Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
08-05-2024 08:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
22550716e3c79b79763a5b9d74da2be0_NEIKI.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
22550716e3c79b79763a5b9d74da2be0_NEIKI.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
22550716e3c79b79763a5b9d74da2be0_NEIKI.exe
-
Size
208KB
-
MD5
22550716e3c79b79763a5b9d74da2be0
-
SHA1
8cdc91bac120cbf1c6ebabcee8b8adc8b449d91c
-
SHA256
7ab309204f377201a8a6fd5183dc2ff3bbba23b4990240267ec103c394bbb0ed
-
SHA512
46977b05612d6adf0486b21bcc4ebd0cf15a917efb470f2056e28bd98fde1dee3afaa3a5dbd5278ff51e35610942bea877ab1a18fe4d0b5a5ce4b2ef03c7a1ff
-
SSDEEP
3072:rG9b56LWUTmr6+oXO56hKpi9poF5aY6+oocpGHHQnNJuIb:rYbIK92+Eu6QnFw5+0pU8b
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llqcfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jebiaelb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jedefejo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mochnppo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpocfncj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkaqmeah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldcamcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apajlhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eijcpoac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebinic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpkjko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldenbcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Migpeiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okfencna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoffmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hiqbndpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfjdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofbfdmeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebbgid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkkemh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfiidobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndbcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkmmhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckjalhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmekoalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhkpmjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koocdnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkhpnnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qbbfopeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccfhhffh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emcbkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibapoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jiigehkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bloqah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekholjqg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjddchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lipjejgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjpkjond.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcaomf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcnpbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkdmcdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjbmjplb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjilieka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjejphb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmgmjjdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgoacojo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epieghdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpdhklkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joepio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngfcca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbhek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhfagipa.exe -
Executes dropped EXE 64 IoCs
