Analysis
-
max time kernel
142s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
08-05-2024 04:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c6c374b4fdde220024f380301c0d2410_NEIKI.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
c6c374b4fdde220024f380301c0d2410_NEIKI.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
c6c374b4fdde220024f380301c0d2410_NEIKI.exe
-
Size
1.4MB
-
MD5
c6c374b4fdde220024f380301c0d2410
-
SHA1
65a342c0a49c27997ef17c31b6ad60f37dd90b9d
-
SHA256
3aa3d3296a7dd8f6ecd6bbe27bb38494116cc1cdc52f5003c4c7c79d6a19fbf8
-
SHA512
6a7081b12d5b0e149a53ff0b9ff8f0a1751153bb4939492f9727709c84e4b32c130492d29e2965adf9d5c8c8e09121fda047a088a96cd87ba765482dd93db307
-
SSDEEP
6144:QPe/L6vlRZVJYYI49O2or9tqlFAr9a2MDmaH1a/wVUWdZeBQTbsJ:Ce/GvF/vUWLSKmaH1a/XWdZeBQTy
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocnfbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcefji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcojjmea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lldlqakb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjqhmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkiogn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oopnlacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphbeplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppoqge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfagipa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaceodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhfagipa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkafo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmgbdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbplbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dookgcij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fllnlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgagfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckjkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiekid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbllihbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjmaaddo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcefji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbmmcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcbellac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbllihbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leonofpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odeiibdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afkdakjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdoclk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmahdggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkcdafqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmoipopd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aehboi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coelaaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cddaphkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqacic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebinic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oancnfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncjqhmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdlhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqlafm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebpkce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elmigj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiepfgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpcmpijk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agdjkogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdacop32.exe -
Executes dropped EXE 64 IoCs
pid Process 2768 Pjmodopf.exe 2588 Pjpkjond.exe 2584 Ppoqge32.exe 2472 Pbmmcq32.exe 2348 Pndniaop.exe 2608 Qjknnbed.exe 1984 Qaefjm32.exe 2704 Adjigg32.exe 2876 Afiecb32.exe 1672 Ajdadamj.exe 1220 Admemg32.exe 852 Bbflib32.exe 1164 Begeknan.exe 2224 Bhfagipa.exe 592 Bnefdp32.exe 1516 Bdooajdc.exe 1920 Cjpqdp32.exe 2404 Clomqk32.exe 1328 Cjbmjplb.exe 1580 Ckdjbh32.exe 280 Copfbfjj.exe 1932 Cfinoq32.exe 788 Clcflkic.exe 1776 Ckffgg32.exe 2076 Dqhhknjp.exe 1068 Dkmmhf32.exe 2520 Djpmccqq.exe 2532 Dmoipopd.exe 2596 Dchali32.exe 2616 Dfgmhd32.exe 2436 Djbiicon.exe 2640 Dqlafm32.exe 2572 Doobajme.exe 2256 Dgfjbgmh.exe 2040 Epaogi32.exe 2328 Ebpkce32.exe 2456 Ejgcdb32.exe 2116 Emeopn32.exe 2980 Epdkli32.exe 608 Ebbgid32.exe 112 Eilpeooq.exe 1900 Ekklaj32.exe 412 Ebedndfa.exe 3016 Elmigj32.exe 1180 Eajaoq32.exe 924 Egdilkbf.exe 792 Ennaieib.exe 