Analysis
-
max time kernel
148s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
08-05-2024 02:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a1478c23686852cb0008c50e51b751f0_NEIKI.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a1478c23686852cb0008c50e51b751f0_NEIKI.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a1478c23686852cb0008c50e51b751f0_NEIKI.exe
-
Size
576KB
-
MD5
a1478c23686852cb0008c50e51b751f0
-
SHA1
c01fe50b65f76275d876ec12b731b8dbd1769adc
-
SHA256
2c0dcdef01bf02f93c49574db8f42e15c6482de65c602fd56c9b1e27b3c0185b
-
SHA512
2b64cd5fc2b9c8c78614ece4b7077b5da4e7e3ea4e6f720c3123ba4885889d185988f307c8c89c83c7137d720c6f93cafb14b4292aa9fc235d08f94aaa166c9a
-
SSDEEP
12288:jAsI3/lKmGyXu1jGG1wsGeBgRTGAzciETdqvZNemWrsiLk6mqgSgRDO:jpI3/lKmGyXsGG1wsLUT3IipX6
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgicg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmdepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iflmjihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deenjpcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhdegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdpkbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beackp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lncfcgeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdnfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Daacecfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llmmpcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anadojlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqdiga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccmpce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cocphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfkhndca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfohgepi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aakjdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgedmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Heliepmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjohmbpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnipkkdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfpfdeon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kajiigba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeaqig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjpdjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipeaco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eddeladm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcpgdhpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gepafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmoofdea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmgbao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdhefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jckgicnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emdeok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeckfndj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgblmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfmojcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjfkmdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcpgdhpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmmfaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aohdmdoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmfgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngbmlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hqiqjlga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Debplg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elipgofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Einjdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbobkol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehnfpifm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgjjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajnpecbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Piliii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcabd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fibcoalf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Momfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlnklcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jikeeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldpbpgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epbbkf32.exe -
Executes dropped EXE 64 IoCs
