Analysis
-
max time kernel
139s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
08-05-2024 05:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dc3bfad623cc143e725dab27f7951db0_NEIKI.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
dc3bfad623cc143e725dab27f7951db0_NEIKI.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
dc3bfad623cc143e725dab27f7951db0_NEIKI.exe
-
Size
704KB
-
MD5
dc3bfad623cc143e725dab27f7951db0
-
SHA1
fc3022584f7f2663ff2e3f233a24594f19f77154
-
SHA256
0c5cd662b4488e9392bfb34ef8b558ccd163cd0032e21ad8f657d5118eed6459
-
SHA512
67fedde49f432a499acc670382d4f0aff248ae8215e69806f2c1dac529a820de045cd2688262e2e9e53df051a0516aaac7f8dd8045a54b749ffc75b37a78aed6
-
SSDEEP
12288:huGaph2kkkkK4kXkkkkkkkkl888888888888888888nusMH0QiRLsR4P377a20Rw:huGaph2kkkkK4kXkkkkkkkkhLX3a20Rw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqpgdfnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpocjdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnjbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkjmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgdbkohf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liekmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcepkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkncdifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pclneicb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaqcbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njljefql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjjppmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpocjdld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkbchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chpada32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clpgpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifllil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgidml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bopgjmhe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjlklok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpjkojk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckbqpnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cahfmgoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekjfcipa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcfqfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdmga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nngokoej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofnckp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnnjen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahhblemi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iicbehnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ippggbck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdbhcck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lphoelqn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acqimo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcgohig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgghhlhq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gododflk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lphoelqn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfaigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcckif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmpgldhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgjjnlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icgjmapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndokbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbgqohi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migjoaaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbddcoei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgokmgjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplmmfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiikak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pengdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dldpkoil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfolbmje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aepefb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nacbfdao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjpaooda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Migjoaaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfaigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peimil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Himldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leihbeib.exe -
Executes dropped EXE 64 IoCs
pid Process 2656 Iabgaklg.exe 1728 Imihfl32.exe 1852 Jfaloa32.exe 2780 Jplmmfmi.exe 5032 Jbkjjblm.exe 1704 Jfhbppbc.exe 1800 Jkdnpo32.exe 2512 Jangmibi.exe 1552 Jdmcidam.exe 2908 Jfkoeppq.exe 4804 Jiikak32.exe 2264 Kaqcbi32.exe 3720 Kbapjafe.exe 4580 Kkihknfg.exe 1204 Kacphh32.exe 316 Kpepcedo.exe 1516 Kbdmpqcb.exe 3704 Kinemkko.exe 1748 Kmjqmi32.exe 3432 Kphmie32.exe 4216 Kdcijcke.exe 4584 Kgbefoji.exe 4300 Kknafn32.exe 2480 Kipabjil.exe 400 Kagichjo.exe 1272 Kpjjod32.exe 4644 Kdffocib.exe 1388 Kgdbkohf.exe 3140 Kibnhjgj.exe 4412 Kajfig32.exe 1936 Kdhbec32.exe 1384 Kckbqpnj.exe 3976 Liekmj32.exe 4292 Lalcng32.exe 4568 Lpocjdld.exe 4912 Lcmofolg.exe 1464 Lgikfn32.exe 4256 Liggbi32.exe 1896 Lmccchkn.exe 4432 Lpappc32.exe 5060 Ldmlpbbj.exe 2600 Lgkhlnbn.exe 3928 Lijdhiaa.exe 4440 Laalifad.exe 536 Ldohebqh.exe 5056 Lgneampk.exe 616 Lnhmng32.exe 1056 Lpfijcfl.exe 3948 Ldaeka32.exe 1248 Lgpagm32.exe 4428 Ljnnch32.exe 2568 Laefdf32.exe 1656 Lddbqa32.exe 2584 Lgbnmm32.exe 4928 Lknjmkdo.exe 2644 Mnlfigcc.exe 3636 Mpkbebbf.exe 1504 Mciobn32.exe 3572 Mkpgck32.exe 1224 Mjcgohig.exe 3664 Majopeii.exe 5012 Mdiklqhm.exe 2576 Mgghhlhq.exe 2080 Mkbchk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mkepnjng.exe Mgidml32.exe File created C:\Windows\SysWOW64\Ophfae32.dll Fooeif32.exe File opened for modification C:\Windows\SysWOW64\Llemdo32.exe Ligqhc32.exe