Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
08/05/2024, 07:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
00788a44bfb80a675ec1f1f073f7a980_NEIKI.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
00788a44bfb80a675ec1f1f073f7a980_NEIKI.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
00788a44bfb80a675ec1f1f073f7a980_NEIKI.exe
-
Size
347KB
-
MD5
00788a44bfb80a675ec1f1f073f7a980
-
SHA1
49680d72d8eed49b661616165420c8057ca52f2a
-
SHA256
75366e9bc32050c0155160e9720dee47a592ffa5325babac39ed584790ca9229
-
SHA512
77b05c5bb8addfd904c8ef07b18833da4a2b2bd04c5e0a4d837ff490a1cb70dce59ca0830baf0de9108c58ffb5b51754a4dab126f69ee95d7d3d1a695c6d6bd6
-
SSDEEP
6144:Yx8pOnPwZUljOsT2Zwo5ix4brq2Ah1FM6234lKm3mo8Yvi4KsLTFM6234lKm3qk9:O8pOIZUljJ2ZwPx4brRGFB24lwR45FBn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfknbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mponel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnpinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgmalg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjcbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekhhadmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joaeeklp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keednado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knmhgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pklhlael.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdcpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngibaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhljdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdehon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjifhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leljop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lojomkdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ooeggp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfhladfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdniqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdehon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcagpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdcpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" 00788a44bfb80a675ec1f1f073f7a980_NEIKI.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emieil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knpemf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oobjaqaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnjdhmdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdmmdnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpiipf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hipkdnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlaeonld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmolnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihjnom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjljhjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpmlkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idnaoohk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lccdel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakphqja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkoplhip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kconkibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nialog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilfcpqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhjbjopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heihnoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljibgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngdifkpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Haiccald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meijhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ombapedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Blpjegfm.exe -
Executes dropped EXE 64 IoCs
pid Process 2480 Gkihhhnm.exe 2676 Gaemjbcg.exe 2520 Hcifgjgc.exe 2632 Hdhbam32.exe 2388 Hellne32.exe 2428 Hacmcfge.exe 2456 Iaeiieeb.exe 2692 Ikpjgkjq.exe 2808 Iggkllpe.exe 764 Inqcif32.exe 320 Jofiln32.exe 2316 Jbgbni32.exe 2816 Jkpgfn32.exe 1992 Jgidao32.exe 2424 Joplbl32.exe 2784 Kemejc32.exe 2108 Kjjmbj32.exe 3028 Keoapb32.exe 1952 Kjljhjkl.exe 240 Keanebkb.exe 932 Kjnfniii.exe 1472 Kpkofpgq.exe 792 Kjqccigf.exe 2472 Kpmlkp32.exe 1944 Kjcpii32.exe 1520 Lpphap32.exe 2528 Lemaif32.exe 2536 Lpbefoai.exe 2856 Lijjoe32.exe 2524 Logbhl32.exe 2404 Limfed32.exe 2128 Lojomkdn.exe 1508 Lhbcfa32.exe 2736 Lmolnh32.exe 2196 Mhdplq32.exe 1888 Mmahdggc.exe 2280 Mdkqqa32.exe 2732 Mihiih32.exe 2748 Mbpnanch.exe 2580 Mmfbogcn.exe 1948 Mcbjgn32.exe 1900 Mmhodf32.exe 448 Mcegmm32.exe 2208 Miooigfo.exe 988 Nolhan32.exe 1112 Nialog32.exe 1664 Ncjqhmkm.exe 1432 Nhfipcid.exe 2004 Nncahjgl.exe 1632 Nnennj32.exe 1408 Npdjje32.exe 2184 Ngnbgplj.exe 2560 Nnhkcj32.exe 2464 Ndbcpd32.exe 2612 Ojolhk32.exe 1588 Olmhdf32.exe 2656 Oddpfc32.exe 804 Ojahnj32.exe 632 Olpdjf32.exe 1264 Ocimgp32.exe 2932 Ojcecjee.exe 1564 Ombapedi.exe 2252 Obojhlbq.exe 428 Ojfaijcc.exe -