pid Process 2900 Ancefgfd.exe 2468 Bccjdnbi.exe 2520 Bffpki32.exe 2604 Cemjae32.exe 2532 Cepfgdnj.exe 2436 Cafgle32.exe 592 Caidaeak.exe 1476 Comdkipe.exe 2728 Debplg32.exe 1636 Edlfhc32.exe 1904 Ejkkfjkj.exe 2576 Edclib32.exe 956 Fbmfkkbm.exe 2068 Fkhgip32.exe 2816 Fdpkbf32.exe 268 Fnipkkdl.exe 1096 Gjbmelgm.exe 1808 Gmgpbf32.exe 692 Hfpdkl32.exe 1028 Hnkion32.exe 3044 Hpjeialg.exe 2556 Heikgh32.exe 1584 Hfmddp32.exe 2184 Jkhldafl.exe 1752 Jhlmmfef.exe 1728 Jaijak32.exe 1688 Jckgicnp.exe 2616 Kdjccf32.exe 2516 Kfnmpn32.exe 2668 Kbdmeoob.exe 2384 Kljabgnh.exe 2796 Khabghdl.exe 2348 Kfebambf.exe 2720 Lghlndfa.exe 2984 Lbnpkmfg.exe 2600 Ljieppcb.exe 1088 Lgmeid32.exe 948 Lngnfnji.exe 868 Lohjnf32.exe 2312 Ljnnko32.exe 2920 Lcfbdd32.exe 1396 Mpmcielb.exe 1732 Mmadbjkk.exe 2000 Mbnljqic.exe 1996 Mpamde32.exe 612 Mgmahg32.exe 896 Maefamlh.exe 2024 Nhakcfab.exe 1736 Nmnclmoj.exe 2424 Ndhlhg32.exe 1648 Nallalep.exe 368 Njdqka32.exe 2148 Nenakoho.exe 2628 Nlhjhi32.exe 3032 Nbbbdcgi.exe 2792 Opfbngfb.exe 2540 Oeckfndj.exe 2168 Obgkpb32.exe 1972 Odhhgkib.exe 2256 Omqlpp32.exe 1768 Odjdmjgo.exe 2392 Okdmjdol.exe 2240 Omcifpnp.exe 1952 Ohhmcinf.exe -
Loads dropped DLL 64 IoCs
pid Process 2888 a1478c23686852cb0008c50e51b751f0_NEIKI.exe 2888 a1478c23686852cb0008c50e51b751f0_NEIKI.exe 2900 Ancefgfd.exe 2900 Ancefgfd.exe 2468 Bccjdnbi.exe 2468 Bccjdnbi.exe 2520 Bffpki32.exe 2520 Bffpki32.exe 2604 Cemjae32.exe 2604 Cemjae32.exe 2532 Cepfgdnj.exe 2532 Cepfgdnj.exe 2436 Cafgle32.exe 2436 Cafgle32.exe 592 Caidaeak.exe 592 Caidaeak.exe 1476 Comdkipe.exe 1476 Comdkipe.exe 2728 Debplg32.exe 2728 Debplg32.exe 1636 Edlfhc32.exe 1636 Edlfhc32.exe 1904 Ejkkfjkj.exe 1904 Ejkkfjkj.exe 2576 Edclib32.exe 2576 Edclib32.exe 956 Fbmfkkbm.exe 956 Fbmfkkbm.exe 2068 Fkhgip32.exe 2068 Fkhgip32.exe 2816 Fdpkbf32.exe 2816 Fdpkbf32.exe 268 Fnipkkdl.exe 268 Fnipkkdl.exe 1096 Gjbmelgm.exe 1096 Gjbmelgm.exe 1808 Gmgpbf32.exe 1808 Gmgpbf32.exe 692 Hfpdkl32.exe 692 Hfpdkl32.exe 1028 Hnkion32.exe 1028 Hnkion32.exe 3044 Hpjeialg.exe 3044 Hpjeialg.exe 2556 Heikgh32.exe 2556 Heikgh32.exe 1584 Hfmddp32.exe 1584 Hfmddp32.exe 2184 Jkhldafl.exe 2184 Jkhldafl.exe 1752 Jhlmmfef.exe 1752 Jhlmmfef.exe 1728 Jaijak32.exe 1728 Jaijak32.exe 1688 Jckgicnp.exe 1688 Jckgicnp.exe 2616 Kdjccf32.exe 2616 Kdjccf32.exe 2516 Kfnmpn32.exe 2516 Kfnmpn32.exe 2668 Kbdmeoob.exe 2668 Kbdmeoob.exe 2384 Kljabgnh.exe 2384 Kljabgnh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Qbnphngk.exe Qiflohqk.exe File opened for modification C:\Windows\SysWOW64\Bbhccm32.exe Bhonjg32.exe File created C:\Windows\SysWOW64\Ejaphpnp.exe Dcghkf32.exe File opened for modification C:\Windows\SysWOW64\Ikjhki32.exe Ieponofk.exe File created C:\Windows\SysWOW64\Bleoal32.dll Hgpjhn32.exe File created C:\Windows\SysWOW64\Kcacjhob.dll Lhfefgkg.exe File opened for modification C:\Windows\SysWOW64\Daplkmbg.exe Dfkhndca.exe File created C:\Windows\SysWOW64\Jjfkmdlg.exe Ibfmmb32.exe File created C:\Windows\SysWOW64\Cfibop32.dll Pmkhjncg.exe File created C:\Windows\SysWOW64\Nklcci32.dll Bbhccm32.exe File opened for modification C:\Windows\SysWOW64\Ejaphpnp.exe Dcghkf32.exe File created C:\Windows\SysWOW64\Fiepea32.exe Fckhhgcf.exe File created C:\Windows\SysWOW64\Jkbaci32.exe Jhdegn32.exe File opened for modification C:\Windows\SysWOW64\Ieponofk.exe Icncgf32.exe File opened for modification C:\Windows\SysWOW64\Kmfpmc32.exe Khjgel32.exe File created C:\Windows\SysWOW64\Jckgicnp.exe Jaijak32.exe File created C:\Windows\SysWOW64\Hicapn32.dll Eacljf32.exe File created C:\Windows\SysWOW64\Lkfalipj.dll Elkmmodo.exe File opened for modification C:\Windows\SysWOW64\Koflgf32.exe Khldkllj.exe File opened for modification C:\Windows\SysWOW64\Ajcipc32.exe Adfqgl32.exe File created C:\Windows\SysWOW64\Ibcihh32.dll Bjbndpmd.exe File created C:\Windows\SysWOW64\Ajngeelc.dll Flocfmnl.exe File created C:\Windows\SysWOW64\Lloeec32.dll Boogmgkl.exe File created C:\Windows\SysWOW64\Hnbaif32.exe Hfpfdeon.exe File created C:\Windows\SysWOW64\Gcofmo32.dll Hnbaif32.exe File created C:\Windows\SysWOW64\Bfoeil32.exe Bpbmqe32.exe File created C:\Windows\SysWOW64\Bdmnkd32.dll Emdeok32.exe File opened for modification C:\Windows\SysWOW64\Aggiigmn.exe Ajcipc32.exe File created C:\Windows\SysWOW64\Gcgnnlle.exe Gmmfaa32.exe File created C:\Windows\SysWOW64\Jhbcjo32.dll Pcljmdmj.exe File opened for modification C:\Windows\SysWOW64\Fhdmph32.exe Fefqdl32.exe File created C:\Windows\SysWOW64\Icncgf32.exe Hfjbmb32.exe File created C:\Windows\SysWOW64\Cnkjnb32.exe Cinafkkd.exe File opened for modification C:\Windows\SysWOW64\Qmhahkdj.exe Qdompf32.exe File created C:\Windows\SysWOW64\Bbhccm32.exe Bhonjg32.exe File opened for modification C:\Windows\SysWOW64\Kbhbai32.exe Kageia32.exe File opened for modification C:\Windows\SysWOW64\Bbgqjdce.exe Bgblmk32.exe File created C:\Windows\SysWOW64\Gepafc32.exe Gjjmijme.exe File created C:\Windows\SysWOW64\Aakjdo32.exe Alnalh32.exe File opened for modification C:\Windows\SysWOW64\Lhnkffeo.exe Lnhgim32.exe File opened for modification C:\Windows\SysWOW64\Fiepea32.exe Fckhhgcf.exe File opened for modification C:\Windows\SysWOW64\Gcmamj32.exe Gnphdceh.exe File created C:\Windows\SysWOW64\Jajmjcoe.exe Jhahanie.exe File created C:\Windows\SysWOW64\Obgnhkkh.exe Olmela32.exe File created C:\Windows\SysWOW64\Qabkpdke.dll Edlfhc32.exe File opened