Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
08/05/2024, 13:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
be5a7a7c88db60f8979973d0c9caa3e0_NEIKI.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
be5a7a7c88db60f8979973d0c9caa3e0_NEIKI.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
be5a7a7c88db60f8979973d0c9caa3e0_NEIKI.exe
-
Size
80KB
-
MD5
be5a7a7c88db60f8979973d0c9caa3e0
-
SHA1
b9c29ca29e542f621aab8a50be9f82e719edefd8
-
SHA256
64adf0d4e7a20f2ccfadc323c960723b5632da91039f93da988693e5cc3e217e
-
SHA512
80634b8beb6fb4aa70d3637a025748d80467b3ebfbe56e5421bdfe2c5d74a5c32e4db06ac94159a8c25a42e191a1476e2a4e9fb262623d98c27a230189cdaf04
-
SSDEEP
1536:Pj4gqVAkytVmKRYSX/dHIRiV6N+zL20gJi1i9:Pj4/EtxF/d6iV6gzL20WKS
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nleiqhcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eflgccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqimgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jklanp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncmdhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkhpnnej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocajbekl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bommnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcmhiojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pelipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghkllmoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pelipl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnippoha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loooca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhnjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Comimg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdnehci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmkfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgdjnofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Madapkmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhnjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgdmmgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjcgco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pccfge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqjepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kphimanc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbflib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaeiieeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omloag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiaeoang.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkalk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqqdag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankdiqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcfcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bebkpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebinic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mohbip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcknbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhjkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dngoibmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcgeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohqbqhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goddhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdqafgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amndem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhahlj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgaqgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhlfmgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpemgbqf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfaajlfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pabjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Copfbfjj.exe -
Executes dropped EXE 64 IoCs
pid Process 2308 Iqimgc32.exe 2636 Ijaapifk.exe 2644 Impnldeo.exe 2580 Icjfhn32.exe 2488 Ijdnehci.exe 2724 Imbkadcl.exe 2576 Iclcnnji.exe 2004 Iiikfehq.exe 2900 Ikggbpgd.exe 1812 Ifmlpigj.exe 356 Jeplkf32.exe 1420 Joepio32.exe 1676 Jebiaelb.exe 1752 Jklanp32.exe 2064 Jnkmjk32.exe 540 Jedefejo.exe 608 Jgcabqic.exe 1380 Jnmjok32.exe 1744 Jegble32.exe 3000 Jgenhp32.exe 1616 Jpqclb32.exe 3060 Jclomamd.exe 1692 Jclomamd.exe 2212 Jiigehkl.exe 560 Kappfeln.exe 2392 Kcolba32.exe 2548 Kjhdokbo.exe 2660 Kmgpkfab.exe 2460 Kpemgbqf.exe 2568 Kfoedl32.exe 2712 Kebepion.exe 2196 Kmimafop.exe 2884 Kphimanc.exe 2748 Kfaajlfp.exe 332 Kpjfba32.exe 808 Kakbjibo.exe 1760 Kegnkh32.exe 304 Kjcgco32.exe 1612 Kbkodl32.exe 2272 Kanopipl.exe 2316 Keikqhhe.exe 2252 Lhggmchi.exe 2284 Llccmb32.exe 1492 Lkfciogm.exe 2312 Loapim32.exe 1340 