File created C:\Windows\SysWOW64\Nphhmj32.exe Ngpccdlj.exe File opened for modification C:\Windows\SysWOW64\Kacphh32.exe Kkihknfg.exe File created C:\Windows\SysWOW64\Legdcg32.dll Njljefql.exe File created C:\Windows\SysWOW64\Clkooklb.dll Ghlcnk32.exe File created C:\Windows\SysWOW64\Kmncnb32.exe Kfckahdj.exe File opened for modification C:\Windows\SysWOW64\Bmngqdpj.exe Bcebhoii.exe File created C:\Windows\SysWOW64\Mfpoqooh.dll Jdmcidam.exe File created C:\Windows\SysWOW64\Kdhbec32.exe Kajfig32.exe File created C:\Windows\SysWOW64\Lpocjdld.exe Lalcng32.exe File created C:\Windows\SysWOW64\Dajbcgdm.dll Baocghgi.exe File opened for modification C:\Windows\SysWOW64\Klgqcqkl.exe Kemhff32.exe File created C:\Windows\SysWOW64\Miemjaci.exe Mdhdajea.exe File created C:\Windows\SysWOW64\Oddmdf32.exe Oqfdnhfk.exe File created C:\Windows\SysWOW64\Kipabjil.exe Kknafn32.exe File opened for modification C:\Windows\SysWOW64\Okeieh32.exe Nbmelbid.exe File opened for modification C:\Windows\SysWOW64\Heapdjlp.exe Hcpclbfa.exe File opened for modification C:\Windows\SysWOW64\Pkaiqf32.exe Pcjapi32.exe File created C:\Windows\SysWOW64\Ahhblemi.exe Acmflf32.exe File created C:\Windows\SysWOW64\Acbmpm32.dll Eapedd32.exe File created C:\Windows\SysWOW64\Kngpec32.dll Deagdn32.exe File created C:\Windows\SysWOW64\Laalifad.exe Lijdhiaa.exe File opened for modification C:\Windows\SysWOW64\Majopeii.exe Mjcgohig.exe File opened for modification C:\Windows\SysWOW64\Qajadlja.exe Qnkdhpjn.exe File created C:\Windows\SysWOW64\Cklaknjd.exe Cliaoq32.exe File opened for modification C:\Windows\SysWOW64\Dkoggkjo.exe Dhpjkojk.exe File opened for modification C:\Windows\SysWOW64\Lbabgh32.exe Llgjjnlj.exe File created C:\Windows\SysWOW64\Kmfiloih.dll Acqimo32.exe File created C:\Windows\SysWOW64\Ejdofn32.dll Cbjoljdo.exe File opened for modification C:\Windows\SysWOW64\Hmjdjgjo.exe Hecmijim.exe File created C:\Windows\SysWOW64\Ippohl32.dll Jmmjgejj.exe File created C:\Windows\SysWOW64\Pmdfog32.dll Kbceejpf.exe File opened for modification C:\Windows\SysWOW64\Lalcng32.exe Liekmj32.exe File opened for modification C:\Windows\SysWOW64\Pbmncp32.exe Pjffbc32.exe File opened for modification C:\Windows\SysWOW64\Alabgd32.exe Aegikj32.exe File created C:\Windows\SysWOW64\Bjbndobo.exe Bhdbhcck.exe File created C:\Windows\SysWOW64\Nhdlom32.dll Fdnjgmle.exe File created C:\Windows\SysWOW64\Kkbljp32.dll Pgefeajb.exe File opened for modification C:\Windows\SysWOW64\Jbjcolha.exe Jplfcpin.exe File opened for modification C:\Windows\SysWOW64\Jiikak32.exe Jfkoeppq.exe File created C:\Windows\SysWOW64\Ichhhi32.dll Jiikak32.exe File opened for modification C:\Windows\SysWOW64\Laalifad.exe Lijdhiaa.exe File created C:\Windows\SysWOW64\Jbllbm32.dll Pbmncp32.exe File created C:\Windows\SysWOW64\Dohfbj32.exe Dlijfneg.exe File opened for modification C:\Windows\SysWOW64\Jimekgff.exe Jfoiokfb.exe File created C:\Windows\SysWOW64\Eifbkgjd.dll Jimekgff.exe File created C:\Windows\SysWOW64\Lbabgh32.exe Llgjjnlj.exe File created C:\Windows\SysWOW64\Lljfpnjg.exe Likjcbkc.exe File opened for modification C:\Windows\SysWOW64\Pgefeajb.exe Ojaelm32.exe File opened for modification C:\Windows\SysWOW64\Balpgb32.exe Bmngqdpj.exe File created C:\Windows\SysWOW64\Mjmcmj32.dll Pqpnombl.exe File created C:\Windows\SysWOW64\Aneonqmj.dll Bjdkjo32.exe File created C:\Windows\SysWOW64\Jfnbea32.dll Klljnp32.exe File created C:\Windows\SysWOW64\Libddmim.dll Bnnjen32.exe File created C:\Windows\SysWOW64\Iemkcl32.dll Pkaiqf32.exe File opened for modification C:\Windows\SysWOW64\Iefioj32.exe Hcdmga32.exe File opened for modification C:\Windows\SysWOW64\Ngpccdlj.exe Nngokoej.exe File created C:\Windows\SysWOW64\Nacbfdao.exe Njljefql.exe File opened for modification C:\Windows\SysWOW64\Ajfoiqll.exe Ahhblemi.exe File opened for modification C:\Windows\SysWOW64\Bhdbhcck.exe Bdhfhe32.exe File created C:\Windows\SysWOW64\Ipenkiei.dll Ddbbeade.exe File opened for modification C:\Windows\SysWOW64\Gdhmnlcj.exe Gcfqfc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9880 9320 WerFault.exe 479 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll" Jdmcidam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll" Lgikfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll" Lnhmng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjnop32.dll" Imakkfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll" Pmfhig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdhhdlid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcmofolg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnepdqjg.dll" Edihepnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqkdcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clpgpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbjoljdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmncnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldleel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chncif32.dll" Edpnfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbcedcn.dll" Ipbdmaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfaklh32.dll" Kemhff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgneampk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lddbqa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkceffcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienanm32.dll" Cbqlfkmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okeieh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ophfae32.dll" Fooeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdnidn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgmek32.dll" Baaplhef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdiklqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll" Ncgkcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbnafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngpccdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkncdifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfmepi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbfkbhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll" Oneklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oneklm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmccchkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpappc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpkbebbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkmhlekj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngpccdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbllbibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdlnbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdeoemeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmfhig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfaloa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgikfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll" Njogjfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clpgpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iemppiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll" Mmpijp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njfmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcjapi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipknlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbceejpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmbcpkhj.dll" Bbifelba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkkfn32.dll" Lingibiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll" Oddmdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdofn32.dll" Cbjoljdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjgdmkj.dll" Fkffog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kemhff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebinhj32.dll" Mpjlklok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll" Lmccchkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgllfjld.dll" Pjkombfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmjlcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbgdlq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4812 wrote to memory of 2656 4812 dc3bfad623cc143e725dab27f7951db0_NEIKI.exe 84 PID 4812 wrote to memory of 2656 4812 dc3bfad623cc143e725dab27f7951db0_NEIKI.exe 84 PID 4812 wrote to memory of 2656 4812 dc3bfad623cc143e725dab27f7951db0_NEIKI.exe 84 PID 2656 wrote to memory of 1728 2656 Iabgaklg.exe 85 PID 2656 wrote to memory of 1728 2656 Iabgaklg.exe 85 PID 2656 wrote to memory of 1728 2656 Iabgaklg.exe 85 PID 1728 wrote to memory of 1852 1728 Imihfl32.exe 87 PID 1728 wrote to memory of 1852 1728 Imihfl32.exe 87 PID 1728 wrote to memory of 1852 1728 Imihfl32.exe 87 PID 1852 wrote to memory of 2780 1852 Jfaloa32.exe 89 PID 1852 wrote to memory of 2780 1852 Jfaloa32.exe 89 PID 1852 wrote to memory of 2780 1852 Jfaloa32.exe 89 PID 2780 wrote to memory of 5032 2780 Jplmmfmi.exe 90 PID 2780 wrote to memory of 5032 2780 Jplmmfmi.exe 90 PID 2780 wrote to memory of 5032 2780 Jplmmfmi.exe 90 PID 5032 wrote to memory of 1704 5032 Jbkjjblm.exe 92 PID 5032 wrote to memory of 1704 5032 Jbkjjblm.exe 92 PID 5032 wrote to memory of 1704 5032 Jbkjjblm.exe 92 PID 1704 wrote to memory of 1800 1704 Jfhbppbc.exe 93 PID 1704 wrote to memory of 1800 1704 Jfhbppbc.exe 93 PID 1704 wrote to memory of 1800 1704 Jfhbppbc.exe 93 PID 1800 wrote to memory of 2512 1800 Jkdnpo32.exe 94 PID 1800 wrote to memory of 2512 1800 Jkdnpo32.exe 94 PID 1800 wrote to memory of 2512 1800 Jkdnpo32.exe 94 PID 2512 wrote to memory of 1552 2512 Jangmibi.exe 95 PID 2512 wrote to memory of 1552 2512 Jangmibi.exe 95 PID 2512 wrote to memory of 1552 2512 Jangmibi.exe 95 PID 1552 wrote to memory of 2908 1552 Jdmcidam.exe 96 PID 1552 wrote to memory of 2908 1552 Jdmcidam.exe 96 PID 1552 wrote to memory of 2908 1552 Jdmcidam.exe 96 PID 2908 wrote to memory of 4804 2908 Jfkoeppq.exe 97 PID 2908 wrote to memory of 4804 2908 Jfkoeppq.exe 97 PID 2908 wrote to memory of 4804 2908 Jfkoeppq.exe 97 PID 4804 wrote to memory of 2264 4804 Jiikak32.exe 98 PID 4804 wrote to memory of 2264 4804 Jiikak32.exe 98 PID 4804 wrote to memory of 2264 4804 Jiikak32.exe 98 PID 2264 wrote to memory of 3720 2264 Kaqcbi32.exe 99 PID 2264 wrote to memory of 3720 2264 Kaqcbi32.exe 99 PID 2264 wrote to memory of 3720 2264 Kaqcbi32.exe 99 PID 3720 wrote to memory of 4580 3720 Kbapjafe.exe 100 PID 3720 wrote to memory of 4580 3720 Kbapjafe.exe 100 PID 3720 wrote to memory of 4580 3720 Kbapjafe.exe 100 PID 4580 wrote to memory of 1204 4580 Kkihknfg.exe 101 PID 4580 wrote to memory of 1204 4580 Kkihknfg.exe 101 PID 4580 wrote to memory of 1204 4580 Kkihknfg.exe 101 PID 1204 wrote to memory of 316 1204 Kacphh32.exe 102 PID 1204 wrote to memory of 316 1204 Kacphh32.exe 102 PID 1204 wrote to memory of 316 1204 Kacphh32.exe 102 PID 316 wrote to memory of 1516 316 Kpepcedo.exe 103 PID 316 wrote to memory of 1516 316 Kpepcedo.exe 103 PID 316 wrote to memory of 1516 316 Kpepcedo.exe 103 PID 1516 wrote to memory of 3704 1516 Kbdmpqcb.exe 104 PID 1516 wrote to memory of 3704 1516 Kbdmpqcb.exe 104 PID 1516 wrote to memory of 3704 1516 Kbdmpqcb.exe 104 PID 3704 wrote to memory of 1748 3704 Kinemkko.exe 105 PID 3704 wrote to memory of 1748 3704 Kinemkko.exe 105 PID 3704 wrote to memory of 1748 3704 Kinemkko.exe 105 PID 1748 wrote to memory of 3432 1748 Kmjqmi32.exe 106 PID 1748 wrote to memory of 3432 1748 Kmjqmi32.exe 106 PID 1748 wrote to memory of 3432 1748 Kmjqmi32.exe 106 PID 3432 wrote to memory of 4216 3432 Kphmie32.exe 107 PID 3432 wrote to memory of 4216 3432 Kphmie32.exe 107 PID 3432 wrote to memory of 4216 3432 Kphmie32.exe 107 PID 4216 wrote to memory of 4584 4216 Kdcijcke.