for modification C:\Windows\SysWOW64\Kdklfe32.exe Jondnnbk.exe File created C:\Windows\SysWOW64\Lcjlnpmo.exe Lonpma32.exe File opened for modification C:\Windows\SysWOW64\Pegqpacp.exe Ppkhhjei.exe File created C:\Windows\SysWOW64\Fepjea32.exe Fennoa32.exe File created C:\Windows\SysWOW64\Npepbkgb.dll Ccpeld32.exe File opened for modification C:\Windows\SysWOW64\Ckpckece.exe Cfckcoen.exe File opened for modification C:\Windows\SysWOW64\Demaoj32.exe Dppigchi.exe File created C:\Windows\SysWOW64\Debplg32.exe Comdkipe.exe File created C:\Windows\SysWOW64\Kmhnlgkg.dll Akfkbd32.exe File created C:\Windows\SysWOW64\Ngbmlo32.exe Nqhepeai.exe File opened for modification C:\Windows\SysWOW64\Ndhlhg32.exe Nmnclmoj.exe File created C:\Windows\SysWOW64\Aohdmdoh.exe Qjklenpa.exe File opened for modification C:\Windows\SysWOW64\Fdgdji32.exe Fahhnn32.exe File created C:\Windows\SysWOW64\Hjkcebll.dll Jkhldafl.exe File created C:\Windows\SysWOW64\Njdqka32.exe Nallalep.exe File created C:\Windows\SysWOW64\Pfhmhm32.dll Eihgfd32.exe File created C:\Windows\SysWOW64\Oiafee32.exe Obgnhkkh.exe File opened for modification C:\Windows\SysWOW64\Ohipla32.exe Omckoi32.exe File opened for modification C:\Windows\SysWOW64\Dpnladjl.exe Cehhdkjf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6128 6100 WerFault.exe 454 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfnmpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dldlhdpl.dll" Kdklfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okqcnknc.dll" Eeiheo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qbnphngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmma32.dll" Agglbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agihgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inbnhihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adfbpega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adfbpega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npepbkgb.dll" Ccpeld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmdbnnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll" Alnalh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojbbmnhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmmpolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdgdji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdkjdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipeaco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpfmmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fepjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgkonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljnnko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekfpmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njjhknaf.dll" Odkgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebenek32.dll" Jedehaea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljnnko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lclicpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahebaiac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjfkmdlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eddeladm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll" Bjmeiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cepipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll" Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfcho32.dll" Bnnaoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnpkl32.dll" Iahkpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jojkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaded32.dll" Pdgmlhha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggkibhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbbccgmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhndalhm.dll" Qackpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Decimbli.dll" Kekiphge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhpmg32.dll" Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diijaiep.dll" Jhahanie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecikhmn.dll" Ngbmlo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phfoee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fliook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdnfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caejbmia.dll" Iinhdmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daehjl32.dll" Bccjdnbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jaijak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppkhhjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egpfmb32.dll" Kpdjaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qiflohqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcbnpgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mommgm32.dll" Dcbnpgkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejaphpnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njdqka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendoajo.dll" Aakjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknodfcm.dll" Opfegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklcci32.dll" Bbhccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eopphehb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkbgckgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phqmgg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2888 