2996 Ebinic32.exe 892 Ealnephf.exe 1964 Fckjalhj.exe 1728 Fnpnndgp.exe 2592 Faokjpfd.exe 2816 Fhhcgj32.exe 2900 Ffkcbgek.exe 2828 Fjgoce32.exe 1904 Fmekoalh.exe 2912 Fpdhklkl.exe 2720 Fdoclk32.exe 2796 Ffnphf32.exe 2672 Fjilieka.exe 2908 Filldb32.exe 1096 Facdeo32.exe 2780 Ffpmnf32.exe 1004 Ffpmnf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2808 c6c374b4fdde220024f380301c0d2410_NEIKI.exe 2808 c6c374b4fdde220024f380301c0d2410_NEIKI.exe 2768 Pjmodopf.exe 2768 Pjmodopf.exe 2588 Pjpkjond.exe 2588 Pjpkjond.exe 2584 Ppoqge32.exe 2584 Ppoqge32.exe 2472 Pbmmcq32.exe 2472 Pbmmcq32.exe 2348 Pndniaop.exe 2348 Pndniaop.exe 2608 Qjknnbed.exe 2608 Qjknnbed.exe 1984 Qaefjm32.exe 1984 Qaefjm32.exe 2704 Adjigg32.exe 2704 Adjigg32.exe 2876 Afiecb32.exe 2876 Afiecb32.exe 1672 Ajdadamj.exe 1672 Ajdadamj.exe 1220 Admemg32.exe 1220 Admemg32.exe 852 Bbflib32.exe 852 Bbflib32.exe 1164 Begeknan.exe 1164 Begeknan.exe 2224 Bhfagipa.exe 2224 Bhfagipa.exe 592 Bnefdp32.exe 592 Bnefdp32.exe 1516 Bdooajdc.exe 1516 Bdooajdc.exe 1920 Cjpqdp32.exe 1920 Cjpqdp32.exe 2404 Clomqk32.exe 2404 Clomqk32.exe 1328 Cjbmjplb.exe 1328 Cjbmjplb.exe 1580 Ckdjbh32.exe 1580 Ckdjbh32.exe 280 Copfbfjj.exe 280 Copfbfjj.exe 1932 Cfinoq32.exe 1932 Cfinoq32.exe 788 Clcflkic.exe 788 Clcflkic.exe 1776 Ckffgg32.exe 1776 Ckffgg32.exe 2076 Dqhhknjp.exe 2076 Dqhhknjp.exe 1068 Dkmmhf32.exe 1068 Dkmmhf32.exe 2520 Djpmccqq.exe 2520 Djpmccqq.exe 2532 Dmoipopd.exe 2532 Dmoipopd.exe 2596 Dchali32.exe 2596 Dchali32.exe 2616 Dfgmhd32.exe 2616 Dfgmhd32.exe 2436 Djbiicon.exe 2436 Djbiicon.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bdeeqehb.exe Bmkmdk32.exe File created C:\Windows\SysWOW64\Cgmgbeon.dll Mholen32.exe File created C:\Windows\SysWOW64\Gbdalp32.dll Nkpegi32.exe File created C:\Windows\SysWOW64\Oecbjjic.dll Fddmgjpo.exe File created C:\Windows\SysWOW64\Gelppaof.exe Gaqcoc32.exe File created C:\Windows\SysWOW64\Fbbkkjih.dll Mgnfhlin.exe File created C:\Windows\SysWOW64\Opacnnhp.dll Boplllob.exe File created C:\Windows\SysWOW64\Ongbcmlc.dll Fjgoce32.exe File created C:\Windows\SysWOW64\Ndpfkdmf.exe Npdjje32.exe File opened for modification C:\Windows\SysWOW64\Lndohedg.exe Ljibgg32.exe File created C:\Windows\SysWOW64\Pinfim32.dll Ennaieib.exe File opened for modification C:\Windows\SysWOW64\Hlfdkoin.exe Hhjhkq32.exe File created C:\Windows\SysWOW64\Hbfcml32.dll Lhpfqama.exe File created C:\Windows\SysWOW64\Negpnjgm.dll Mbkmlh32.exe File created C:\Windows\SysWOW64\Nadpgggp.exe Nofdklgl.exe File created C:\Windows\SysWOW64\Gmfkdm32.dll Afkdakjb.exe File created C:\Windows\SysWOW64\Lckdanld.exe Lldlqakb.exe File opened for modification C:\Windows\SysWOW64\Jgagfi32.exe Jqgoiokm.exe File created C:\Windows\SysWOW64\Lfmffhde.exe Lcojjmea.exe File opened for modification C:\Windows\SysWOW64\Blkioa32.exe Bilmcf32.exe File created C:\Windows\SysWOW64\Cqljpedj.dll Kjjmbj32.exe File created C:\Windows\SysWOW64\Ocgpappk.exe Oddpfc32.exe File opened for modification C:\Windows\SysWOW64\Qlkdkd32.exe Qfokbnip.exe File created C:\Windows\SysWOW64\Blgpef32.exe Bhkdeggl.exe File created C:\Windows\SysWOW64\Mhfkbo32.dll Henidd32.exe File opened for modification C:\Windows\SysWOW64\Jnclnihj.exe Joplbl32.exe File created C:\Windows\SysWOW64\Ohhkga32.dll Pqkmjh32.exe File created C:\Windows\SysWOW64\Mkklljmg.exe Mdacop32.exe File opened for modification C:\Windows\SysWOW64\Hiekid32.exe Hggomh32.exe File opened for modification C:\Windows\SysWOW64\Qpgpkcpp.exe Qlkdkd32.exe File created C:\Windows\SysWOW64\Epjomppp.dll Dhnmij32.exe File created C:\Windows\SysWOW64\Djbiicon.exe Dfgmhd32.exe File opened for modification C:\Windows\SysWOW64\Flmefm32.exe Fmjejphb.exe File created C:\Windows\SysWOW64\Hojopmqk.dll Hjhhocjj.exe File created C:\Windows\SysWOW64\Blleofcd.dll Llkbap32.exe File created C:\Windows\SysWOW64\Qmhccl32.dll Bfenbpec.exe File created C:\Windows\SysWOW64\Qkhgoi32.dll Jchhkjhn.exe File created C:\Windows\SysWOW64\Nmbknddp.exe Nckjkl32.exe File created C:\Windows\SysWOW64\Bmfmjjgm.dll Abjebn32.exe File created C:\Windows\SysWOW64\Lmgocb32.exe Lndohedg.exe File created C:\Windows\SysWOW64\Pndaof32.dll Pbmmcq32.exe File opened for modification C:\Windows\SysWOW64\Eilpeooq.exe Ebbgid32.exe File opened for modification C:\Windows\SysWOW64\Fenmdm32.exe Ffklhqao.exe File opened for modification C:\Windows\SysWOW64\Pkdgpo32.exe Piekcd32.exe File opened for modification C:\Windows\SysWOW64\Logbhl32.exe Lijjoe32.exe File created C:\Windows\SysWOW64\Aphdelhp.dll Enfenplo.exe