Ldnhad32.exe 1920 Lfmdnp32.exe 864 Lkhpnnej.exe 2988 Lodlom32.exe 3040 Labhkh32.exe 1596 Lpeifeca.exe 1796 Ldqegd32.exe 2648 Lhlqhb32.exe 2684 Lgoacojo.exe 2592 Lkkmdn32.exe 2456 Ladeqhjd.exe 2532 Lpgele32.exe 2136 Ldcamcih.exe 2744 Lbfahp32.exe 2412 Lkmjin32.exe 2008 Lmkfei32.exe 2704 Llnfaffc.exe 2116 Lpjbad32.exe 2828 Lchnnp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2868 be5a7a7c88db60f8979973d0c9caa3e0_NEIKI.exe 2868 be5a7a7c88db60f8979973d0c9caa3e0_NEIKI.exe 2308 Iqimgc32.exe 2308 Iqimgc32.exe 2636 Ijaapifk.exe 2636 Ijaapifk.exe 2644 Impnldeo.exe 2644 Impnldeo.exe 2580 Icjfhn32.exe 2580 Icjfhn32.exe 2488 Ijdnehci.exe 2488 Ijdnehci.exe 2724 Imbkadcl.exe 2724 Imbkadcl.exe 2576 Iclcnnji.exe 2576 Iclcnnji.exe 2004 Iiikfehq.exe 2004 Iiikfehq.exe 2900 Ikggbpgd.exe 2900 Ikggbpgd.exe 1812 Ifmlpigj.exe 1812 Ifmlpigj.exe 356 Jeplkf32.exe 356 Jeplkf32.exe 1420 Joepio32.exe 1420 Joepio32.exe 1676 Jebiaelb.exe 1676 Jebiaelb.exe 1752 Jklanp32.exe 1752 Jklanp32.exe 2064 Jnkmjk32.exe 2064 Jnkmjk32.exe 540 Jedefejo.exe 540 Jedefejo.exe 608 Jgcabqic.exe 608 Jgcabqic.exe 1380 Jnmjok32.exe 1380 Jnmjok32.exe 1744 Jegble32.exe 1744 Jegble32.exe 3000 Jgenhp32.exe 3000 Jgenhp32.exe 1616 Jpqclb32.exe 1616 Jpqclb32.exe 3060 Jclomamd.exe 3060 Jclomamd.exe 1692 Jclomamd.exe 1692 Jclomamd.exe 2212 Jiigehkl.exe 2212 Jiigehkl.exe 560 Kappfeln.exe 560 Kappfeln.exe 2392 Kcolba32.exe 2392 Kcolba32.exe 2548 Kjhdokbo.exe 2548 Kjhdokbo.exe 2660 Kmgpkfab.exe 2660 Kmgpkfab.exe 2460 Kpemgbqf.exe 2460 Kpemgbqf.exe 2568 Kfoedl32.exe 2568 Kfoedl32.exe 2712 Kebepion.exe 2712 Kebepion.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dbehoa32.exe Dnilobkm.exe File opened for modification C:\Windows\SysWOW64\Lgdjnofi.exe Lchnnp32.exe File opened for modification C:\Windows\SysWOW64\Magnek32.exe Mohbip32.exe File created C:\Windows\SysWOW64\Aajpelhl.exe Amndem32.exe File created C:\Windows\SysWOW64\Bokphdld.exe Blmdlhmp.exe File created C:\Windows\SysWOW64\Qoflni32.dll Comimg32.exe File created C:\Windows\SysWOW64\Cpjiajeb.exe Chcqpmep.exe File created C:\Windows\SysWOW64\Ljpghahi.dll Dgmglh32.exe File created C:\Windows\SysWOW64\Fclomp32.dll Djefobmk.exe File created C:\Windows\SysWOW64\Enihmc32.dll Lchnnp32.exe File opened for modification C:\Windows\SysWOW64\Mpolmdkg.exe Mlcple32.exe File opened for modification C:\Windows\SysWOW64\Nlblkhei.exe Nnplpl32.exe File created C:\Windows\SysWOW64\Bommnc32.exe Bloqah32.exe File created C:\Windows\SysWOW64\Hpkjko32.exe Hmlnoc32.exe File opened for modification C:\Windows\SysWOW64\Kpemgbqf.exe Kmgpkfab.exe File opened for modification C:\Windows\SysWOW64\Qhmbagfa.exe Penfelgm.exe File created C:\Windows\SysWOW64\Kpeliikc.dll Abbbnchb.exe File created C:\Windows\SysWOW64\Bmeohn32.dll Bdooajdc.exe File opened for modification C:\Windows\SysWOW64\Ggpimica.exe Ghmiam32.exe File opened for modification C:\Windows\SysWOW64\Qnfjna32.exe Qlhnbf32.exe File opened for modification C:\Windows\SysWOW64\Cdakgibq.exe Cljcelan.exe File created C:\Windows\SysWOW64\Mbiiek32.dll Chhjkl32.exe File created C:\Windows\SysWOW64\Jclomamd.exe Jpqclb32.exe File opened for modification C:\Windows\SysWOW64\Keikqhhe.exe Kanopipl.exe File created C:\Windows\SysWOW64\Lfmdnp32.exe Ldnhad32.exe File created C:\Windows\SysWOW64\Omocdp32.dll Mgajhbkg.exe File opened for modification C:\Windows\SysWOW64\Nplkfgoe.exe Njbcim32.exe File created C:\Windows\SysWOW64\Mgfgdn32.exe Loooca32.exe File created C:\Windows\SysWOW64\Ljfekqdn.dll Mkjica32.exe File created C:\Windows\SysWOW64\Kkjjld32.dll Qhmbagfa.exe File opened for modification C:\Windows\SysWOW64\Dkhcmgnl.exe Dgmglh32.exe File created C:\Windows\SysWOW64\Gfefiemq.exe Gbijhg32.exe File created C:\Windows\SysWOW64\Mhlmgf32.exe Mdqafgnf.exe File created C:\Windows\SysWOW64\Ncancbha.exe Nqcagfim.exe File created C:\Windows\SysWOW64\Eakjok32.dll Nohnhc32.exe File created C:\Windows\SysWOW64\Kmgpkfab.exe Kjhdokbo.exe File opened for modification C:\Windows\SysWOW64\Mhlmgf32.exe Mdqafgnf.exe File created C:\Windows\SysWOW64\Aenbdoii.exe Afkbib32.exe File opened for modification C:\Windows\SysWOW64\Ffkcbgek.exe Fhhcgj32.exe File created C:\Windows\SysWOW64\Pffgja32.dll Hgdbhi32.exe File created C:\Windows\SysWOW64\Hhmepp32.exe Hjjddchg.exe File created C:\Windows\SysWOW64\Gghcajge.dll Mhlmgf32.exe File created C:\Windows\SysWOW64\Ndgggf32.exe Nplkfgoe.exe File opened for modification C:\Windows\SysWOW64\Dgfjbgmh.exe Dcknbh32.exe File opened for modification C:\Windows\SysWOW64\Ekklaj32.exe Emhlfmgj.exe File opened for modification C:\Windows\SysWOW64\Ebinic32.exe Ennaieib.exe File opened for modification C:\Windows\SysWOW64\Ijaapifk.exe