Loads dropped DLL 64 IoCs
pid Process 2180 00788a44bfb80a675ec1f1f073f7a980_NEIKI.exe 2180 00788a44bfb80a675ec1f1f073f7a980_NEIKI.exe 2480 Gkihhhnm.exe 2480 Gkihhhnm.exe 2676 Gaemjbcg.exe 2676 Gaemjbcg.exe 2520 Hcifgjgc.exe 2520 Hcifgjgc.exe 2632 Hdhbam32.exe 2632 Hdhbam32.exe 2388 Hellne32.exe 2388 Hellne32.exe 2428 Hacmcfge.exe 2428 Hacmcfge.exe 2456 Iaeiieeb.exe 2456 Iaeiieeb.exe 2692 Ikpjgkjq.exe 2692 Ikpjgkjq.exe 2808 Iggkllpe.exe 2808 Iggkllpe.exe 764 Inqcif32.exe 764 Inqcif32.exe 320 Jofiln32.exe 320 Jofiln32.exe 2316 Jbgbni32.exe 2316 Jbgbni32.exe 2816 Jkpgfn32.exe 2816 Jkpgfn32.exe 1992 Jgidao32.exe 1992 Jgidao32.exe 2424 Joplbl32.exe 2424 Joplbl32.exe 2784 Kemejc32.exe 2784 Kemejc32.exe 2108 Kjjmbj32.exe 2108 Kjjmbj32.exe 3028 Keoapb32.exe 3028 Keoapb32.exe 1952 Kjljhjkl.exe 1952 Kjljhjkl.exe 240 Keanebkb.exe 240 Keanebkb.exe 932 Kjnfniii.exe 932 Kjnfniii.exe 1472 Kpkofpgq.exe 1472 Kpkofpgq.exe 792 Kjqccigf.exe 792 Kjqccigf.exe 2472 Kpmlkp32.exe 2472 Kpmlkp32.exe 1944 Kjcpii32.exe 1944 Kjcpii32.exe 1520 Lpphap32.exe 1520 Lpphap32.exe 2528 Lemaif32.exe 2528 Lemaif32.exe 2536 Lpbefoai.exe 2536 Lpbefoai.exe 2856 Lijjoe32.exe 2856 Lijjoe32.exe 2524 Logbhl32.exe 2524 Logbhl32.exe 2404 Limfed32.exe 2404 Limfed32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lfmnmlid.dll Cgcmlcja.exe File created C:\Windows\SysWOW64\Imfegi32.dll Jkmcfhkc.exe File created C:\Windows\SysWOW64\Djmffb32.dll Labkdack.exe File opened for modification C:\Windows\SysWOW64\Limfed32.exe Logbhl32.exe File opened for modification C:\Windows\SysWOW64\Nhfipcid.exe Ncjqhmkm.exe File opened for modification C:\Windows\SysWOW64\Amkpegnj.exe Qbelgood.exe File created C:\Windows\SysWOW64\Ahikqd32.exe Adnopfoj.exe File created C:\Windows\SysWOW64\Haloha32.dll Bghjhp32.exe File created C:\Windows\SysWOW64\Mbnipnaf.dll Haiccald.exe File created C:\Windows\SysWOW64\Fmhbhf32.dll Hdnepk32.exe File opened for modification C:\Windows\SysWOW64\Ocimgp32.exe Olpdjf32.exe File opened for modification C:\Windows\SysWOW64\Edkcojga.exe Eqpgol32.exe File created C:\Windows\SysWOW64\Mlaeonld.exe Mmneda32.exe File created C:\Windows\SysWOW64\Obojhlbq.exe Ombapedi.exe File opened for modification C:\Windows\SysWOW64\Pefijfii.exe Pnlqnl32.exe File opened for modification C:\Windows\SysWOW64\Fikejl32.exe Fadminnn.exe File opened for modification C:\Windows\SysWOW64\Hapicp32.exe Hoamgd32.exe File opened for modification C:\Windows\SysWOW64\Ijbdha32.exe Igchlf32.exe File created C:\Windows\SysWOW64\Ejbgljdk.dll Aibajhdn.exe File opened for modification C:\Windows\SysWOW64\Hakphqja.exe Homclekn.exe File created C:\Windows\SysWOW64\Icfofg32.exe Ipgbjl32.exe File created C:\Windows\SysWOW64\Ogikcfnb.dll Lgmcqkkh.exe File opened for modification C:\Windows\SysWOW64\Lpphap32.exe Kjcpii32.exe File created C:\Windows\SysWOW64\Pflomnkb.exe Ppbfpd32.exe File opened for modification C:\Windows\SysWOW64\Hoamgd32.exe Hgjefg32.exe File created C:\Windows\SysWOW64\Meppiblm.exe Mmihhelk.exe File opened for modification C:\Windows\SysWOW64\Pnomcl32.exe Pkpagq32.exe File opened for modification C:\Windows\SysWOW64\Aamfnkai.exe Anojbobe.exe File created C:\Windows\SysWOW64\Biamilfj.exe Bpiipf32.exe File created C:\Windows\SysWOW64\Dfdjhndl.exe Dknekeef.exe File created C:\Windows\SysWOW64\Mmneda32.exe Legmbd32.exe File created C:\Windows\SysWOW64\Nnhkcj32.exe Ngnbgplj.exe File created C:\Windows\SysWOW64\Amhpnkch.exe Ajjcbpdd.exe File created C:\Windows\SysWOW64\Cgllco32.dll Ejmebq32.exe File opened for modification C:\Windows\SysWOW64\Iheddndj.exe Ijbdha32.exe File created C:\Windows\SysWOW64\Ipllekdl.exe Iheddndj.exe File opened for modification C:\Windows\SysWOW64\Ajhgmpfg.exe Ahikqd32.exe File created C:\Windows\SysWOW64\Ibddljof.dll Lcfqkl32.exe File created C:\Windows\SysWOW64\Ncmfqkdj.exe Ndjfeo32.exe File opened for modification C:\Windows\SysWOW64\Niikceid.exe Nenobfak.exe File created C:\Windows\SysWOW64\Ikpjgkjq.exe Iaeiieeb.exe File created C:\Windows\SysWOW64\Bifjqh32.dll Pimkpfeh.exe File opened for modification C:\Windows\SysWOW64\Bblogakg.exe Blbfjg32.exe File created C:\Windows\SysWOW64\Blgpef32.exe Bemgilhh.exe File created C:\Windows\SysWOW64\Obojmk32.dll Hdildlie.exe File created C:\Windows\SysWOW64\Hiknhbcg.exe Hgmalg32.exe File created C:\Windows\SysWOW64\Cehkbgdf.dll