pid Process 3068 Iiikfehq.exe 2640 Ibapoj32.exe 2836 Jgnhga32.exe 2572 Joepio32.exe 2468 Jnhqdkde.exe 1884 Jagmpg32.exe 2764 Jebiaelb.exe 2800 Jinead32.exe 1620 Jgqemakf.exe 2016 Jjoailji.exe 2504 Jbfijjkl.exe 2896 Jedefejo.exe 1940 Jgcabqic.exe 1728 Jnmjok32.exe 1628 Jakfkfpc.exe 1124 Jegble32.exe 2964 Jfhocmnk.exe 776 Jpqclb32.exe 2116 Jclomamd.exe 1988 Jjfgjk32.exe 1476 Jiigehkl.exe 1560 Kappfeln.exe 764 Kcolba32.exe 1960 Kbalnnam.exe 1740 Kfmhol32.exe 2724 Kikdkh32.exe 2444 Kpemgbqf.exe 2460 Kfoedl32.exe 2792 Kinaqg32.exe 2668 Kmimafop.exe 1500 Knjiin32.exe 1480 Kfaajlfp.exe 624 Kedaeh32.exe 1696 Khcnad32.exe 1460 Klnjbbdh.exe 324 Kakbjibo.exe 2776 Khekgc32.exe 1812 Klqfhbbe.exe 1708 Koocdnai.exe 3012 Kbkodl32.exe 672 Kdlkld32.exe 1280 Lhggmchi.exe 2292 Loapim32.exe 1364 Laplei32.exe 2028 Ldnhad32.exe 2408 Lhjdbcef.exe 2664 Lkhpnnej.exe 2168 Lmgmjjdn.exe 3000 Lpeifeca.exe 2528 Lhlqhb32.exe 1688 Lgoacojo.exe 2096 Lkkmdn32.exe 1624 Lmiipi32.exe 2440 Lpgele32.exe 1080 Ldcamcih.exe 1996 Lganiohl.exe 1036 Lkmjin32.exe 1612 Lipjejgp.exe 2856 Lmkfei32.exe 904 Lpjbad32.exe 2904 Ldenbcge.exe 2232 Lgdjnofi.exe 2816 Lefkjkmc.exe 2712 Llqcfe32.exe -
Loads dropped DLL 64 IoCs
pid Process 3032 22550716e3c79b79763a5b9d74da2be0_NEIKI.exe 3032 22550716e3c79b79763a5b9d74da2be0_NEIKI.exe 3068 Iiikfehq.exe 3068 Iiikfehq.exe 2640 Ibapoj32.exe 2640 Ibapoj32.exe 2836 Jgnhga32.exe 2836 Jgnhga32.exe 2572 Joepio32.exe 2572 Joepio32.exe 2468 Jnhqdkde.exe 2468 Jnhqdkde.exe 1884 Jagmpg32.exe 1884 Jagmpg32.exe 2764 Jebiaelb.exe 2764 Jebiaelb.exe 2800 Jinead32.exe 2800 Jinead32.exe 1620 Jgqemakf.exe 1620 Jgqemakf.exe 2016 Jjoailji.exe 2016 Jjoailji.exe 2504 Jbfijjkl.exe 2504 Jbfijjkl.exe 2896 Jedefejo.exe 2896 Jedefejo.exe 1940 Jgcabqic.exe 1940 Jgcabqic.exe 1728 Jnmjok32.exe 1728 Jnmjok32.exe 1628 Jakfkfpc.exe 1628 Jakfkfpc.exe 1124 Jegble32.exe 1124 Jegble32.exe 2964 Jfhocmnk.exe 2964 Jfhocmnk.exe 776 Jpqclb32.exe 776 Jpqclb32.exe 2116 Jclomamd.exe 2116 Jclomamd.exe 1988 Jjfgjk32.exe 1988 Jjfgjk32.exe 1476 Jiigehkl.exe 1476 Jiigehkl.exe 1560 Kappfeln.exe 1560 Kappfeln.exe 764 Kcolba32.exe 764 Kcolba32.exe 1960 Kbalnnam.exe 1960 Kbalnnam.exe 1740 Kfmhol32.exe 1740 Kfmhol32.exe 2724 Kikdkh32.exe 2724 Kikdkh32.exe 2444 Kpemgbqf.exe 2444 Kpemgbqf.exe 2460 Kfoedl32.exe 2460 Kfoedl32.exe 2792 Kinaqg32.exe 2792 Kinaqg32.exe 2668 Kmimafop.exe 2668 Kmimafop.exe 1500 Knjiin32.exe 1500 Knjiin32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ihomanac.dll Begeknan.exe File opened for modification C:\Windows\SysWOW64\Eqpofkjo.dll Iknnbklc.exe File opened for modification C:\Windows\SysWOW64\Llqcfe32.exe Lefkjkmc.exe File created C:\Windows\SysWOW64\Ncoamb32.exe Nocemcbj.exe File created C:\Windows\SysWOW64\Plcdgfbo.exe Pmqdkj32.exe File opened for modification C:\Windows\SysWOW64\Plfamfpm.exe Phjelg32.exe File created C:\Windows\SysWOW64\Aiedjneg.exe Ajbdna32.exe File created C:\Windows\SysWOW64\Cnbpqb32.dll Baildokg.exe File created C:\Windows\SysWOW64\Gjenmobn.dll Inljnfkg.exe File opened for modification C:\Windows\SysWOW64\Lipjejgp.exe Lkmjin32.exe File created C:\Windows\SysWOW64\Gfhpoo32.dll Nocemcbj.exe File created C:\Windows\SysWOW64\Qmlgonbe.exe Qnigda32.exe File created C:\Windows\SysWOW64\Kpikfj32.dll Afdlhchf.exe File created C:\Windows\SysWOW64\Nobdlg32.dll Ddeaalpg.exe File opened for modification C:\Windows\SysWOW64\Fmhheqje.exe Fjilieka.exe File created C:\Windows\SysWOW64\Chhpdp32.dll Gkgkbipp.exe File created C:\Windows\SysWOW64\Kbalnnam.exe Kcolba32.exe File opened for modification C:\Windows\SysWOW64\Qhmbagfa.exe Penfelgm.exe File created C:\Windows\SysWOW64\Pmddhkao.dll Bebkpn32.exe File created C:\Windows\SysWOW64\Ooahdmkl.dll Bnefdp32.exe File opened for modification C:\Windows\SysWOW64\Cjbmjplb.exe Cbkeib32.exe File created C:\Windows\SysWOW64\Naeqjnho.dll Dnlidb32.exe File created C:\Windows\SysWOW64\Jjoailji.exe Jgqemakf.exe File created C:\Windows\SysWOW64\Bmhljm32.dll Adeplhib.exe File created C:\Windows\SysWOW64\Fabnbook.dll Ambmpmln.exe File created C:\Windows\SysWOW64\Cobbhfhg.exe Ckffgg32.exe File created C:\Windows\SysWOW64\Dmafennb.exe Dnneja32.exe File opened for modification C:\Windows\SysWOW64\Faagpp32.exe Fmekoalh.exe File created C:\Windows\SysWOW64\Ffbicfoc.exe Fbgmbg32.exe File created C:\Windows\SysWOW64\Fpmkde32.dll Gldkfl32.exe File opened for modification C:\Windows\SysWOW64\Jebiaelb.exe Jagmpg32.exe File created C:\Windows\SysWOW64\Hkfeblka.dll Mlcple32.exe File opened for modification C:\Windows\SysWOW64\Mcmhiojk.exe Mpolmdkg.exe File created C:\Windows\SysWOW64\Ambmpmln.exe Aigaon32.exe File created C:\Windows\SysWOW64\Fclomp32.dll Djefobmk.exe File created C:\Windows\SysWOW64\Fehjeo32.exe Ealnephf.exe File opened for modification C:\Windows\SysWOW64\Gacpdbej.exe Gmgdddmq.exe File created C:\Windows\SysWOW64\Hjjddchg.exe