File created C:\Windows\SysWOW64\Pljpdpao.dll Hcnpbi32.exe File created C:\Windows\SysWOW64\Phoccb32.dll Jbjochdi.exe File created C:\Windows\SysWOW64\Khknah32.dll Fjaonpnn.exe File created C:\Windows\SysWOW64\Pkdgpo32.exe Piekcd32.exe File created C:\Windows\SysWOW64\Oceaboqg.dll Nkiogn32.exe File opened for modification C:\Windows\SysWOW64\Dpbheh32.exe Dlgldibq.exe File created C:\Windows\SysWOW64\Aloeodfi.dll Ffpmnf32.exe File opened for modification C:\Windows\SysWOW64\Fbopgb32.exe Fbmcbbki.exe File created C:\Windows\SysWOW64\Ihfhdp32.dll Hdqbekcm.exe File created C:\Windows\SysWOW64\Njqaac32.dll Ebpkce32.exe File created C:\Windows\SysWOW64\Fjgoce32.exe Ffkcbgek.exe File created C:\Windows\SysWOW64\Qaefjm32.exe Qjknnbed.exe File opened for modification C:\Windows\SysWOW64\Fpngfgle.exe Fmpkjkma.exe File created C:\Windows\SysWOW64\Lmpgcm32.dll Ollajp32.exe File created C:\Windows\SysWOW64\Dqhhknjp.exe Ckffgg32.exe File opened for modification C:\Windows\SysWOW64\Gangic32.exe Gpmjak32.exe File created C:\Windows\SysWOW64\Pnajilng.exe Pjenhm32.exe File created C:\Windows\SysWOW64\Bhkdeggl.exe Bhigphio.exe -
Program crash 1 IoCs
pid pid_target Process 5768 5884 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffdil32.dll" Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmjak32.dll" Ocgpappk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkcdafqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Admemg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hipkdnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogbjdmj.dll" Ikhjki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhjbjopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caknol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoacn32.dll" Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll" Dliijipn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emdipg32.dll" Ifnechbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Linphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohendqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doobajme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgagfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkihhhnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jofbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nglknl32.dll" Qcpofbjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcjcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgaqoq32.dll" Hanlnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okdkal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcaiqm32.dll" Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmgjljo.dll" Ieidmbcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfegbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghelfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jchhkjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almjnp32.dll" Mooaljkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npdjje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlgldibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haloha32.dll" Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkjfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfila32.dll" Pckoam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blkioa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakqnc32.dll" Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhkdeggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illjbiak.dll" Edpmjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmccjbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joplbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djhphncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll" Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmmiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdignjb.dll" Nhaikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll" Pfbelipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjomppp.dll" Dhnmij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdacop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjolo32.dll" Fenmdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjhdo32.dll" Qjknnbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dinhacjp.dll" Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llnofpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Algdlcdm.dll" Gnmgmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gljnej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afldcl32.dll" Kgkafo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieqeidnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giieco32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2808 