Gpejeihi.exe File created C:\Windows\SysWOW64\Lekjcmbe.dll Jofbag32.exe File created C:\Windows\SysWOW64\Lhajpc32.dll Mmihhelk.exe File opened for modification C:\Windows\SysWOW64\Moidahcn.exe Mgalqkbk.exe File opened for modification C:\Windows\SysWOW64\Nigome32.exe Ngibaj32.exe File created C:\Windows\SysWOW64\Affcmdmb.dll Eqijej32.exe File created C:\Windows\SysWOW64\Fbldmm32.dll Iheddndj.exe File created C:\Windows\SysWOW64\Kiijnq32.exe Jfknbe32.exe File created C:\Windows\SysWOW64\Mdcpdp32.exe Meppiblm.exe File created C:\Windows\SysWOW64\Bqnfen32.dll Gepehphc.exe File created C:\Windows\SysWOW64\Ipgbjl32.exe Illgimph.exe File created C:\Windows\SysWOW64\Ihjnom32.exe Idnaoohk.exe File created C:\Windows\SysWOW64\Apbfblll.dll Lgjfkk32.exe File created C:\Windows\SysWOW64\Eppddhlj.dll Nibebfpl.exe File created C:\Windows\SysWOW64\Mffimglk.exe Mooaljkh.exe File created C:\Windows\SysWOW64\Nibebfpl.exe Ngdifkpi.exe File opened for modification C:\Windows\SysWOW64\Ndjfeo32.exe Nmpnhdfc.exe File created C:\Windows\SysWOW64\Heglio32.exe Hakphqja.exe -
Program crash 1 IoCs
pid pid_target Process 2760 4100 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jghmfhmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lccdel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lghjel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lcagpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpmlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iooklook.dll" Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempblao.dll" Iimjmbae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Igchlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kincipnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Moidahcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alnqqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akbipbbd.dll" Jnpinc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kilfcpqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndjfeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghqnjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhjapjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Niebhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlqdei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knmhgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llcefjgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmihhelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kokbpahm.dll" Kpkofpgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdkpbk32.dll" Mmahdggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll" Hdhbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fenmdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgjfkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Moanaiie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Keoapb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nnhkcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pnomcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhpiojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpmbcmh.dll" Ljmlbfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nneloe32.dll" Ndbcpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gmgninie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iompkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhfipcid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gfmemc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipgbjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpbefoai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgheann.dll" Ipjoplgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nodgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ikfmfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Leljop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Labkdack.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pamiog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bbjbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijigk32.dll" Hhjapjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncfnmo32.dll" Blpjegfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaklqfem.dll" Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbgafalg.dll" Jnffgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpfdhnai.dll" Jgagfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Joaeeklp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnqkpajk.dll" Mencccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Naimccpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pflomnkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qmfgjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibebkc32.dll" Kgemplap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igdaoinc.dll" Adnopfoj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2180 