Henidd32.exe File opened for modification C:\Windows\SysWOW64\Pjpkjond.exe Pfdpip32.exe File opened for modification C:\Windows\SysWOW64\Peiljl32.exe Pfflopdh.exe File created C:\Windows\SysWOW64\Cdjgej32.dll Pmqdkj32.exe File created C:\Windows\SysWOW64\Bhfbdd32.dll Afiecb32.exe File opened for modification C:\Windows\SysWOW64\Djnpnc32.exe Dgodbh32.exe File created C:\Windows\SysWOW64\Gegfdb32.exe Gfefiemq.exe File opened for modification C:\Windows\SysWOW64\Bkdmcdoe.exe Bghabf32.exe File opened for modification C:\Windows\SysWOW64\Hdhbam32.exe Hpmgqnfl.exe File created C:\Windows\SysWOW64\Nghphaeo.exe Ncmdhb32.exe File opened for modification C:\Windows\SysWOW64\Oomhcbjp.exe Ogfpbeim.exe File opened for modification C:\Windows\SysWOW64\Pccfge32.exe Pphjgfqq.exe File created C:\Windows\SysWOW64\Pipopl32.exe Pjmodopf.exe File created C:\Windows\SysWOW64\Bagpopmj.exe Bbdocc32.exe File opened for modification C:\Windows\SysWOW64\Bkodhe32.exe Blmdlhmp.exe File opened for modification C:\Windows\SysWOW64\Hellne32.exe Hgilchkf.exe File created C:\Windows\SysWOW64\Nofabc32.exe Nqcagfim.exe File opened for modification C:\Windows\SysWOW64\Nbfjdn32.exe Nkmbgdfl.exe File created C:\Windows\SysWOW64\Ggcpkdle.dll 22550716e3c79b79763a5b9d74da2be0_NEIKI.exe File created C:\Windows\SysWOW64\Pfliqila.dll Mkhmma32.exe File created C:\Windows\SysWOW64\Mkjica32.exe Mlgigdoh.exe File created C:\Windows\SysWOW64\Jagbha32.dll Nnnojlpa.exe File created C:\Windows\SysWOW64\Nplhpb32.dll Ncoamb32.exe File created C:\Windows\SysWOW64\Nqcagfim.exe Nhlifi32.exe File created C:\Windows\SysWOW64\Gfoihbdp.dll Globlmmj.exe File created C:\Windows\SysWOW64\Elpbcapg.dll Gmgdddmq.exe File created C:\Windows\SysWOW64\Fcmbeioh.dll Pmnhfjmg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6024 3160 WerFault.exe 539 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oelmai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdmeemc.dll" Plcdgfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajenen32.dll" Plahag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laplei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncmdhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njgldmdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pndniaop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhhnli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnefdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Magnek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aigaon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbjle32.dll" Nmjblg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amejeljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpfcgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfgfm32.dll" Kdlkld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nocemcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqcagfim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afiecb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpkjko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpeifeca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ampqjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnpmlfkm.dll" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbfijjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nofabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoflni32.dll" Cciemedf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhebk32.dll" Pigeqkai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihfic32.dll" Kmimafop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apajlhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egamfkdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdlkld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpkceld.dll" Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlhaqogk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkhmma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll" Hkpnhgge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnpmipql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbqda.dll" Dnneja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmkfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okfencna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahakmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll" Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahgkbeb.dll" Ldcamcih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpemgbqf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekholjqg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3032 