wrote to memory of 2768 2808 c6c374b4fdde220024f380301c0d2410_NEIKI.exe 28 PID 2808 wrote to memory of 2768 2808 c6c374b4fdde220024f380301c0d2410_NEIKI.exe 28 PID 2808 wrote to memory of 2768 2808 c6c374b4fdde220024f380301c0d2410_NEIKI.exe 28 PID 2808 wrote to memory of 2768 2808 c6c374b4fdde220024f380301c0d2410_NEIKI.exe 28 PID 2768 wrote to memory of 2588 2768 Pjmodopf.exe 29 PID 2768 wrote to memory of 2588 2768 Pjmodopf.exe 29 PID 2768 wrote to memory of 2588 2768 Pjmodopf.exe 29 PID 2768 wrote to memory of 2588 2768 Pjmodopf.exe 29 PID 2588 wrote to memory of 2584 2588 Pjpkjond.exe 30 PID 2588 wrote to memory of 2584 2588 Pjpkjond.exe 30 PID 2588 wrote to memory of 2584 2588 Pjpkjond.exe 30 PID 2588 wrote to memory of 2584 2588 Pjpkjond.exe 30 PID 2584 wrote to memory of 2472 2584 Ppoqge32.exe 31 PID 2584 wrote to memory of 2472 2584 Ppoqge32.exe 31 PID 2584 wrote to memory of 2472 2584 Ppoqge32.exe 31 PID 2584 wrote to memory of 2472 2584 Ppoqge32.exe 31 PID 2472 wrote to memory of 2348 2472 Pbmmcq32.exe 32 PID 2472 wrote to memory of 2348 2472 Pbmmcq32.exe 32 PID 2472 wrote to memory of 2348 2472 Pbmmcq32.exe 32 PID 2472 wrote to memory of 2348 2472 Pbmmcq32.exe 32 PID 2348 wrote to memory of 2608 2348 Pndniaop.exe 33 PID 2348 wrote to memory of 2608 2348 Pndniaop.exe 33 PID 2348 wrote to memory of 2608 2348 Pndniaop.exe 33 PID 2348 wrote to memory of 2608 2348 Pndniaop.exe 33 PID 2608 wrote to memory of 1984 2608 Qjknnbed.exe 34 PID 2608 wrote to memory of 1984 2608 Qjknnbed.exe 34 PID 2608 wrote to memory of 1984 2608 Qjknnbed.exe 34 PID 2608 wrote to memory of 1984 2608 Qjknnbed.exe 34 PID 1984 wrote to memory of 2704 1984 Qaefjm32.exe 35 PID 1984 wrote to memory of 2704 1984 Qaefjm32.exe 35 PID 1984 wrote to memory of 2704 1984 Qaefjm32.exe 35 PID 1984 wrote to memory of 2704 1984 Qaefjm32.exe 35 PID 2704 wrote to memory of 2876 2704 Adjigg32.exe 36 PID 2704 wrote to memory of 2876 2704 Adjigg32.exe 36 PID 2704 wrote to memory of 2876 2704 Adjigg32.exe 36 PID 2704 wrote to memory of 2876 2704 Adjigg32.exe 36 PID 2876 wrote to memory of 1672 2876 Afiecb32.exe 37 PID 2876 wrote to memory of 1672 2876 Afiecb32.exe 37 PID 2876 wrote to memory of 1672 2876 Afiecb32.exe 37 PID 2876 wrote to memory of 1672 2876 Afiecb32.exe 37 PID 1672 wrote to memory of 1220 1672 Ajdadamj.exe 38 PID 1672 wrote to memory of 1220 1672 Ajdadamj.exe 38 PID 1672 wrote to memory of 1220 1672 Ajdadamj.exe 38 PID 1672 wrote to memory of 1220 1672 Ajdadamj.exe 38 PID 1220 wrote to memory of 852 1220 Admemg32.exe 39 PID 1220 wrote to memory of 852 1220 Admemg32.exe 39 PID 1220 wrote to memory of 852 1220 Admemg32.exe 39 PID 1220 wrote to memory of 852 1220 Admemg32.exe 39 PID 852 wrote to memory of 1164 852 Bbflib32.exe 40 PID 852 wrote to memory of 1164 852 Bbflib32.exe 40 PID 852 wrote to memory of 1164 852 Bbflib32.exe 40 PID 852 wrote to memory of 1164 852 Bbflib32.exe 40 PID 1164 wrote to memory of 2224 1164 Begeknan.exe 41 PID 1164 wrote to memory of 2224 1164 Begeknan.exe 41 PID 1164 wrote to memory of 2224 1164 Begeknan.exe 41 PID 1164 wrote to memory of 2224 1164 Begeknan.exe 41 PID 2224 wrote to memory of 592 2224 Bhfagipa.exe 42 PID 2224 wrote to memory of 592 2224 Bhfagipa.exe 42 PID 2224 wrote to memory of 592 2224 Bhfagipa.exe 42 PID 2224 wrote to memory of 592 2224 Bhfagipa.exe 42 PID 592 wrote to memory of 1516 592 Bnefdp32.exe 43 PID 592 wrote to memory of 1516 592 Bnefdp32.exe 43 PID 592 wrote to memory of 1516 592 Bnefdp32.exe 43 PID 592 wrote to memory of 1516 592 Bnefdp32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6c374b4fdde220024f380301c0d2410_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\c6c374b4fdde220024f380301c0d2410_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1328 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:280 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:788 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe35⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe36⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe38⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe39⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe40⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:608 