Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
08/05/2024, 14:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d8e8fba63ba108397dbeea791e59b860_NEIKI.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
d8e8fba63ba108397dbeea791e59b860_NEIKI.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
d8e8fba63ba108397dbeea791e59b860_NEIKI.exe
-
Size
488KB
-
MD5
d8e8fba63ba108397dbeea791e59b860
-
SHA1
464ec3721962cef833b7c06066d3239581c88436
-
SHA256
e8a7d652cb5481d5174de88e6c35c93d51c76106628bcfbcb272dd7ecc4434b4
-
SHA512
000b80b54fbdb85c2c5f35a4a6a470ce5f19e9735ab6cb4a0a24a8813e7abca8bbd541ac181aab08d0f7cea77e7fb029cdc343b5c5588cc499d929938b8a22b9
-
SSDEEP
6144:lwJdx9gcjsjoBn/TNId/1fon/T2oI0YokOsfY7Uon2KO:lwJdx9/5NIVy2oIvPKiKO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbceejpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocbddc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhlml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmaok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdelajl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gododflk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbqlfkmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckpjfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhpjkojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiaephpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqppkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkplejl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbmncp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqppkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkgeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfaloa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkjmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkikkeeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfoafi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcpebmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odpjcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjkombfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aejfpjne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baocghgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkoggkjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehimanbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eocenh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabgaklg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lljfpnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olkhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndaggimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifjodl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmpijp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndhmhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojjolnaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjcbbmif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchomn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbmefbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flqimk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceoibflm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onklabip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aacckjaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkffog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hioiji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imoneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcpnhfhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adgbpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbmfoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmlhii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfoafi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfdodjhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peimil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olhlhjpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjoankoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeniabfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chokikeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfbploob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdfofakp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nceonl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paegjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddpeoafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imakkfdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajckij32.exe -
Executes dropped EXE 64 IoCs
pid Process 2196 Hfljmdjc.exe 3172 Hadkpm32.exe 508 Hpgkkioa.exe 4332 Hbhdmd32.exe 4776 Hjolnb32.exe 1180 Ipldfi32.exe 4384 Ijaida32.exe 3096 Ibmmhdhm.exe 3348 Iiffen32.exe 1624 Ipqnahgf.exe 4580 Ibojncfj.exe 1004 Ibagcc32.exe 3684 Iikopmkd.exe 4744 Iabgaklg.exe 2676 Jdcpcf32.exe 2816 Jfaloa32.exe 3432 Jiphkm32.exe 232 Jaimbj32.exe 4612 Jfffjqdf.exe 3440 Jbmfoa32.exe 4164 Jdmcidam.exe 4180 Kaqcbi32.exe 744 Kdaldd32.exe 4028 Kipabjil.exe 3880 Kpmfddnf.exe 4852 Ldkojb32.exe 816 Laopdgcg.exe 5008 Lkgdml32.exe 4592 Lcbiao32.exe 1716 Laciofpa.exe 3840 Ljnnch32.exe 2888 Lgbnmm32.exe 4492 Mdfofakp.exe 2464 Mkpgck32.exe 3872 Mpmokb32.exe 3048 Mgghhlhq.exe 668 Mamleegg.exe 4192 Mcnhmm32.exe 4588 Mncmjfmk.exe 3832 Mcpebmkb.exe 1212 Mkgmcjld.exe 4476 Mpdelajl.exe 3132 Mcbahlip.exe 1088 Nacbfdao.exe 2912 Nceonl32.exe 5024 Nklfoi32.exe 3492 Nqiogp32.exe 2104 Ncgkcl32.exe 1564 Nnmopdep.exe 4896 Ndghmo32.exe 1352 Ngedij32.exe 768 Njcpee32.exe 1440 Ncldnkae.exe 1124 Nnaikd32.exe 1444 Ndkahnhh.exe 4980 Okeieh32.exe 1972 Oboaabga.exe 4752 Ocqnij32.exe 5040 Ojjffddl.exe 1484 Odpjcm32.exe 4836 Ojmcld32.exe 4572 Odbgim32.exe 752 Onklabip.exe 1496 Oqihnn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ibojncfj.exe Ipqnahgf.exe File opened for modification C:\Windows\SysWOW64\Qnnanphk.exe Qgciaf32.exe File