Analysis
max time kernel: 137s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/05/2024, 08:19
Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: 2696bb43686c3dc31e15a5256ad3b570_NEIKI.exe
Resource: win7-20240221-en
7 signatures
150 seconds

Behavioral task: behavioral2
Sample: 2696bb43686c3dc31e15a5256ad3b570_NEIKI.exe
Resource: win10v2004-20240226-en
6 signatures
150 seconds
General
Target: 2696bb43686c3dc31e15a5256ad3b570_NEIKI.exe
Size: 435KB
MD5: 2696bb43686c3dc31e15a5256ad3b570
SHA1: da8a207cace3dde911ab9566f190211bb46a1700
SHA256: 5eac3160d67446d7728cd7fc69b5164800a0344464243a2140c5512b4069a240
SHA512: 092ea96ba348abc02e202541f3e3bc65d5f1b83dfbffc4bc9be92daafcc1f90fe1cb5fd99f2af10c5a19ea6dbad46e554581c9f7c5412909bd702c29c18b18f6
SSDEEP: 6144:Wka6DXwbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/Y+mjwjOx5H:S60bWGRdA6sQhPbWGRdA6sQvjpxN
Score: 10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
ShellServiceObjectDelayLoad (SSODL) lists COM classes that explorer.exe instantiates when the shell starts, so a CLSID placed there is loaded at every logon. The dropped executables write a value named "Web Event Logger" whose data is the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}; the "Modifies registry class" signature further down shows the InProcServer32 of that same CLSID being pointed at freshly dropped DLLs in SysWOW64, which completes the persistence chain. All ioc paths in this table are relative to \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ (the sandbox renders the key-creation rows with "Software" and the set-value rows with "SOFTWARE"; registry paths are case-insensitive).
description | ioc | Process
Key created | ShellServiceObjectDelayLoad | Qhekaejj.exe
Key created | ShellServiceObjectDelayLoad | Agcdnjcl.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhejgl32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhifomdj.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhplpl32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kceoppmo.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qjffpe32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ecidpiad.exe
Key created | ShellServiceObjectDelayLoad | Biigildg.exe
Key created | ShellServiceObjectDelayLoad | Bnppkj32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Niglfl32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fhbbmc32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhnojl32.exe
Key created | ShellServiceObjectDelayLoad | Ejojljqa.exe
Key created | ShellServiceObjectDelayLoad | Nejgbn32.exe
Key created | ShellServiceObjectDelayLoad | Kciaqi32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mebkge32.exe
Key created | ShellServiceObjectDelayLoad | Nlcidopb.exe
Key created | ShellServiceObjectDelayLoad | Abemep32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qpmmfbfl.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obnnnc32.exe
Key created | ShellServiceObjectDelayLoad | Aecbge32.exe
Key created | ShellServiceObjectDelayLoad | Lglcag32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Akogio32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pnenchoc.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcpnhl32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhmhpfmi.exe
Key created | ShellServiceObjectDelayLoad | Pojjcp32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnfkgp32.exe
Key created | ShellServiceObjectDelayLoad | Onngci32.exe
Key created | ShellServiceObjectDelayLoad | Kjlmbnof.exe
Key created | ShellServiceObjectDelayLoad | Klpjad32.exe
Key created | ShellServiceObjectDelayLoad | Emeffcid.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knifging.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ppffec32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pahpee32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afockelf.exe
Key created | ShellServiceObjectDelayLoad | Kmmmnp32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kciaqi32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Odkcpi32.exe
Key created | ShellServiceObjectDelayLoad | Iocchhof.exe
Key created | ShellServiceObjectDelayLoad | Jhejgl32.exe
Key created | ShellServiceObjectDelayLoad | Lhcali32.exe
Key created | ShellServiceObjectDelayLoad | Pahpee32.exe
Key created | ShellServiceObjectDelayLoad | Eelpqi32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Inkjfk32.exe
Key created | ShellServiceObjectDelayLoad | Adbkmo32.exe
Key created | ShellServiceObjectDelayLoad | Khfkfedn.exe
Key created | ShellServiceObjectDelayLoad | Ndnnianm.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cibkohef.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmphaaln.exe
Key created | ShellServiceObjectDelayLoad | Fblpflfg.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fkgejncb.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpllbp32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qbmpjkqk.exe
Key created | ShellServiceObjectDelayLoad | Ehhpge32.exe
Key created | ShellServiceObjectDelayLoad | Hhnkppbf.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Klpjad32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Leabphmp.exe
Key created | ShellServiceObjectDelayLoad | Cnebmgjj.exe
Key created | ShellServiceObjectDelayLoad | Kjnihnmd.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Imknli32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngnppfgb.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Adkelplc.exe
Executes dropped EXE (64 IoCs)
pid | Process
4052 | Apmhiq32.exe
1256 | Bmeandma.exe
4220 | Bpfkpp32.exe
4536 | Bphgeo32.exe
2224 | Bgelgi32.exe
5108 | Chdialdl.exe
2452 | Ibjqaf32.exe
3564 | Jhifomdj.exe
3984 | Jlgoek32.exe
2512 | Jhnojl32.exe
1676 | Jhplpl32.exe
4244 | Kefiopki.exe
3696 | Kidben32.exe
4360 | Kocgbend.exe
4444 | Kofdhd32.exe
3804 | Lcclncbh.exe
636 | Lpgmhg32.exe
4136 | Lhcali32.exe
4692 | Lckboblp.exe
1844 | Llcghg32.exe
3152 | Mpclce32.exe
936 | Mjlalkmd.exe
660 | Mfbaalbi.exe
4688 | Mokfja32.exe
4432 | Mqjbddpl.exe
4032 | Nhegig32.exe
4800 | Njedbjej.exe
5060 | Nbbeml32.exe
2348 | Nmhijd32.exe
2944 | Nmjfodne.exe
4524 | Ommceclc.exe
3324 | Oqmhqapg.exe
1568 | Obnehj32.exe
2476 | Oflmnh32.exe
2284 | Pcpnhl32.exe
2904 | Padnaq32.exe
4440 | Piocecgj.exe
720 | Pbhgoh32.exe
3044 | Piapkbeg.exe
1880 | Pbjddh32.exe
2084 | Pmphaaln.exe
4744 | Pjcikejg.exe
3176 | Qppaclio.exe
4312 | Qjffpe32.exe
4904 | Qjhbfd32.exe
4860 | Afockelf.exe
1668 | Apggckbf.exe
4148 | Ajmladbl.exe
2400 | Ampaho32.exe
3180 | Bmbnnn32.exe
2796 | Bfkbfd32.exe
2152 | Bmdkcnie.exe
1944 | Bjhkmbho.exe
3016 | Bfolacnc.exe
1564 | Bdcmkgmm.exe
1004 | Bpjmph32.exe
2684 | Cibain32.exe
3616 | Cdhffg32.exe
3548 | Cmpjoloh.exe
404 | Cgiohbfi.exe
4112 | Cpacqg32.exe
2544 | Ckggnp32.exe
4120 | Cpcpfg32.exe
1084 | Cildom32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Eoladdeo.exe | Eedmlo32.exe
File opened for modification | C:\Windows\SysWOW64\Kmbfiokn.exe | Kciaqi32.exe
File created | C:\Windows\SysWOW64\Odpldj32.dll | Ohqpjo32.exe
File created | C:\Windows\SysWOW64\Hnjaonij.exe | Hgpibdam.exe
File created | C:\Windows\SysWOW64\Hmedbiid.dll | Imfdaigj.exe
File created | C:\Windows\SysWOW64\Nejgbn32.exe | Namnmp32.exe
File opened for modification | C:\Windows\SysWOW64\Dbjade32.exe | Dlnlak32.exe
File created | C:\Windows\SysWOW64\Iocchhof.exe | Iapbodql.exe
File created | C:\Windows\SysWOW64\Ncbegn32.dll | Lckboblp.exe
File opened for modification | C:\Windows\SysWOW64\Ommceclc.exe | Nmjfodne.exe
File created | C:\Windows\SysWOW64\Gjhfif32.exe | Gdknpp32.exe
File opened for modification | C:\Windows\SysWOW64\Okqbac32.exe | Oediim32.exe
File created | C:\Windows\SysWOW64\Popdldep.dll | Qbmpjkqk.exe
File opened for modification | C:\Windows\SysWOW64\Hnjaonij.exe | Hgpibdam.exe
File created | C:\Windows\SysWOW64\Ciefek32.exe | Cjdfgc32.exe
File opened for modification | C:\Windows\SysWOW64\Hcabhido.exe | Hiinoc32.exe
File created | C:\Windows\SysWOW64\Cdhffg32.exe | Cibain32.exe
File created | C:\Windows\SysWOW64\Lolcnman.exe | Lhbkac32.exe
File opened for modification | C:\Windows\SysWOW64\Hiinoc32.exe | Hkgnalep.exe
File opened for modification | C:\Windows\SysWOW64\Hhnkppbf.exe | Hcabhido.exe
File opened for modification | C:\Windows\SysWOW64\Hgapmj32.exe | Hjmodffo.exe
File created | C:\Windows\SysWOW64\Efhodebp.dll | Lamlphoo.exe
File created | C:\Windows\SysWOW64\Kdbamc32.dll | Ecanojgl.exe
File created | C:\Windows\SysWOW64\Bkfmjnii.exe | Bfieagka.exe
File created | C:\Windows\SysWOW64\Cdomieml.dll | Cnebmgjj.exe
File opened for modification | C:\Windows\SysWOW64\Cildom32.exe | Cpcpfg32.exe
File created | C:\Windows\SysWOW64\Najlgpeb.dll | Leabphmp.exe
File created | C:\Windows\SysWOW64\Pdnpeh32.exe | Odkcpi32.exe
File opened for modification | C:\Windows\SysWOW64\Mmiealgc.exe | Mabdlk32.exe
File created | C:\Windows\SysWOW64\Cmefomdo.dll | Qpmmfbfl.exe
File created | C:\Windows\SysWOW64\Ajmladbl.exe | Apggckbf.exe
File opened for modification | C:\Windows\SysWOW64\Iloajfml.exe | Iecmhlhb.exe
File created | C:\Windows\SysWOW64\Dpefaq32.exe | Cdnelpod.exe
File created | C:\Windows\SysWOW64\Ppffec32.exe | Pjlnhi32.exe
File created | C:\Windows\SysWOW64\Fhdocc32.exe | Fbggkl32.exe
File created | C:\Windows\SysWOW64\Agcdnjcl.exe | Anjpeelk.exe
File opened for modification | C:\Windows\SysWOW64\Kkabefqp.exe | Kbinlp32.exe
File created | C:\Windows\SysWOW64\Bfolacnc.exe | Bjhkmbho.exe
File created | C:\Windows\SysWOW64\Hnokjm32.exe | Hdffah32.exe
File created | C:\Windows\SysWOW64\Ikpnha32.dll | Kallod32.exe
File opened for modification | C:\Windows\SysWOW64\Dpdogj32.exe | Cnebmgjj.exe
File opened for modification | C:\Windows\SysWOW64\Ajjjjghg.exe | Adnbapjp.exe
File created | C:\Windows\SysWOW64\Pjlnhi32.exe | Phkaqqoi.exe
File opened for modification | C:\Windows\SysWOW64\Ehmibdol.exe | Ebpqjmpd.exe
File created | C:\Windows\SysWOW64\Kcphpdil.exe | Jhjcbljf.exe
File created | C:\Windows\SysWOW64\Lpgmhg32.exe | Lcclncbh.exe
File created | C:\Windows\SysWOW64\Jnakbdid.dll | Ddcebe32.exe
File created | C:\Windows\SysWOW64\Kaaldjil.exe | Khihld32.exe
File created | C:\Windows\SysWOW64\Edcfpa32.dll | Ginenk32.exe
File opened for modification | C:\Windows\SysWOW64\Njmejp32.exe | Mmiealgc.exe
File created | C:\Windows\SysWOW64\Gkeakl32.exe | Gehice32.exe
File opened for modification | C:\Windows\SysWOW64\Hkgnalep.exe | Gaoihfoo.exe
File opened for modification | C:\Windows\SysWOW64\Jcknee32.exe | Jhejgl32.exe
File created | C:\Windows\SysWOW64\Gpmmbfem.dll | Iecmhlhb.exe
File created | C:\Windows\SysWOW64\Oofial32.dll | Lhbkac32.exe
File opened for modification | C:\Windows\SysWOW64\Bnppkj32.exe | Aeglbeea.exe
File created | C:\Windows\SysWOW64\Pgpobmca.exe | Ppffec32.exe
File created | C:\Windows\SysWOW64\Bhcbdkfh.dll | Eimelg32.exe
File created | C:\Windows\SysWOW64\Lpphjbnh.dll | Bfolacnc.exe
File created | C:\Windows\SysWOW64\Bpbpecen.exe | Bldgoeog.exe
File created | C:\Windows\SysWOW64\Efbqkjgq.dll | Ebcdjc32.exe
File created | C:\Windows\SysWOW64\Fidbgm32.exe | Fhefmjlp.exe
File created | C:\Windows\SysWOW64\Ehmibdol.exe | Ebpqjmpd.exe
File created | C:\Windows\SysWOW64\Kbeibo32.exe | Jlkafdco.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4100 | 5208 | WerFault.exe | 557
Modifies registry class (64 IoCs)
Except for the one row that shows a full path, the ioc paths below are relative to \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\. "InProcServer32\(default)" is the key's unnamed default value, which COM reads as the path of the in-process server DLL to load for this CLSID; because the CLSID is the one registered under ShellServiceObjectDelayLoad above, each rewrite of this value changes which dropped DLL explorer.exe will load at the next logon. The DLL paths are reproduced with the doubled backslashes the sandbox prints.
description | ioc | Process
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Hmcipf32.dll" | Fbaahf32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Dpenjqca.dll" | Jcnbekok.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Cpflhb32.dll" | Oediim32.exe
Key created | InProcServer32 | Bijncb32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Lipmoo32.exe
Key created | InProcServer32 | Mjfoja32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Hakidd32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Fhcbhh32.dll" | Qjffpe32.exe
Key created | InProcServer32 | Leabphmp.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Eiebmbnn.dll" | Ndnnianm.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Imdnon32.dll" | Dllffa32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Aqdbfa32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Lbgcpb32.dll" | Fkgejncb.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Geflne32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node (full path) | 2696bb43686c3dc31e15a5256ad3b570_NEIKI.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Kafkmp32.dll" | Jhifomdj.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Hjmodffo.exe
Key created | InProcServer32 | Hhobjf32.exe
Key created | InProcServer32 | Adkelplc.exe
Key created | InProcServer32 | Iocchhof.exe
Key created | InProcServer32 | Dlkplk32.exe
Key created | InProcServer32 | Lpgmhg32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Khihld32.exe
Key created | InProcServer32 | Qbngeadf.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Hodcma32.dll" | Dpefaq32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Efpcfibk.dll" | Digmqe32.exe
Key created | InProcServer32 | Jmdqbg32.exe
Key created | InProcServer32 | Cblebgfh.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Edcfpa32.dll" | Ginenk32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Hhaope32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Njedbjej.exe
Key created | InProcServer32 | Hgapmj32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Kallod32.exe
Key created | InProcServer32 | Khihld32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Ophoih32.dll" | Pfbfjk32.exe
Key created | InProcServer32 | Libido32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Cjdfgc32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Iapbodql.exe
Key created | InProcServer32 | Liofdigo.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Amnioced.dll" | Mmiealgc.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Bgelgi32.exe
Key created | InProcServer32 | Kopcbo32.exe
Key created | InProcServer32 | Lhdggb32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Dddmqp32.dll" | Moiheebb.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Oacdmo32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Dpdogj32.exe
Key created | InProcServer32 | Midfjnge.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Mjhcjldl.dll" | Pahpee32.exe
Key created | InProcServer32 | Djbbhafj.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Qagfppeh.dll" | Logicn32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Njmejp32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Eifhac32.dll" | Npadcfnl.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Kiamigil.dll" | Bqbohocd.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Lckboblp.exe
Key created | InProcServer32 | Cdnelpod.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Pelkha32.dll" | Kjdqhjpf.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Ggkgbgid.dll" | Nejgbn32.exe
Key created | InProcServer32 | Kmmmnp32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Aceomp32.dll" | Kciaqi32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Ajjjjghg.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Mekdffee.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Cefked32.dll" | Phbolflm.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Keebjojo.dll" | Efjgpc32.exe
Key created | InProcServer32 | Fofdkcmd.exe
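The two registry signatures above ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") only make sense together: the SSODL value names a CLSID, and the CLSID's InProcServer32 names the DLL. The following script is an added example, not part of the sandbox report or of the sample; it parses rows in the exact text form the report prints, joins the two halves into name -> CLSID -> DLL chains, and applies a few analyst heuristics. The input is a constructed excerpt of this report's rows plus one made-up "Example"/setup.exe row as a negative case; the regexes and the heuristics are this example's own assumptions, not the sandbox's rules.

```python
import re
from collections import OrderedDict

# Constructed sample input: registry rows copied from this report's
# "Adds autorun key" and "Modifies registry class" tables, plus one made-up
# row ("Example" / setup.exe) that gives the heuristics a negative case.
SAMPLE_LINES = [
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhekaejj.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhejgl32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhifomdj.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bijncb32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll" Fbaahf32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lipmoo32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kafkmp32.dll" Jhifomdj.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Example = "{00000000-0000-0000-0000-000000000000}" setup.exe',
]

GUID = r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}"
# "Set value (str) <SSODL key>\<name> = "{CLSID}" <process>"; WOW6432Node is optional
# so 32-bit and 64-bit views both match.  Registry paths are case-insensitive.
SSODL_SET_RE = re.compile(
    r"^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\"
    r'(?P<name>.+?) = "(?P<clsid>' + GUID + r')" (?P<proc>\S+)$',
    re.IGNORECASE,
)
# "Set value (str) ...\CLSID\{CLSID}\InProcServer32\<value> = "<data>" <process>";
# an empty <value> is the key's default value, i.e. the DLL path COM will load.
INPROC_SET_RE = re.compile(
    r"^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?:WOW6432Node\\)?CLSID\\"
    r"(?P<clsid>" + GUID + r")\\InProcServer32\\(?P<value>\S*) = "
    r'"(?P<data>[^"]*)" (?P<proc>\S+)$',
    re.IGNORECASE,
)


def _unescape(path):
    """The report prints registry string data with doubled backslashes."""
    return path.replace("\\\\", "\\")


def parse_registry_iocs(lines):
    """Group the report's registry rows by persistence key.

    Returns (ssodl, inproc, skipped):
      ssodl:  SSODL value name -> {"clsid": str, "writers": [process, ...]}
      inproc: CLSID -> {"servers": [(dll_path, process), ...], "threading": [process, ...]}
      skipped: rows matching neither pattern (e.g. the "Key created" rows)
    """
    ssodl, inproc, skipped = OrderedDict(), OrderedDict(), 0
    for line in lines:
        m = SSODL_SET_RE.match(line)
        if m:
            entry = ssodl.setdefault(m["name"], {"clsid": m["clsid"].upper(), "writers": []})
            entry["writers"].append(m["proc"])
            continue
        m = INPROC_SET_RE.match(line)
        if m:
            entry = inproc.setdefault(m["clsid"].upper(), {"servers": [], "threading": []})
            if m["value"] == "":  # unnamed default value = DLL to load
                entry["servers"].append((_unescape(m["data"]), m["proc"]))
            elif m["value"].lower() == "threadingmodel":
                entry["threading"].append(m["proc"])
            continue
        skipped += 1
    return ssodl, inproc, skipped


def resolve_ssodl_chains(lines):
    """For every SSODL entry, follow value name -> CLSID -> InProcServer32 DLL(s)."""
    ssodl, inproc, _ = parse_registry_iocs(lines)
    chains = []
    for name, entry in ssodl.items():
        servers = inproc.get(entry["clsid"], {}).get("servers", [])
        chains.append({
            "ssodl_name": name,
            "clsid": entry["clsid"],
            "ssodl_writers": sorted(set(entry["writers"])),
            "dlls": [dll for dll, _ in servers],  # in report order
            "dll_writers": sorted({proc for _, proc in servers}),
        })
    return chains


def suspicion_reasons(chain):
    """Heuristics (this example's own) that separate this report from a normal install."""
    reasons = []
    if len(chain["ssodl_writers"]) > 1:
        reasons.append("SSODL value set by %d different processes" % len(chain["ssodl_writers"]))
    if len(chain["dll_writers"]) > 1:
        reasons.append("InProcServer32 rewritten by %d different processes" % len(chain["dll_writers"]))
    if len(set(chain["dlls"])) > 1:
        reasons.append("CLSID pointed at %d different DLLs" % len(set(chain["dlls"])))
    if set(chain["ssodl_writers"]) & set(chain["dll_writers"]):
        reasons.append("same process registered both the SSODL entry and the COM server")
    return reasons


if __name__ == "__main__":
    for chain in resolve_ssodl_chains(SAMPLE_LINES):
        print(chain["ssodl_name"], "->", chain["clsid"], "->", chain["dlls"])
        for reason in suspicion_reasons(chain):
            print("   !", reason)
```

Fed the full 128 rows from the two tables, the same code lists every DLL the CLSID was pointed at and which dropped executable did it, which is the list of files to pull from the sandbox for static analysis. On a live host the same join can be done against HKLM\SOFTWARE\WOW6432Node\...\ShellServiceObjectDelayLoad and HKCR\WOW6432Node\CLSID, with the extra check that each InProcServer32 DLL actually exists and carries a valid signature.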
Suspicious use of WriteProcessMemory (64 IoCs)
Every parent/child pair below appears three times in the report with identical columns, except the last, which appears once; the "rows" column gives that count (21 x 3 + 1 = 64). procid_target is the sandbox's own sequential process number for the child.
description | pid | Process | procid_target | rows
PID 5112 wrote to memory of 4052 | 5112 | 2696bb43686c3dc31e15a5256ad3b570_NEIKI.exe | 91 | 3
PID 4052 wrote to memory of 1256 | 4052 | Apmhiq32.exe | 92 | 3
PID 1256 wrote to memory of 4220 | 1256 | Bmeandma.exe | 93 | 3
PID 4220 wrote to memory of 4536 | 4220 | Bpfkpp32.exe | 94 | 3
PID 4536 wrote to memory of 2224 | 4536 | Bphgeo32.exe | 95 | 3
PID 2224 wrote to memory of 5108 | 2224 | Bgelgi32.exe | 96 | 3
PID 5108 wrote to memory of 2452 | 5108 | Chdialdl.exe | 97 | 3
PID 2452 wrote to memory of 3564 | 2452 | Ibjqaf32.exe | 98 | 3
PID 3564 wrote to memory of 3984 | 3564 | Jhifomdj.exe | 99 | 3
PID 3984 wrote to memory of 2512 | 3984 | Jlgoek32.exe | 100 | 3
PID 2512 wrote to memory of 1676 | 2512 | Jhnojl32.exe | 101 | 3
PID 1676 wrote to memory of 4244 | 1676 | Jhplpl32.exe | 102 | 3
PID 4244 wrote to memory of 3696 | 4244 | Kefiopki.exe | 103 | 3
PID 3696 wrote to memory of 4360 | 3696 | Kidben32.exe | 104 | 3
PID 4360 wrote to memory of 4444 | 4360 | Kocgbend.exe | 105 | 3
PID 4444 wrote to memory of 3804 | 4444 | Kofdhd32.exe | 106 | 3
PID 3804 wrote to memory of 636 | 3804 | Lcclncbh.exe | 107 | 3
PID 636 wrote to memory of 4136 | 636 | Lpgmhg32.exe | 108 | 3
PID 4136 wrote to memory of 4692 | 4136 | Lhcali32.exe | 109 | 3
PID 4692 wrote to memory of 1844 | 4692 | Lckboblp.exe | 110 | 3
PID 1844 wrote to memory of 3152 | 1844 | Llcghg32.exe | 111 | 3
PID 3152 wrote to memory of 936 | 3152 | Mpclce32.exe | 112 | 1
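The WriteProcessMemory rows above encode the whole process lineage: every writer PID in one row is the target PID of the row before it. The script below is an added example (not part of the sandbox report) that rebuilds that lineage from rows in the report's own text form, collapses the repeated rows, and checks that the result is a single unbranched chain, which is what the "Processes" tree further down shows. The input is a constructed excerpt of the first seven pairs of this table; the row regex and the chain check are this example's assumptions.

```python
import re

# Constructed sample: the first seven parent/child pairs of this report's
# "Suspicious use of WriteProcessMemory" table, each repeated three times
# exactly as the report lists them.
SAMPLE_ROWS = """
PID 5112 wrote to memory of 4052 5112 2696bb43686c3dc31e15a5256ad3b570_NEIKI.exe 91
PID 5112 wrote to memory of 4052 5112 2696bb43686c3dc31e15a5256ad3b570_NEIKI.exe 91
PID 5112 wrote to memory of 4052 5112 2696bb43686c3dc31e15a5256ad3b570_NEIKI.exe 91
PID 4052 wrote to memory of 1256 4052 Apmhiq32.exe 92
PID 4052 wrote to memory of 1256 4052 Apmhiq32.exe 92
PID 4052 wrote to memory of 1256 4052 Apmhiq32.exe 92
PID 1256 wrote to memory of 4220 1256 Bmeandma.exe 93
PID 1256 wrote to memory of 4220 1256 Bmeandma.exe 93
PID 1256 wrote to memory of 4220 1256 Bmeandma.exe 93
PID 4220 wrote to memory of 4536 4220 Bpfkpp32.exe 94
PID 4220 wrote to memory of 4536 4220 Bpfkpp32.exe 94
PID 4220 wrote to memory of 4536 4220 Bpfkpp32.exe 94
PID 4536 wrote to memory of 2224 4536 Bphgeo32.exe 95
PID 4536 wrote to memory of 2224 4536 Bphgeo32.exe 95
PID 4536 wrote to memory of 2224 4536 Bphgeo32.exe 95
PID 2224 wrote to memory of 5108 2224 Bgelgi32.exe 96
PID 2224 wrote to memory of 5108 2224 Bgelgi32.exe 96
PID 2224 wrote to memory of 5108 2224 Bgelgi32.exe 96
PID 5108 wrote to memory of 2452 5108 Chdialdl.exe 97
PID 5108 wrote to memory of 2452 5108 Chdialdl.exe 97
PID 5108 wrote to memory of 2452 5108 Chdialdl.exe 97
"""

# Columns: description ("PID <a> wrote to memory of <b>"), pid (<a> again, enforced
# with a backreference), Process (name of <a>), procid_target (sandbox index of <b>).
# finditer() makes this work both on one row per line and on the flattened table.
WPM_RE = re.compile(
    r"PID (?P<pid>\d+) wrote to memory of (?P<target>\d+) (?P=pid) (?P<proc>\S+) (?P<procid_target>\d+)"
)


def parse_wpm_edges(text):
    """Unique (writer_pid, target_pid, writer_name, target_procid) edges in report order."""
    edges, seen = [], set()
    for m in WPM_RE.finditer(text):
        edge = (int(m["pid"]), int(m["target"]), m["proc"], int(m["procid_target"]))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_lineage(edges):
    """Depth-first walk from each root. A process's name is only known from this
    table once it has written to a child of its own, so leaves get name None."""
    name_of, children = {}, {}
    for pid, target, proc, _ in edges:
        name_of[pid] = proc
        children.setdefault(pid, []).append(target)
    targets = {t for _, t, _, _ in edges}
    roots = [p for p in children if p not in targets]
    lineage = []

    def walk(pid, depth, parent):
        lineage.append({"pid": pid, "name": name_of.get(pid), "depth": depth, "parent": parent})
        for child in children.get(pid, []):
            walk(child, depth + 1, pid)

    for root in roots:
        walk(root, 1, None)
    return lineage


def is_single_chain(lineage):
    """True when there is exactly one root and every process spawned at most one child:
    the depth-first order then runs 1, 2, 3, ... with no repeats or drops."""
    return [n["depth"] for n in lineage] == list(range(1, len(lineage) + 1))


if __name__ == "__main__":
    lineage = build_lineage(parse_wpm_edges(SAMPLE_ROWS))
    for node in lineage:
        print("depth %2d  pid %5d  %s" % (node["depth"], node["pid"], node["name"] or "?"))
    print("single chain:", is_single_chain(lineage))
```

Run on the complete table the chain reaches depth 22 (PID 936, Mjlalkmd.exe, whose name is known from the "Executes dropped EXE" table rather than from this one). A chain that is this long and this regular, where every dropped executable does nothing but start the next one, is itself a useful detection feature independent of the file names.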
Processes
Each dropped executable is started by the one before it, so the tree is a single chain; the portion of the report reproduced here reaches depth 21. The image paths are under C:\Windows\SysWOW64 while the command lines name C:\Windows\system32 because these are 32-bit processes on an x64 guest and WOW64 file system redirection maps system32 to SysWOW64 for them.

depth 1: C:\Users\Admin\AppData\Local\Temp\2696bb43686c3dc31e15a5256ad3b570_NEIKI.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2696bb43686c3dc31e15a5256ad3b570_NEIKI.exe"
  PID: 5112
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

depth 2: C:\Windows\SysWOW64\Apmhiq32.exe
  command line: C:\Windows\system32\Apmhiq32.exe
  PID: 4052
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

depth 3: C:\Windows\SysWOW64\Bmeandma.exe
  command line: C:\Windows\system32\Bmeandma.exe
  PID: 1256
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

depth 4: C:\Windows\SysWOW64\Bpfkpp32.exe
  command line: C:\Windows\system32\Bpfkpp32.exe
  PID: 4220
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

depth 5: C:\Windows\SysWOW64\Bphgeo32.exe
  command line: C:\Windows\system32\Bphgeo32.exe
  PID: 4536
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

depth 6: C:\Windows\SysWOW64\Bgelgi32.exe
  command line: C:\Windows\system32\Bgelgi32.exe
  PID: 2224
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

depth 7: C:\Windows\SysWOW64\Chdialdl.exe
  command line: C:\Windows\system32\Chdialdl.exe
  PID: 5108
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

depth 8: C:\Windows\SysWOW64\Ibjqaf32.exe
  command line: C:\Windows\system32\Ibjqaf32.exe
  PID: 2452
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

depth 9: C:\Windows\SysWOW64\Jhifomdj.exe
  command line: C:\Windows\system32\Jhifomdj.exe
  PID: 3564
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

depth 10: C:\Windows\SysWOW64\Jlgoek32.exe
  command line: C:\Windows\system32\Jlgoek32.exe
  PID: 3984
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

depth 11: C:\Windows\SysWOW64\Jhnojl32.exe
  command line: C:\Windows\system32\Jhnojl32.exe
  PID: 2512
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

depth 12: C:\Windows\SysWOW64\Jhplpl32.exe
  command line: C:\Windows\system32\Jhplpl32.exe
  PID: 1676
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

depth 13: C:\Windows\SysWOW64\Kefiopki.exe
  command line: C:\Windows\system32\Kefiopki.exe
  PID: 4244
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

depth 14: C:\Windows\SysWOW64\Kidben32.exe
  command line: C:\Windows\system32\Kidben32.exe
  PID: 3696
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

depth 15: C:\Windows\SysWOW64\Kocgbend.exe
  command line: C:\Windows\system32\Kocgbend.exe
  PID: 4360
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

depth 16: C:\Windows\SysWOW64\Kofdhd32.exe
  command line: C:\Windows\system32\Kofdhd32.exe
  PID: 4444
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

depth 17: C:\Windows\SysWOW64\Lcclncbh.exe
  command line: C:\Windows\system32\Lcclncbh.exe
  PID: 3804
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

depth 18: C:\Windows\SysWOW64\Lpgmhg32.exe
  command line: C:\Windows\system32\Lpgmhg32.exe
  PID: 636
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

depth 19: C:\Windows\SysWOW64\Lhcali32.exe
  command line: C:\Windows\system32\Lhcali32.exe
  PID: 4136
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

depth 20: C:\Windows\SysWOW64\Lckboblp.exe
  command line: C:\Windows\system32\Lckboblp.exe
  PID: 4692
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

depth 21: C:\Windows\SysWOW64\Llcghg32.exe
  command line: C:\Windows\system32\Llcghg32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Mpclce32.exeC:\Windows\system32\Mpclce32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Mjlalkmd.exeC:\Windows\system32\Mjlalkmd.exe23⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Mfbaalbi.exeC:\Windows\system32\Mfbaalbi.exe24⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Mokfja32.exeC:\Windows\system32\Mokfja32.exe25⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Mqjbddpl.exeC:\Windows\system32\Mqjbddpl.exe26⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Nhegig32.exeC:\Windows\system32\Nhegig32.exe27⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Njedbjej.exeC:\Windows\system32\Njedbjej.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:4800 -
C:\Windows\SysWOW64\Nbbeml32.exeC:\Windows\system32\Nbbeml32.exe29⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Nmhijd32.exeC:\Windows\system32\Nmhijd32.exe30⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Nmjfodne.exeC:\Windows\system32\Nmjfodne.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Ommceclc.exeC:\Windows\system32\Ommceclc.exe32⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Oqmhqapg.exeC:\Windows\system32\Oqmhqapg.exe33⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Obnehj32.exeC:\Windows\system32\Obnehj32.exe34⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Oflmnh32.exeC:\Windows\system32\Oflmnh32.exe35⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Pcpnhl32.exeC:\Windows\system32\Pcpnhl32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Padnaq32.exeC:\Windows\system32\Padnaq32.exe37⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Piocecgj.exeC:\Windows\system32\Piocecgj.exe38⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Pbhgoh32.exeC:\Windows\system32\Pbhgoh32.exe39⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Piapkbeg.exeC:\Windows\system32\Piapkbeg.exe40⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Pbjddh32.exeC:\Windows\system32\Pbjddh32.exe41⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Pmphaaln.exeC:\Windows\system32\Pmphaaln.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Pjcikejg.exeC:\Windows\system32\Pjcikejg.exe43⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Qppaclio.exeC:\Windows\system32\Qppaclio.exe44⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Qjffpe32.exeC:\Windows\system32\Qjffpe32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4312 -
C:\Windows\SysWOW64\Qjhbfd32.exeC:\Windows\system32\Qjhbfd32.exe46⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Afockelf.exeC:\Windows\system32\Afockelf.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Apggckbf.exeC:\Windows\system32\Apggckbf.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Ajmladbl.exeC:\Windows\system32\Ajmladbl.exe49⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Ampaho32.exeC:\Windows\system32\Ampaho32.exe50⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Bmbnnn32.exeC:\Windows\system32\Bmbnnn32.exe51⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Bfkbfd32.exeC:\Windows\system32\Bfkbfd32.exe52⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Bmdkcnie.exeC:\Windows\system32\Bmdkcnie.exe53⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Bjhkmbho.exeC:\Windows\system32\Bjhkmbho.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Bfolacnc.exeC:\Windows\system32\Bfolacnc.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Bdcmkgmm.exeC:\Windows\system32\Bdcmkgmm.exe56⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Bpjmph32.exeC:\Windows\system32\Bpjmph32.exe57⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Cibain32.exeC:\Windows\system32\Cibain32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Cdhffg32.exeC:\Windows\system32\Cdhffg32.exe59⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Cmpjoloh.exeC:\Windows\system32\Cmpjoloh.exe60⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Cgiohbfi.exeC:\Windows\system32\Cgiohbfi.exe61⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Cpacqg32.exeC:\Windows\system32\Cpacqg32.exe62⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Ckggnp32.exeC:\Windows\system32\Ckggnp32.exe63⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Cpcpfg32.exeC:\Windows\system32\Cpcpfg32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4120 -
C:\Windows\SysWOW64\Cildom32.exeC:\Windows\system32\Cildom32.exe65⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Ccdihbgg.exeC:\Windows\system32\Ccdihbgg.exe66⤵
PID:4316 -
C:\Windows\SysWOW64\Ddcebe32.exeC:\Windows\system32\Ddcebe32.exe67⤵
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Dpjfgf32.exeC:\Windows\system32\Dpjfgf32.exe68⤵
PID:1892 -
C:\Windows\SysWOW64\Dkpjdo32.exeC:\Windows\system32\Dkpjdo32.exe69⤵
PID:5076 -
C:\Windows\SysWOW64\Dajbaika.exeC:\Windows\system32\Dajbaika.exe70⤵
PID:3940 -
C:\Windows\SysWOW64\Dnqcfjae.exeC:\Windows\system32\Dnqcfjae.exe71⤵
PID:4056 -
C:\Windows\SysWOW64\Dkedonpo.exeC:\Windows\system32\Dkedonpo.exe72⤵
PID:4016 -
C:\Windows\SysWOW64\Daollh32.exeC:\Windows\system32\Daollh32.exe73⤵
PID:4668 -
C:\Windows\SysWOW64\Ejjaqk32.exeC:\Windows\system32\Ejjaqk32.exe74⤵
PID:5072 -
C:\Windows\SysWOW64\Epffbd32.exeC:\Windows\system32\Epffbd32.exe75⤵
PID:1504 -
C:\Windows\SysWOW64\Ejojljqa.exeC:\Windows\system32\Ejojljqa.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1828 -
C:\Windows\SysWOW64\Ecgodpgb.exeC:\Windows\system32\Ecgodpgb.exe77⤵
PID:4468 -
C:\Windows\SysWOW64\Eqkondfl.exeC:\Windows\system32\Eqkondfl.exe78⤵
PID:4648 -
C:\Windows\SysWOW64\Ekqckmfb.exeC:\Windows\system32\Ekqckmfb.exe79⤵
PID:4100 -
C:\Windows\SysWOW64\Fboecfii.exeC:\Windows\system32\Fboecfii.exe80⤵
PID:4984 -
C:\Windows\SysWOW64\Fkgillpj.exeC:\Windows\system32\Fkgillpj.exe81⤵
PID:2076 -
C:\Windows\SysWOW64\Fbaahf32.exeC:\Windows\system32\Fbaahf32.exe82⤵
- Modifies registry class
PID:5168 -
C:\Windows\SysWOW64\Fdbkja32.exeC:\Windows\system32\Fdbkja32.exe83⤵
PID:5212 -
C:\Windows\SysWOW64\Fjocbhbo.exeC:\Windows\system32\Fjocbhbo.exe84⤵
PID:5252 -
C:\Windows\SysWOW64\Gkoplk32.exeC:\Windows\system32\Gkoplk32.exe85⤵
PID:5292 -
C:\Windows\SysWOW64\Gcjdam32.exeC:\Windows\system32\Gcjdam32.exe86⤵
PID:5332 -
C:\Windows\SysWOW64\Gclafmej.exeC:\Windows\system32\Gclafmej.exe87⤵
PID:5372 -
C:\Windows\SysWOW64\Gdknpp32.exeC:\Windows\system32\Gdknpp32.exe88⤵
- Drops file in System32 directory
PID:5416 -
C:\Windows\SysWOW64\Gjhfif32.exeC:\Windows\system32\Gjhfif32.exe89⤵
PID:5460 -
C:\Windows\SysWOW64\Gcqjal32.exeC:\Windows\system32\Gcqjal32.exe90⤵
PID:5504 -
C:\Windows\SysWOW64\Hqdkkp32.exeC:\Windows\system32\Hqdkkp32.exe91⤵
PID:5552 -
C:\Windows\SysWOW64\Hjmodffo.exeC:\Windows\system32\Hjmodffo.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:5600 -
C:\Windows\SysWOW64\Hgapmj32.exeC:\Windows\system32\Hgapmj32.exe93⤵
- Modifies registry class
PID:5644 -
C:\Windows\SysWOW64\Hbiapb32.exeC:\Windows\system32\Hbiapb32.exe94⤵
PID:5732 -
C:\Windows\SysWOW64\Hannao32.exeC:\Windows\system32\Hannao32.exe95⤵
PID:5784 -
C:\Windows\SysWOW64\Iapjgo32.exeC:\Windows\system32\Iapjgo32.exe96⤵
PID:5840 -
C:\Windows\SysWOW64\Iencmm32.exeC:\Windows\system32\Iencmm32.exe97⤵
PID:5884 -
C:\Windows\SysWOW64\Ieqpbm32.exeC:\Windows\system32\Ieqpbm32.exe98⤵
PID:5928 -
C:\Windows\SysWOW64\Iecmhlhb.exeC:\Windows\system32\Iecmhlhb.exe99⤵
- Drops file in System32 directory
PID:5972 -
C:\Windows\SysWOW64\Iloajfml.exeC:\Windows\system32\Iloajfml.exe100⤵
PID:6024 -
C:\Windows\SysWOW64\Jjdokb32.exeC:\Windows\system32\Jjdokb32.exe101⤵
PID:6080 -
C:\Windows\SysWOW64\Jejbhk32.exeC:\Windows\system32\Jejbhk32.exe102⤵
PID:6136 -
C:\Windows\SysWOW64\Jbncbpqd.exeC:\Windows\system32\Jbncbpqd.exe103⤵
PID:4516 -
C:\Windows\SysWOW64\Jnedgq32.exeC:\Windows\system32\Jnedgq32.exe104⤵
PID:5164 -
C:\Windows\SysWOW64\Jhmhpfmi.exeC:\Windows\system32\Jhmhpfmi.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5324 -
C:\Windows\SysWOW64\Jaemilci.exeC:\Windows\system32\Jaemilci.exe106⤵
PID:5384 -
C:\Windows\SysWOW64\Jlkafdco.exeC:\Windows\system32\Jlkafdco.exe107⤵
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\Kbeibo32.exeC:\Windows\system32\Kbeibo32.exe108⤵
PID:5560 -
C:\Windows\SysWOW64\Klmnkdal.exeC:\Windows\system32\Klmnkdal.exe109⤵
PID:5660 -
C:\Windows\SysWOW64\Kefbdjgm.exeC:\Windows\system32\Kefbdjgm.exe110⤵
PID:5824 -
C:\Windows\SysWOW64\Klpjad32.exeC:\Windows\system32\Klpjad32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5900 -
C:\Windows\SysWOW64\Kbjbnnfg.exeC:\Windows\system32\Kbjbnnfg.exe112⤵
PID:6016 -
C:\Windows\SysWOW64\Khfkfedn.exeC:\Windows\system32\Khfkfedn.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6132 -
C:\Windows\SysWOW64\Kopcbo32.exeC:\Windows\system32\Kopcbo32.exe114⤵
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Khihld32.exeC:\Windows\system32\Khihld32.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:5288 -
C:\Windows\SysWOW64\Kaaldjil.exeC:\Windows\system32\Kaaldjil.exe116⤵
PID:5408 -
C:\Windows\SysWOW64\Klgqabib.exeC:\Windows\system32\Klgqabib.exe117⤵
PID:5588 -
C:\Windows\SysWOW64\Ldbefe32.exeC:\Windows\system32\Ldbefe32.exe118⤵
PID:5792 -
C:\Windows\SysWOW64\Logicn32.exeC:\Windows\system32\Logicn32.exe119⤵
- Modifies registry class
PID:5948 -
C:\Windows\SysWOW64\Leabphmp.exeC:\Windows\system32\Leabphmp.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6096 -
C:\Windows\SysWOW64\Lknjhokg.exeC:\Windows\system32\Lknjhokg.exe121⤵
PID:5232 -
C:\Windows\SysWOW64\Lhbkac32.exeC:\Windows\system32\Lhbkac32.exe122⤵
- Drops file in System32 directory
PID:5568