wrote to memory of 3068 3032 22550716e3c79b79763a5b9d74da2be0_NEIKI.exe 28 PID 3032 wrote to memory of 3068 3032 22550716e3c79b79763a5b9d74da2be0_NEIKI.exe 28 PID 3032 wrote to memory of 3068 3032 22550716e3c79b79763a5b9d74da2be0_NEIKI.exe 28 PID 3032 wrote to memory of 3068 3032 22550716e3c79b79763a5b9d74da2be0_NEIKI.exe 28 PID 3068 wrote to memory of 2640 3068 Iiikfehq.exe 29 PID 3068 wrote to memory of 2640 3068 Iiikfehq.exe 29 PID 3068 wrote to memory of 2640 3068 Iiikfehq.exe 29 PID 3068 wrote to memory of 2640 3068 Iiikfehq.exe 29 PID 2640 wrote to memory of 2836 2640 Ibapoj32.exe 30 PID 2640 wrote to memory of 2836 2640 Ibapoj32.exe 30 PID 2640 wrote to memory of 2836 2640 Ibapoj32.exe 30 PID 2640 wrote to memory of 2836 2640 Ibapoj32.exe 30 PID 2836 wrote to memory of 2572 2836 Jgnhga32.exe 31 PID 2836 wrote to memory of 2572 2836 Jgnhga32.exe 31 PID 2836 wrote to memory of 2572 2836 Jgnhga32.exe 31 PID 2836 wrote to memory of 2572 2836 Jgnhga32.exe 31 PID 2572 wrote to memory of 2468 2572 Joepio32.exe 32 PID 2572 wrote to memory of 2468 2572 Joepio32.exe 32 PID 2572 wrote to memory of 2468 2572 Joepio32.exe 32 PID 2572 wrote to memory of 2468 2572 Joepio32.exe 32 PID 2468 wrote to memory of 1884 2468 Jnhqdkde.exe 33 PID 2468 wrote to memory of 1884 2468 Jnhqdkde.exe 33 PID 2468 wrote to memory of 1884 2468 Jnhqdkde.exe 33 PID 2468 wrote to memory of 1884 2468 Jnhqdkde.exe 33 PID 1884 wrote to memory of 2764 1884 Jagmpg32.exe 34 PID 1884 wrote to memory of 2764 1884 Jagmpg32.exe 34 PID 1884 wrote to memory of 2764 1884 Jagmpg32.exe 34 PID 1884 wrote to memory of 2764 1884 Jagmpg32.exe 34 PID 2764 wrote to memory of 2800 2764 Jebiaelb.exe 35 PID 2764 wrote to memory of 2800 2764 Jebiaelb.exe 35 PID 2764 wrote to memory of 2800 2764 Jebiaelb.exe 35 PID 2764 wrote to memory of 2800 2764 Jebiaelb.exe 35 PID 2800 wrote to memory of 1620 2800 Jinead32.exe 36 PID 2800 wrote to memory of 1620 2800 Jinead32.exe 36 PID 2800 wrote to memory of 1620 2800 Jinead32.exe 36 PID 2800 wrote to memory of 1620 2800 Jinead32.exe 36 PID 1620 wrote to memory of 2016 1620 Jgqemakf.exe 37 PID 1620 wrote to memory of 2016 1620 Jgqemakf.exe 37 PID 1620 wrote to memory of 2016 1620 Jgqemakf.exe 37 PID 1620 wrote to memory of 2016 1620 Jgqemakf.exe 37 PID 2016 wrote to memory of 2504 2016 Jjoailji.exe 38 PID 2016 wrote to memory of 2504 2016 Jjoailji.exe 38 PID 2016 wrote to memory of 2504 2016 Jjoailji.exe 38 PID 2016 wrote to memory of 2504 2016 Jjoailji.exe 38 PID 2504 wrote to memory of 2896 2504 Jbfijjkl.exe 39 PID 2504 wrote to memory of 2896 2504 Jbfijjkl.exe 39 PID 2504 wrote to memory of 2896 2504 Jbfijjkl.exe 39 PID 2504 wrote to memory of 2896 2504 Jbfijjkl.exe 39 PID 2896 wrote to memory of 1940 2896 Jedefejo.exe 40 PID 2896 wrote to memory of 1940 2896 Jedefejo.exe 40 PID 2896 wrote to memory of 1940 2896 Jedefejo.exe 40 PID 2896 wrote to memory of 1940 2896 Jedefejo.exe 40 PID 1940 wrote to memory of 1728 1940 Jgcabqic.exe 41 PID 1940 wrote to memory of 1728 1940 Jgcabqic.exe 41 PID 1940 wrote to memory of 1728 1940 Jgcabqic.exe 41 PID 1940 wrote to memory of 1728 1940 Jgcabqic.exe 41 PID 1728 wrote to memory of 1628 1728 Jnmjok32.exe 42 PID 1728 wrote to memory of 1628 1728 Jnmjok32.exe 42 PID 1728 wrote to memory of 1628 1728 Jnmjok32.exe 42 PID 1728 wrote to memory of 1628 1728 Jnmjok32.exe 42 PID 1628 wrote to memory of 1124 1628 Jakfkfpc.exe 43 PID 1628 wrote to memory of 1124 1628 Jakfkfpc.exe 43 PID 1628 wrote to memory of 1124 1628 Jakfkfpc.exe 43 PID 1628 wrote to memory of 1124 1628 Jakfkfpc.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\22550716e3c79b79763a5b9d74da2be0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\22550716e3c79b79763a5b9d74da2be0_NEIKI.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Iiikfehq.exeC:\Windows\system32\Iiikfehq.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Jedefejo.exeC:\Windows\system32\Jedefejo.