created C:\Windows\SysWOW64\Dmcibama.exe Djdmffnn.exe File opened for modification C:\Windows\SysWOW64\Ngpccdlj.exe Ndaggimg.exe File created C:\Windows\SysWOW64\Dkifae32.exe Delnin32.exe File created C:\Windows\SysWOW64\Agffge32.exe Qnnanphk.exe File opened for modification C:\Windows\SysWOW64\Fkopnh32.exe Fdegandp.exe File opened for modification C:\Windows\SysWOW64\Kbaipkbi.exe Kpbmco32.exe File opened for modification C:\Windows\SysWOW64\Andqdh32.exe Agjhgngj.exe File opened for modification C:\Windows\SysWOW64\Aadifclh.exe Afoeiklb.exe File created C:\Windows\SysWOW64\Ojmcld32.exe Odpjcm32.exe File created C:\Windows\SysWOW64\Iedoeq32.dll Gdjjckag.exe File created C:\Windows\SysWOW64\Kbaipkbi.exe Kpbmco32.exe File created C:\Windows\SysWOW64\Afoeiklb.exe Aeniabfd.exe File created C:\Windows\SysWOW64\Cjkjpgfi.exe Chmndlge.exe File created C:\Windows\SysWOW64\Iabgaklg.exe Iikopmkd.exe File opened for modification C:\Windows\SysWOW64\Ncgkcl32.exe Nqiogp32.exe File created C:\Windows\SysWOW64\Ojjolnaq.exe Odmgcgbi.exe File created C:\Windows\SysWOW64\Gbbkaako.exe Gododflk.exe File created C:\Windows\SysWOW64\Hkmefd32.exe Hioiji32.exe File created C:\Windows\SysWOW64\Ocdqjceo.exe Olkhmi32.exe File opened for modification C:\Windows\SysWOW64\Qqfmde32.exe Pjmehkqk.exe File created C:\Windows\SysWOW64\Pmgmnjcj.dll Bfdodjhm.exe File created C:\Windows\SysWOW64\Nacbfdao.exe Mcbahlip.exe File created C:\Windows\SysWOW64\Bopgjmhe.exe Bhfonc32.exe File opened for modification C:\Windows\SysWOW64\Cdkldb32.exe Camphf32.exe File created C:\Windows\SysWOW64\Qlgene32.dll Ceckcp32.exe File opened for modification C:\Windows\SysWOW64\Icifbang.exe Imoneg32.exe File created C:\Windows\SysWOW64\Halpnqlq.dll Pmoahijl.exe File created C:\Windows\SysWOW64\Mamleegg.exe Mgghhlhq.exe File created C:\Windows\SysWOW64\Ifgbnlmj.exe Icifbang.exe File opened for modification C:\Windows\SysWOW64\Ndhmhh32.exe Nnneknob.exe File created C:\Windows\SysWOW64\Cecbmf32.exe Cbefaj32.exe File opened for modification C:\Windows\SysWOW64\Ehimanbq.exe Eekaebcm.exe File created C:\Windows\SysWOW64\Flqimk32.exe Ffgqqaip.exe File created C:\Windows\SysWOW64\Mcmabg32.exe Mmpijp32.exe File created C:\Windows\SysWOW64\Jifkeoll.dll Kpmfddnf.exe File created C:\Windows\SysWOW64\Adcmmeog.exe Aaepqjpd.exe File created C:\Windows\SysWOW64\Imdhga32.dll Cogmkl32.exe File created C:\Windows\SysWOW64\Mpbbmhgf.dll Balfaiil.exe File opened for modification C:\Windows\SysWOW64\Doqpak32.exe Cdkldb32.exe File created C:\Windows\SysWOW64\Dddhpjof.exe Dogogcpo.exe File created C:\Windows\SysWOW64\Hhapkbgi.dll Mncmjfmk.exe File created C:\Windows\SysWOW64\Gcbifaej.dll Jimekgff.exe File created C:\Windows\SysWOW64\Pqpgdfnp.exe Pnakhkol.exe File created C:\Windows\SysWOW64\Gkaejf32.exe Gdhmnlcj.exe File created C:\Windows\SysWOW64\Kikame32.exe Kbaipkbi.exe File created C:\Windows\SysWOW64\Cenahpha.exe Cjinkg32.exe File opened for modification C:\Windows\SysWOW64\Jcllonma.exe Jmbdbd32.exe File created C:\Windows\SysWOW64\Pjngmo32.dll Chagok32.exe File created C:\Windows\SysWOW64\Fdgdgnbm.exe Fcfhof32.exe File opened for modification C:\Windows\SysWOW64\Jmbdbd32.exe Jeklag32.exe File opened for modification C:\Windows\SysWOW64\Ajckij32.exe Ageolo32.exe File created C:\Windows\SysWOW64\Gkillp32.dll Ibmmhdhm.exe File created C:\Windows\SysWOW64\Pjmehkqk.exe Pgnilpah.exe File created C:\Windows\SysWOW64\Aaiapmca.dll Ncldnkae.exe File opened for modification C:\Windows\SysWOW64\Ifgbnlmj.exe Icifbang.exe File created C:\Windows\SysWOW64\Qamhhedg.dll Kbceejpf.exe File created C:\Windows\SysWOW64\Lpfihl32.dll Ibojncfj.exe File opened for modification C:\Windows\SysWOW64\Ecmeig32.exe Ehgqln32.exe File created C:\Windows\SysWOW64\Jgmbieme.dll Ehgqln32.exe File created C:\Windows\SysWOW64\Gnchkk32.dll Ifjodl32.exe File created C:\Windows\SysWOW64\Jbhfjljd.exe Jlnnmb32.exe File created C:\Windows\SysWOW64\Bapiabak.exe Bnbmefbg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9504 9408 WerFault.exe 452 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chpada32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbeedbdm.dll" Liddbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldleel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll" Miifeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfabnjjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID d8e8fba63ba108397dbeea791e59b860_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ickchq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhjmp32.dll" Jcllonma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdkldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpdelajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njcpee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cecenn32.dll" Dbaemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkikkeeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbbdholl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgfqmfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll" Pgnilpah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll" Hbhdmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aogmoeik.dll" Fdgdgnbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkdbpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippohl32.dll" Jefbfgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olmeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbefaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogcpjhoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhpjkojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll" Lbabgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afoeiklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndkahnhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgopffec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imakkfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfjhkjle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndhmhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjcbbmif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbmncp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbabgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceckcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfffjqdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll" Mamleegg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adcmmeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdmpcdfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjpqmmkb.dll" Deoaid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oponmilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfaloa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifgbnlmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll" Ngdmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll" Oponmilc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofcmfodb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqmjog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajfhnjhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" Cmqmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcaee32.dll" Ceoibflm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mchhggno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll" Nnqbanmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll" Ofcmfodb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cegdnopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Camphf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neeqea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehgqln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpnfbohh.dll" Pjhbgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdiooblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olkhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpelohh.dll" Nnaikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaiapmca.dll" Ncldnkae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alhhhcal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fomhdg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4292 wrote to memory of 2196 4292 d8e8fba63ba108397dbeea791e59b860_NEIKI.exe 80 PID 4292 wrote to memory of 2196 4292 d8e8fba63ba108397dbeea791e59b860_NEIKI.exe 80 PID 4292 wrote to memory of 2196 4292 d8e8fba63ba108397dbeea791e59b860_NEIKI.exe 80 PID 2196 wrote to memory of 3172 2196 Hfljmdjc.exe 82 PID 2196 wrote to memory of 3172 2196 Hfljmdjc.exe 82 PID 2196 wrote to memory of 3172 2196 Hfljmdjc.exe 82 PID 3172 wrote to memory of 508 3172 Hadkpm32.exe 83 PID 3172 wrote to memory of 508 3172 Hadkpm32.exe 83 PID 3172 wrote to memory of 508 3172 Hadkpm32.exe 83 PID 508 wrote to memory of 4332 508 Hpgkkioa.exe 84 PID 508 wrote to memory of 4332 508 Hpgkkioa.exe 84 PID 508 wrote to memory of 4332 508 Hpgkkioa.exe 84 PID 4332 wrote to memory of 4776 4332 Hbhdmd32.exe 85 PID 4332 wrote to memory of 4776 4332 Hbhdmd32.exe 85 PID 4332 wrote to memory of 4776 4332 Hbhdmd32.exe 85 PID 4776 wrote to memory of 1180 4776 Hjolnb32.exe 86 PID 4776 wrote to memory of 1180 4776 Hjolnb32.exe 86 PID 4776 wrote to memory of 1180 4776 Hjolnb32.exe 86 PID 1180 wrote to memory of 4384 1180 Ipldfi32.exe 88 PID 1180 wrote to memory of 4384 1180 Ipldfi32.exe 88 PID 1180 wrote to memory of 4384 1180 Ipldfi32.exe 88 PID 4384 wrote to memory of 3096 4384 Ijaida32.exe 89 PID 4384 wrote to memory of 3096 4384 Ijaida32.exe 89 PID 4384 wrote to memory of 3096 4384 Ijaida32.exe 89 PID 3096 wrote to memory of 3348 3096 Ibmmhdhm.exe 90 PID 3096 wrote to memory of 3348 3096 Ibmmhdhm.exe 90 PID 3096 wrote to memory of 3348 3096 Ibmmhdhm.exe 90 PID 3348 wrote to memory of 1624 3348 Iiffen32.exe 91 PID 3348 wrote to memory of 1624 3348 Iiffen32.exe 91 PID 3348 wrote to memory of 1624 3348 Iiffen32.exe 91 PID 1624 wrote to memory of 4580 1624 Ipqnahgf.exe 92 PID 1624 wrote to memory of 4580 1624 Ipqnahgf.exe 92 PID 1624 wrote to memory of 4580 1624 Ipqnahgf.exe 92 PID 4580 wrote to memory of 1004 4580 Ibojncfj.exe 93 PID 4580 wrote to memory of 1004 4580 Ibojncfj.exe 93 PID 4580 wrote to memory of 1004 4580 Ibojncfj.exe 93 PID 1004 wrote to memory of 3684 1004 Ibagcc32.exe 94 PID 1004 wrote to memory of 3684 1004 Ibagcc32.exe 94 PID 1004 wrote to memory of 3684 1004 Ibagcc32.exe 94 PID 3684 wrote to memory of 4744 3684 Iikopmkd.exe 95 PID 3684 wrote to memory of 4744 3684 Iikopmkd.exe 95 PID 3684 wrote to memory of 4744 3684 Iikopmkd.exe 95 PID 4744 wrote to memory of 2676 4744 Iabgaklg.exe 96 PID 4744 wrote to memory of 2676 4744 Iabgaklg.exe 96 PID 4744 wrote to memory of 2676 4744 Iabgaklg.exe 96 PID 2676 wrote to memory of 2816 2676 Jdcpcf32.exe 97 PID 2676 wrote to memory of 2816 2676 Jdcpcf32.exe 97 PID 2676 wrote to memory of 2816 2676 Jdcpcf32.exe 97 PID 2816 wrote to memory of 3432 2816 Jfaloa32.exe 98 PID 2816 wrote to memory of 3432 2816 Jfaloa32.exe 98 PID 2816 wrote to memory of 3432 2816 Jfaloa32.exe 98 PID 3432 wrote to memory of 232 3432 Jiphkm32.exe 99 PID 3432 wrote to memory of 232 3432 Jiphkm32.exe 99 PID 3432 wrote to memory of 232 3432 Jiphkm32.exe 99 PID 232 wrote to memory of 4612 232 Jaimbj32.exe 100 PID 232 wrote to memory of 4612 232 Jaimbj32.exe 100 PID 232 wrote to memory of 4612 232 Jaimbj32.exe 100 PID 4612 wrote to memory of 3440 4612 Jfffjqdf.exe 101 PID 4612 wrote to memory of 3440 4612 Jfffjqdf.exe 101 PID 4612 wrote to memory of 3440 4612 Jfffjqdf.exe 101 PID 3440 wrote to memory of 4164 3440 Jbmfoa32.exe 102 PID 3440 wrote to memory of 4164 3440 Jbmfoa32.exe 102 PID 3440 wrote to memory of 4164 3440 Jbmfoa32.exe 102 PID 4164 wrote to memory of 4180 4164 Jdmcidam.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8e8fba63ba108397dbeea791e59b860_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\d8e8fba63ba108397dbeea791e59b860_NEIKI.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:508 -