wrote to memory of 2480 2180 00788a44bfb80a675ec1f1f073f7a980_NEIKI.exe 28 PID 2180 wrote to memory of 2480 2180 00788a44bfb80a675ec1f1f073f7a980_NEIKI.exe 28 PID 2180 wrote to memory of 2480 2180 00788a44bfb80a675ec1f1f073f7a980_NEIKI.exe 28 PID 2180 wrote to memory of 2480 2180 00788a44bfb80a675ec1f1f073f7a980_NEIKI.exe 28 PID 2480 wrote to memory of 2676 2480 Gkihhhnm.exe 29 PID 2480 wrote to memory of 2676 2480 Gkihhhnm.exe 29 PID 2480 wrote to memory of 2676 2480 Gkihhhnm.exe 29 PID 2480 wrote to memory of 2676 2480 Gkihhhnm.exe 29 PID 2676 wrote to memory of 2520 2676 Gaemjbcg.exe 30 PID 2676 wrote to memory of 2520 2676 Gaemjbcg.exe 30 PID 2676 wrote to memory of 2520 2676 Gaemjbcg.exe 30 PID 2676 wrote to memory of 2520 2676 Gaemjbcg.exe 30 PID 2520 wrote to memory of 2632 2520 Hcifgjgc.exe 31 PID 2520 wrote to memory of 2632 2520 Hcifgjgc.exe 31 PID 2520 wrote to memory of 2632 2520 Hcifgjgc.exe 31 PID 2520 wrote to memory of 2632 2520 Hcifgjgc.exe 31 PID 2632 wrote to memory of 2388 2632 Hdhbam32.exe 32 PID 2632 wrote to memory of 2388 2632 Hdhbam32.exe 32 PID 2632 wrote to memory of 2388 2632 Hdhbam32.exe 32 PID 2632 wrote to memory of 2388 2632 Hdhbam32.exe 32 PID 2388 wrote to memory of 2428 2388 Hellne32.exe 33 PID 2388 wrote to memory of 2428 2388 Hellne32.exe 33 PID 2388 wrote to memory of 2428 2388 Hellne32.exe 33 PID 2388 wrote to memory of 2428 2388 Hellne32.exe 33 PID 2428 wrote to memory of 2456 2428 Hacmcfge.exe 34 PID 2428 wrote to memory of 2456 2428 Hacmcfge.exe 34 PID 2428 wrote to memory of 2456 2428 Hacmcfge.exe 34 PID 2428 wrote to memory of 2456 2428 Hacmcfge.exe 34 PID 2456 wrote to memory of 2692 2456 Iaeiieeb.exe 35 PID 2456 wrote to memory of 2692 2456 Iaeiieeb.exe 35 PID 2456 wrote to memory of 2692 2456 Iaeiieeb.exe 35 PID 2456 wrote to memory of 2692 2456 Iaeiieeb.exe 35 PID 2692 wrote to memory of 2808 2692 Ikpjgkjq.exe 36 PID 2692 wrote to memory of 2808 2692 Ikpjgkjq.exe 36 PID 2692 wrote to memory of 2808 2692 Ikpjgkjq.exe 36 PID 2692 wrote to memory of 2808 2692 Ikpjgkjq.exe 36 PID 2808 wrote to memory of 764 2808 Iggkllpe.exe 37 PID 2808 wrote to memory of 764 2808 Iggkllpe.exe 37 PID 2808 wrote to memory of 764 2808 Iggkllpe.exe 37 PID 2808 wrote to memory of 764 2808 Iggkllpe.exe 37 PID 764 wrote to memory of 320 764 Inqcif32.exe 38 PID 764 wrote to memory of 320 764 Inqcif32.exe 38 PID 764 wrote to memory of 320 764 Inqcif32.exe 38 PID 764 wrote to memory of 320 764 Inqcif32.exe 38 PID 320 wrote to memory of 2316 320 Jofiln32.exe 39 PID 320 wrote to memory of 2316 320 Jofiln32.exe 39 PID 320 wrote to memory of 2316 320 Jofiln32.exe 39 PID 320 wrote to memory of 2316 320 Jofiln32.exe 39 PID 2316 wrote to memory of 2816 2316 Jbgbni32.exe 40 PID 2316 wrote to memory of 2816 2316 Jbgbni32.exe 40 PID 2316 wrote to memory of 2816 2316 Jbgbni32.exe 40 PID 2316 wrote to memory of 2816 2316 Jbgbni32.exe 40 PID 2816 wrote to memory of 1992 2816 Jkpgfn32.exe 41 PID 2816 wrote to memory of 1992 2816 Jkpgfn32.exe 41 PID 2816 wrote to memory of 1992 2816 Jkpgfn32.exe 41 PID 2816 wrote to memory of 1992 2816 Jkpgfn32.exe 41 PID 1992 wrote to memory of 2424 1992 Jgidao32.exe 42 PID 1992 wrote to memory of 2424 1992 Jgidao32.exe 42 PID 1992 wrote to memory of 2424 1992 Jgidao32.exe 42 PID 1992 wrote to memory of 2424 1992 Jgidao32.exe 42 PID 2424 wrote to memory of 2784 2424 Joplbl32.exe 43 PID 2424 wrote to memory of 2784 2424 Joplbl32.exe 43 PID 2424 wrote to memory of 2784 2424 Joplbl32.exe 43 PID 2424 wrote to memory of 2784 2424 Joplbl32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\00788a44bfb80a675ec1f1f073f7a980_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\00788a44bfb80a675ec1f1f073f7a980_NEIKI.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:240 -
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:932 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:792 -
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe34⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe36⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe38⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe39⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe40⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe41⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe42⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe43⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe44⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe45⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe46⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1432 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe50⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe51⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe56⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe57⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe58⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe59⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:632 -