Iqimgc32.exe File opened for modification C:\Windows\SysWOW64\Gbijhg32.exe Gpknlk32.exe File opened for modification C:\Windows\SysWOW64\Iiikfehq.exe Iclcnnji.exe File opened for modification C:\Windows\SysWOW64\Lplogdmj.exe Lmnbkinf.exe File opened for modification C:\Windows\SysWOW64\Oojknblb.exe Omloag32.exe File created C:\Windows\SysWOW64\Ealffeej.dll Pfiidobe.exe File created C:\Windows\SysWOW64\Amndem32.exe Ankdiqih.exe File opened for modification C:\Windows\SysWOW64\Oiellh32.exe Odjpkihg.exe File created C:\Windows\SysWOW64\Ebgacddo.exe Epieghdk.exe File created C:\Windows\SysWOW64\Jjcpjl32.dll Ghoegl32.exe File opened for modification C:\Windows\SysWOW64\Hpocfncj.exe Hlcgeo32.exe File created C:\Windows\SysWOW64\Qngmeo32.dll Mhqfbebj.exe File opened for modification C:\Windows\SysWOW64\Okalbc32.exe Oicpfh32.exe File opened for modification C:\Windows\SysWOW64\Onbddoog.exe Ojficpfn.exe File opened for modification C:\Windows\SysWOW64\Kmimafop.exe Kebepion.exe File created C:\Windows\SysWOW64\Doffod32.dll Oenifh32.exe File created C:\Windows\SysWOW64\Niifne32.dll Cndbcc32.exe File created C:\Windows\SysWOW64\Lplogdmj.exe Lmnbkinf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4912 4904 WerFault.exe 434 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhggmchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldqegd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nocemcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgpgce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll" Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll" Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfoedl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmnbkinf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjccnjpk.dll" Aajpelhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdnbg32.dll" Eijcpoac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcplhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lplogdmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aajpelhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddflckmp.dll" Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bioggp32.dll" Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anapbp32.dll" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klidkobf.dll" Dgaqgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kegnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iagjfjkn.dll" Lgdjnofi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqqdag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pabjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gicbeald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" Gldkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajdadamj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amejeljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bingpmnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikggbpgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oekngadg.dll" Jebiaelb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damgbk32.dll" Nleiqhcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nleiqhcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncancbha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbbkja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehifjpg.dll" Ifmlpigj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmgpkfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeced32.dll" Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ennaieib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piehkkcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkfjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll" Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcanmhim.dll" Jeplkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limigk32.dll" Kpemgbqf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkhmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oojknblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pminkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbkodl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqqdag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmchlpl.dll" Pjpkjond.