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Jnmjok32.exeC:\Windows\system32\Jnmjok32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe33⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe34⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe35⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe36⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe37⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe38⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe39⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe41⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe43⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe44⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe46⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe47⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe51⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe53⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe54⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe55⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1080 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe57⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe61⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe63⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe66⤵PID:1300
-
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe67⤵PID:2308
-
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe68⤵PID:108
-
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe69⤵PID:1116
-
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe70⤵PID:1216
-
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe71⤵
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe72⤵
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe73⤵PID:2784
-
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe74⤵PID:1196
-
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe75⤵PID:2992
-
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe77⤵PID:344
-
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe80⤵PID:2696
-
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe81⤵PID:1768
-
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe82⤵
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe83⤵PID:336
-
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe84⤵PID:2684
-
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe85⤵PID:1948
-
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe86⤵PID:2420
-
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe87⤵PID:832
-
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe88⤵PID:1436
-
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe89⤵PID:1256
-
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe90⤵PID:2716
-
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe91⤵
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe92⤵PID:1568
-
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe93⤵PID:1920
-
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe94⤵PID:2012
-
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe95⤵PID:1736
-
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe96⤵
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe97⤵PID:1056
-
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe98⤵PID:1956
-
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe99⤵PID:2192
-
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2592 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe101⤵PID:2424
-
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe102⤵PID:1764
-
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe103⤵PID:2660
-
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe104⤵PID:944
-
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe106⤵PID:2180
-
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe107⤵
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:772 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe110⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe111⤵PID:2704
-
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe112⤵PID:1244
-
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe113⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe115⤵
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe116⤵PID:1964
-
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe117⤵PID:1724
-
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe118⤵PID:1048
-
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe119⤵
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe120⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2396
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-