Edgdhmom.exe 42 PID 2100 wrote to memory of 2368 2100 Edgdhmom.exe 42 PID 2100 wrote to memory of 2368 2100 Edgdhmom.exe 42 PID 2100 wrote to memory of 2368 2100 Edgdhmom.exe 42 PID 2368 wrote to memory of 2988 2368 Efeqdhnq.exe 43 PID 2368 wrote to memory of 2988 2368 Efeqdhnq.exe 43 PID 2368 wrote to memory of 2988 2368 Efeqdhnq.exe 43 PID 2368 wrote to memory of 2988 2368 Efeqdhnq.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c7e548f4eece455dbb83a131c5a3c80_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\7c7e548f4eece455dbb83a131c5a3c80_NEIKI.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Dncipddb.exeC:\Windows\system32\Dncipddb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Djjjee32.exeC:\Windows\system32\Djjjee32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Dipgfa32.exeC:\Windows\system32\Dipgfa32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Dibdla32.exeC:\Windows\system32\Dibdla32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Didqaqji.exeC:\Windows\system32\Didqaqji.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Dnaijghp.exeC:\Windows\system32\Dnaijghp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Eabbkbea.exeC:\Windows\system32\Eabbkbea.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Ehljhmmn.exeC:\Windows\system32\Ehljhmmn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Emkofcic.exeC:\Windows\system32\Emkofcic.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Ehqccl32.exeC:\Windows\system32\Ehqccl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Efcdoipc.exeC:\Windows\system32\Efcdoipc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Eiapkdog.exeC:\Windows\system32\Eiapkdog.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Eaihlapi.exeC:\Windows\system32\Eaihlapi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Edgdhmom.exeC:\Windows\system32\Edgdhmom.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Efeqdhnq.exeC:\Windows\system32\Efeqdhnq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Eidmqdmd.exeC:\Windows\system32\Eidmqdmd.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Elbimplh.exeC:\Windows\system32\Elbimplh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1060 -
C:\Windows\SysWOW64\Fdianmmj.exeC:\Windows\system32\Fdianmmj.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:620 -
C:\Windows\SysWOW64\Fblaii32.exeC:\Windows\system32\Fblaii32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1144 -
C:\Windows\SysWOW64\Fekneebh.exeC:\Windows\system32\Fekneebh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Fmbefbck.exeC:\Windows\system32\Fmbefbck.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Flefbo32.exeC:\Windows\system32\Flefbo32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Fbonoiab.exeC:\Windows\system32\Fbonoiab.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:624 -
C:\Windows\SysWOW64\Femjkdqf.exeC:\Windows\system32\Femjkdqf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Fhlfgppj.exeC:\Windows\system32\Fhlfgppj.exe26⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Holacm32.exeC:\Windows\system32\Holacm32.exe27⤵
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Hchmdklc.exeC:\Windows\system32\Hchmdklc.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Hakmph32.exeC:\Windows\system32\Hakmph32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Hheelbjj.exeC:\Windows\system32\Hheelbjj.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Hlpamq32.exeC:\Windows\system32\Hlpamq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Hnandi32.exeC:\Windows\system32\Hnandi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Hdkfacpo.exeC:\Windows\system32\Hdkfacpo.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Hgjbmoob.exeC:\Windows\system32\Hgjbmoob.exe34⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Haogkgoh.exeC:\Windows\system32\Haogkgoh.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Hqbgfd32.exeC:\Windows\system32\Hqbgfd32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Hhioga32.exeC:\Windows\system32\Hhioga32.exe37⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Hjkkojlc.exeC:\Windows\system32\Hjkkojlc.exe38⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Hbbcpg32.exeC:\Windows\system32\Hbbcpg32.exe39⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Hdpplb32.exeC:\Windows\system32\Hdpplb32.exe40⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Hgolhn32.exeC:\Windows\system32\Hgolhn32.exe41⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Imkdqe32.exeC:\Windows\system32\Imkdqe32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Idblbb32.exeC:\Windows\system32\Idblbb32.exe43⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Igainn32.exeC:\Windows\system32\Igainn32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Imnafd32.exeC:\Windows\system32\Imnafd32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Igcecmfg.exeC:\Windows\system32\Igcecmfg.exe46⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe47⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:636 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe49⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Ibmfdkcf.exeC:\Windows\system32\Ibmfdkcf.exe50⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Ifhbdj32.exeC:\Windows\system32\Ifhbdj32.exe51⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Ijdnehci.exeC:\Windows\system32\Ijdnehci.exe52⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:488 -
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Ioagno32.exeC:\Windows\system32\Ioagno32.exe55⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe56⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Ibocjk32.exeC:\Windows\system32\Ibocjk32.exe57⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe59⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe60⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe61⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Jkjdhpea.exeC:\Windows\system32\Jkjdhpea.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe64⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1080 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe68⤵PID:1844
-
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe69⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe70⤵PID:2748
-
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Jnmjok32.exeC:\Windows\system32\Jnmjok32.exe72⤵PID:2564
-
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe74⤵PID:1136
-
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe76⤵
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe77⤵PID:1700
-
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2904 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe80⤵PID:2976
-
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe81⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe82⤵PID:2816
-
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe83⤵PID:2768
-
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe85⤵PID:1552
-
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe86⤵PID:2520
-
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe87⤵
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe88⤵PID:1300
-
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe89⤵
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe90⤵PID:856
-
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe91⤵
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe92⤵
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe93⤵PID:1736
-
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe94⤵PID:2860
-
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe95⤵PID:2612
-
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe96⤵PID:2900
-
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe97⤵PID:2764
-
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe99⤵
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe100⤵PID:2412
-
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe101⤵
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe102⤵PID:1608
-
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe103⤵PID:1572
-
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe104⤵PID:2180
-
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe107⤵PID:1792
-
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe108⤵PID:1296
-
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe109⤵
- Drops file in System32 directory
PID:600 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe110⤵PID:1620
-
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe111⤵PID:2304
-
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe113⤵PID:356
-
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe114⤵
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe115⤵PID:1676
-
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe116⤵PID:1176
-
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe117⤵PID:2908
-
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe118⤵PID:324
-
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe119⤵PID:2656
-
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe120⤵
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe121⤵PID:2004
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-