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc3bfad623cc143e725dab27f7951db0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\dc3bfad623cc143e725dab27f7951db0_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe23⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4300 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe25⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe26⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe27⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe28⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe30⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4412 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3976 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4292 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe39⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:4432 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe42⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe43⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3928 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe45⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe46⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:5056 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:616 -
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe49⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe50⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe51⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe52⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe53⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe55⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe56⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe57⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:3636 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe59⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe60⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1224 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe62⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:5012 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe66⤵PID:3556
-
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe67⤵PID:336
-
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe68⤵PID:4316
-
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe70⤵PID:2716
-
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe71⤵PID:448
-
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:264 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe73⤵PID:4772
-
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe74⤵PID:744
-
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe75⤵PID:1596
-
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe76⤵PID:5128
-
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe77⤵PID:5164
-
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe78⤵PID:5200
-
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5272 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe81⤵PID:5312
-
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe82⤵PID:5352
-
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe83⤵
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5424 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe85⤵PID:5464
-
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe86⤵
- Modifies registry class
PID:5504 -
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5540 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe88⤵PID:5600
-
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe89⤵PID:5632
-
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe90⤵PID:5668
-
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe91⤵PID:5704
-
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe92⤵PID:5740
-
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe93⤵PID:5776
-
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe94⤵PID:5812
-
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe95⤵
- Modifies registry class
PID:5848 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe96⤵
- Drops file in System32 directory
PID:5884 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe97⤵
- Modifies registry class
PID:6056 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe98⤵PID:6112
-
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe99⤵PID:3380
-
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe100⤵PID:1192
-
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe101⤵PID:4056
-
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe102⤵
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe103⤵PID:5228
-
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:5260 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe105⤵
- Drops file in System32 directory
PID:5340 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe106⤵PID:5396
-
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe107⤵PID:3428
-
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2220 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5524 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe110⤵
- Modifies registry class
PID:388 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe111⤵
- Drops file in System32 directory
PID:5652 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe112⤵
- Drops file in System32 directory
PID:4768 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe113⤵
- Drops file in System32 directory
PID:5784 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe114⤵PID:5736
-
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe115⤵PID:4220
-
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe116⤵PID:5840
-
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe117⤵PID:5904
-
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5936 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe119⤵PID:5972
-
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe120⤵PID:5996
-
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe121⤵
- Modifies registry class
PID:6092
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-