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe61⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe62⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe64⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe65⤵
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1008 -
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1968 -
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe68⤵PID:1116
-
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2908 -
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe70⤵
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1936 -
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1712 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe73⤵PID:1284
-
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe75⤵PID:1256
-
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe76⤵
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe77⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe78⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Pfjbgnme.exeC:\Windows\system32\Pfjbgnme.exe79⤵PID:1600
-
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe80⤵PID:1556
-
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:688 -
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe82⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe83⤵
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe84⤵PID:2132
-
C:\Windows\SysWOW64\Qfokbnip.exeC:\Windows\system32\Qfokbnip.exe85⤵PID:2212
-
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe86⤵PID:1572
-
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe87⤵PID:1744
-
C:\Windows\SysWOW64\Qbelgood.exeC:\Windows\system32\Qbelgood.exe88⤵
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Amkpegnj.exeC:\Windows\system32\Amkpegnj.exe89⤵PID:2072
-
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe90⤵
- Modifies registry class
PID:352 -
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2532 -
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe92⤵
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Ahdaee32.exeC:\Windows\system32\Ahdaee32.exe93⤵PID:768
-
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe94⤵
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe95⤵PID:1884
-
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe96⤵PID:2276
-
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe97⤵PID:2840
-
C:\Windows\SysWOW64\Abmbhn32.exeC:\Windows\system32\Abmbhn32.exe98⤵PID:2624
-
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe99⤵PID:896
-
C:\Windows\SysWOW64\Adnopfoj.exeC:\Windows\system32\Adnopfoj.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Ahikqd32.exeC:\Windows\system32\Ahikqd32.exe101⤵
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe102⤵PID:1692
-
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe103⤵PID:2952
-
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe104⤵PID:2680
-
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe106⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Bpgljfbl.exeC:\Windows\system32\Bpgljfbl.exe107⤵PID:2860
-
C:\Windows\SysWOW64\Bfadgq32.exeC:\Windows\system32\Bfadgq32.exe108⤵PID:2440
-
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe109⤵
- Modifies registry class
PID:1400 -
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe110⤵PID:2336
-
C:\Windows\SysWOW64\Bpiipf32.exeC:\Windows\system32\Bpiipf32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:552 -
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe112⤵PID:112
-
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe114⤵PID:1436
-
C:\Windows\SysWOW64\Bbjbaa32.exeC:\Windows\system32\Bbjbaa32.exe115⤵
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe116⤵PID:2240
-
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe117⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1220 -
C:\Windows\SysWOW64\Bghjhp32.exeC:\Windows\system32\Bghjhp32.exe119⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Bhigphio.exeC:\Windows\system32\Bhigphio.exe120⤵PID:2312
-
C:\Windows\SysWOW64\Bppoqeja.exeC:\Windows\system32\Bppoqeja.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1144
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-