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccfhhffh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpknlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpgele32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omgaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhjppim.dll" Cgpgce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egdilkbf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2868 wrote to memory of 2308 2868 be5a7a7c88db60f8979973d0c9caa3e0_NEIKI.exe 28 PID 2868 wrote to memory of 2308 2868 be5a7a7c88db60f8979973d0c9caa3e0_NEIKI.exe 28 PID 2868 wrote to memory of 2308 2868 be5a7a7c88db60f8979973d0c9caa3e0_NEIKI.exe 28 PID 2868 wrote to memory of 2308 2868 be5a7a7c88db60f8979973d0c9caa3e0_NEIKI.exe 28 PID 2308 wrote to memory of 2636 2308 Iqimgc32.exe 29 PID 2308 wrote to memory of 2636 2308 Iqimgc32.exe 29 PID 2308 wrote to memory of 2636 2308 Iqimgc32.exe 29 PID 2308 wrote to memory of 2636 2308 Iqimgc32.exe 29 PID 2636 wrote to memory of 2644 2636 Ijaapifk.exe 30 PID 2636 wrote to memory of 2644 2636 Ijaapifk.exe 30 PID 2636 wrote to memory of 2644 2636 Ijaapifk.exe 30 PID 2636 wrote to memory of 2644 2636 Ijaapifk.exe 30 PID 2644 wrote to memory of 2580 2644 Impnldeo.exe 31 PID 2644 wrote to memory of 2580 2644 Impnldeo.exe 31 PID 2644 wrote to memory of 2580 2644 Impnldeo.exe 31 PID 2644 wrote to memory of 2580 2644 Impnldeo.exe 31 PID 2580 wrote to memory of 2488 2580 Icjfhn32.exe 32 PID 2580 wrote to memory of 2488 2580 Icjfhn32.exe 32 PID 2580 wrote to memory of 2488 2580 Icjfhn32.exe 32 PID 2580 wrote to memory of 2488 2580 Icjfhn32.exe 32 PID 2488 wrote to memory of 2724 2488 Ijdnehci.exe 33 PID 2488 wrote to memory of 2724 2488 Ijdnehci.exe 33 PID 2488 wrote to memory of 2724 2488 Ijdnehci.exe 33 PID 2488 wrote to memory of 2724 2488 Ijdnehci.exe 33 PID 2724 wrote to memory of 2576 2724 Imbkadcl.exe 34 PID 2724 wrote to memory of 2576 2724 Imbkadcl.exe 34 PID 2724 wrote to memory of 2576 2724 Imbkadcl.exe 34 PID 2724 wrote to memory of 2576 2724 Imbkadcl.exe 34 PID 2576 wrote to memory of 2004 2576 Iclcnnji.exe 35 PID 2576 wrote to memory of 2004 2576 Iclcnnji.exe 35 PID 2576 wrote to memory of 2004 2576 Iclcnnji.exe 35 PID 2576 wrote to memory of 2004 2576 Iclcnnji.exe 35 PID 2004 wrote to memory of 2900 2004 Iiikfehq.exe 36 PID 2004 wrote to memory of 2900 2004 Iiikfehq.exe 36 PID 2004 wrote to memory of 2900 2004 Iiikfehq.exe 36 PID 2004 wrote to memory of 2900 2004 Iiikfehq.exe 36 PID 2900 wrote to memory of 1812 2900 Ikggbpgd.exe 37 PID 2900 wrote to memory of 1812 2900 Ikggbpgd.exe 37 PID 2900 wrote to memory of 1812 2900 Ikggbpgd.exe 37 PID 2900 wrote to memory of 1812 2900 Ikggbpgd.exe 37 PID 1812 wrote to memory of 356 1812 Ifmlpigj.exe 38 PID 1812 wrote to memory of 356 1812 Ifmlpigj.exe 38 PID 1812 wrote to memory of 356 1812 Ifmlpigj.exe 38 PID 1812 wrote to memory of 356 1812 Ifmlpigj.exe 38 PID 356 wrote to memory of 1420 356 Jeplkf32.exe 39 PID 356 wrote to memory of 1420 356 Jeplkf32.exe 39 PID 356 wrote to memory of 1420 356 Jeplkf32.exe 39 PID 356 wrote to memory of 1420 356 Jeplkf32.exe 39 PID 1420 wrote to memory of 1676 1420 Joepio32.exe 40 PID 1420 wrote to memory of 1676 1420 Joepio32.exe 40 PID 1420 wrote to memory of 1676 1420 Joepio32.exe 40 PID 1420 wrote to memory of 1676 1420 Joepio32.exe 40 PID 1676 wrote to memory of 1752 1676 Jebiaelb.exe 41 PID 1676 wrote to memory of 1752 1676 Jebiaelb.exe 41 PID 1676 wrote to memory of 1752 1676 Jebiaelb.exe 41 PID 1676 wrote to memory of 1752 1676 Jebiaelb.exe 41 PID 1752 wrote to memory of 2064 1752 Jklanp32.exe 42 PID 1752 wrote to memory of 2064 1752 Jklanp32.exe 42 PID 1752 wrote to memory of 2064 1752 Jklanp32.exe 42 PID 1752 wrote to memory of 2064 1752 Jklanp32.exe 42 PID 2064 wrote to memory of 540 2064 Jnkmjk32.exe 43 PID 2064 wrote to memory of 540 2064 Jnkmjk32.exe 43 PID 2064 wrote to memory of 540 2064 Jnkmjk32.exe 43 PID 2064 wrote to memory of 540 2064 Jnkmjk32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\be5a7a7c88db60f8979973d0c9caa3e0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\be5a7a7c88db60f8979973d0c9caa3e0_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Iqimgc32.exeC:\Windows\system32\Iqimgc32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Impnldeo.exeC:\Windows\system32\Impnldeo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Ijdnehci.exeC:\Windows\system32\Ijdnehci.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Iiikfehq.exeC:\Windows\system32\Iiikfehq.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Ikggbpgd.exeC:\Windows\system32\Ikggbpgd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Ifmlpigj.exeC:\Windows\system32\Ifmlpigj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:356 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Jedefejo.exeC:\Windows\system32\Jedefejo.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:540 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:608 -