wrote to memory of 2900 2888 a1478c23686852cb0008c50e51b751f0_NEIKI.exe 28 PID 2888 wrote to memory of 2900 2888 a1478c23686852cb0008c50e51b751f0_NEIKI.exe 28 PID 2888 wrote to memory of 2900 2888 a1478c23686852cb0008c50e51b751f0_NEIKI.exe 28 PID 2888 wrote to memory of 2900 2888 a1478c23686852cb0008c50e51b751f0_NEIKI.exe 28 PID 2900 wrote to memory of 2468 2900 Ancefgfd.exe 424 PID 2900 wrote to memory of 2468 2900 Ancefgfd.exe 424 PID 2900 wrote to memory of 2468 2900 Ancefgfd.exe 424 PID 2900 wrote to memory of 2468 2900 Ancefgfd.exe 424 PID 2468 wrote to memory of 2520 2468 Bccjdnbi.exe 30 PID 2468 wrote to memory of 2520 2468 Bccjdnbi.exe 30 PID 2468 wrote to memory of 2520 2468 Bccjdnbi.exe 30 PID 2468 wrote to memory of 2520 2468 Bccjdnbi.exe 30 PID 2520 wrote to memory of 2604 2520 Bffpki32.exe 408 PID 2520 wrote to memory of 2604 2520 Bffpki32.exe 408 PID 2520 wrote to memory of 2604 2520 Bffpki32.exe 408 PID 2520 wrote to memory of 2604 2520 Bffpki32.exe 408 PID 2604 wrote to memory of 2532 2604 Cemjae32.exe 32 PID 2604 wrote to memory of 2532 2604 Cemjae32.exe 32 PID 2604 wrote to memory of 2532 2604 Cemjae32.exe 32 PID 2604 wrote to memory of 2532 2604 Cemjae32.exe 32 PID 2532 wrote to memory of 2436 2532 Cepfgdnj.exe 33 PID 2532 wrote to memory of 2436 2532 Cepfgdnj.exe 33 PID 2532 wrote to memory of 2436 2532 Cepfgdnj.exe 33 PID 2532 wrote to memory of 2436 2532 Cepfgdnj.exe 33 PID 2436 wrote to memory of 592 2436 Cafgle32.exe 423 PID 2436 wrote to memory of 592 2436 Cafgle32.exe 423 PID 2436 wrote to memory of 592 2436 Cafgle32.exe 423 PID 2436 wrote to memory of 592 2436 Cafgle32.exe 423 PID 592 wrote to memory of 1476 592 Caidaeak.exe 35 PID 592 wrote to memory of 1476 592 Caidaeak.exe 35 PID 592 wrote to memory of 1476 592 Caidaeak.exe 35 PID 592 wrote to memory of 1476 592 Caidaeak.exe 35 PID 1476 wrote to memory of 2728 1476 Comdkipe.exe 36 PID 1476 wrote to memory of 2728 1476 Comdkipe.exe 36 PID 1476 wrote to memory of 2728 1476 Comdkipe.exe 36 PID 1476 wrote to memory of 2728 1476 Comdkipe.exe 36 PID 2728 wrote to memory of 1636 2728 Debplg32.exe 37 PID 2728 wrote to memory of 1636 2728 Debplg32.exe 37 PID 2728 wrote to memory of 1636 2728 Debplg32.exe 37 PID 2728 wrote to memory of 1636 2728 Debplg32.exe 37 PID 1636 wrote to memory of 1904 1636 Edlfhc32.exe 38 PID 1636 wrote to memory of 1904 1636 Edlfhc32.exe 38 PID 1636 wrote to memory of 1904 1636 Edlfhc32.exe 38 PID 1636 wrote to memory of 1904 1636 Edlfhc32.exe 38 PID 1904 wrote to memory of 2576 1904 Ejkkfjkj.exe 39 PID 1904 wrote to memory of 2576 1904 Ejkkfjkj.exe 39 PID 1904 wrote to memory of 2576 1904 Ejkkfjkj.exe 39 PID 1904 wrote to memory of 2576 1904 Ejkkfjkj.exe 39 PID 2576 wrote to memory of 956 2576 Edclib32.exe 40 PID 2576 wrote to memory of 956 2576 Edclib32.exe 40 PID 2576 wrote to memory of 956 2576 Edclib32.exe 40 PID 2576 wrote to memory of 956 2576 Edclib32.exe 40 PID 956 wrote to memory of 2068 956 Fbmfkkbm.exe 41 PID 956 wrote to memory of 2068 956 Fbmfkkbm.exe 41 PID 956 wrote to memory of 2068 956 Fbmfkkbm.exe 41 PID 956 wrote to memory of 2068 956 Fbmfkkbm.exe 41 PID 2068 wrote to memory of 2816 2068 Fkhgip32.exe 42 PID 2068 wrote to memory of 2816 2068 Fkhgip32.exe 42 PID 2068 wrote to memory of 2816 2068 Fkhgip32.exe 42 PID 2068 wrote to memory of 2816 2068 Fkhgip32.exe 42 PID 2816 wrote to memory of 268 2816 Fdpkbf32.exe 43 PID 2816 wrote to memory of 268 2816 Fdpkbf32.exe 43 PID 2816 wrote to memory of 268 2816 Fdpkbf32.exe 43 PID 2816 wrote to memory of 268 2816 Fdpkbf32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1478c23686852cb0008c50e51b751f0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\a1478c23686852cb0008c50e51b751f0_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Cemjae32.exeC:\Windows\system32\Cemjae32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Cepfgdnj.exeC:\Windows\system32\Cepfgdnj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:692 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe33⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe34⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe35⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe36⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe37⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe38⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe39⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe40⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe42⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe43⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe44⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe45⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe46⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe47⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe48⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe49⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe51⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:368 -