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe42⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe43⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe44⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1180 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe47⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:792 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe50⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe51⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe53⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe54⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe58⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe60⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe61⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe62⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe63⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1004 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe66⤵
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe67⤵
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe68⤵PID:2084
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1168 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe70⤵PID:1256
-
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe71⤵PID:2136
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe72⤵
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe73⤵PID:384
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe74⤵PID:2056
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe76⤵PID:2788
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe77⤵
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe78⤵PID:240
-
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe79⤵
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe80⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe81⤵PID:1888
-
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe82⤵
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe83⤵PID:2300
-
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe84⤵PID:2344
-
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe85⤵PID:2164
-
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe86⤵PID:2748
-
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe87⤵PID:2752
-
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe88⤵PID:2760
-
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe89⤵PID:1648
-
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe90⤵
- Drops file in System32 directory
PID:1332 -
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1536 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe92⤵PID:1556
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe93⤵PID:2800
-
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe94⤵
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2272 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe96⤵
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe97⤵
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe98⤵PID:2452
-
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe99⤵PID:2400
-
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe100⤵
- Drops file in System32 directory
PID:1216 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe101⤵PID:1908
-
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe102⤵PID:2244
-
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe103⤵
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe104⤵PID:472
-
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe105⤵PID:1252
-
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe106⤵PID:2340
-
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe107⤵PID:564
-
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe108⤵PID:3068
-
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe109⤵PID:2576
-
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe110⤵PID:1956
-
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe111⤵PID:2252
-
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe112⤵PID:2020
-
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe113⤵PID:3012
-
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe114⤵
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1972 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe116⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe117⤵PID:2580
-
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe118⤵PID:1772
-
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe119⤵
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe120⤵PID:2820
-
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe121⤵PID:2480
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-