C:\Windows\SysWOW64\Jnmjok32.exeC:\Windows\system32\Jnmjok32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1380 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:560 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe33⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe36⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe37⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe42⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe44⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe45⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe46⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe48⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe50⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe51⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe52⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe54⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe55⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe56⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe57⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe59⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe60⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe61⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe63⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe64⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1428 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe67⤵PID:1804
-
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe68⤵PID:652
-
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe69⤵
- Drops file in System32 directory
- Modifies registry class
PID:1124 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe70⤵
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe72⤵PID:1148
-
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe73⤵PID:2104
-
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe74⤵
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe75⤵PID:3032
-
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2572 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe77⤵PID:2468
-
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe78⤵PID:2484
-
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe79⤵PID:2784
-
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe80⤵
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe81⤵PID:2524
-
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe82⤵PID:1628
-
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1424 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe84⤵
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe85⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe86⤵PID:2068
-
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1536 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe88⤵PID:2952
-
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2220 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe90⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe92⤵PID:2180
-
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe93⤵PID:2476
-
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe94⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe95⤵PID:1316
-
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe96⤵PID:1156
-
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe97⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe98⤵
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe99⤵PID:1584
-
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe100⤵PID:2432
-
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe101⤵PID:324
-
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe102⤵
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe103⤵PID:1624
-
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe104⤵PID:904
-
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1284 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe106⤵PID:3052
-
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe107⤵PID:2920
-
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe110⤵
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe111⤵PID:1828
-
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe112⤵PID:804
-
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe113⤵PID:1636
-
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe114⤵PID:2244
-
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe115⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe116⤵
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe117⤵PID:2328
-
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe118⤵PID:1044
-
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe119⤵
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe120⤵PID:2604
-
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe121⤵PID:2876
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-