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe54⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe55⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe56⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe57⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe59⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe60⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe61⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe62⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe63⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe64⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe65⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe66⤵PID:696
-
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1912 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe68⤵PID:864
-
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe69⤵PID:2336
-
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe70⤵PID:2588
-
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe72⤵PID:2412
-
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe73⤵PID:572
-
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe74⤵PID:2632
-
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe75⤵PID:1092
-
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe76⤵PID:804
-
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe77⤵
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1928 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe79⤵PID:952
-
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe80⤵
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe81⤵
- Drops file in System32 directory
PID:1248 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe82⤵PID:1640
-
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe83⤵PID:1936
-
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe84⤵PID:2596
-
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1332 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2960 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe87⤵PID:2488
-
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe88⤵PID:2096
-
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe90⤵PID:2572
-
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe91⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe92⤵PID:800
-
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:840 -
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe94⤵PID:1724
-
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe95⤵
- Drops file in System32 directory
PID:1128 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe96⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832 -
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe98⤵PID:1968
-
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe100⤵
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe101⤵PID:2724
-
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe102⤵PID:1116
-
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe103⤵
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe104⤵PID:308
-
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe105⤵PID:3012
-
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe106⤵PID:2524
-
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe107⤵PID:2132
-
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe108⤵PID:2144
-
C:\Windows\SysWOW64\Fqdiga32.exeC:\Windows\system32\Fqdiga32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Ffaaoh32.exeC:\Windows\system32\Ffaaoh32.exe110⤵PID:2388
-
C:\Windows\SysWOW64\Fmkilb32.exeC:\Windows\system32\Fmkilb32.exe111⤵PID:2548
-
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe112⤵PID:3024
-
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe113⤵PID:2804
-
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe115⤵PID:3036
-
C:\Windows\SysWOW64\Gfejjgli.exeC:\Windows\system32\Gfejjgli.exe116⤵PID:2400
-
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe117⤵PID:2508
-
C:\Windows\SysWOW64\Gblkoham.exeC:\Windows\system32\Gblkoham.exe118⤵PID:1504
-
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe119⤵PID:3048
-
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe120⤵PID:2004
-
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe121⤵PID:2064
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-