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe23⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe24⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe25⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3880 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe27⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe28⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe29⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe30⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe31⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe32⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe33⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe35⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe36⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe39⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4588 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe42⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4476 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3132 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe45⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe47⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3492 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe49⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe50⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe51⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe52⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1124 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe57⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe58⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe59⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe60⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe62⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe63⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe65⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe66⤵
- Modifies registry class
PID:4464 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe67⤵PID:1632
-
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe68⤵PID:3900
-
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe69⤵PID:2716
-
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2880 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe71⤵PID:1468
-
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3144 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe73⤵PID:3784
-
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe74⤵
- Modifies registry class
PID:4656 -
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe75⤵PID:3136
-
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2228 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4880 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe78⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe79⤵PID:2156
-
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe80⤵PID:3204
-
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe81⤵PID:3852
-
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe82⤵PID:4632
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe83⤵
- Drops file in System32 directory
PID:5108 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe84⤵
- Drops file in System32 directory
PID:1188 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe85⤵PID:3580
-
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe86⤵PID:3196
-
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4092 -
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe88⤵PID:3148
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe89⤵PID:4016
-
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe90⤵PID:3484
-
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1552 -
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe92⤵
- Modifies registry class
PID:1392 -
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe93⤵PID:2908
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe94⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe95⤵
- Modifies registry class
PID:4064 -
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe96⤵PID:4768
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe97⤵PID:3068
-
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe98⤵PID:1604
-
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe99⤵PID:3504
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe100⤵PID:676
-
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe101⤵PID:1860
-
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe102⤵PID:2284
-
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe103⤵
- Drops file in System32 directory
PID:4108 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe104⤵
- Drops file in System32 directory
PID:4544 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe105⤵PID:3940
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3752 -
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe107⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe108⤵PID:1336
-
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe109⤵PID:1144
-
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe110⤵PID:4056
-
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3128 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe113⤵PID:4928
-
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe114⤵
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe115⤵PID:5148
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe116⤵
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe117⤵PID:5232
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe119⤵PID:5328
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe120⤵PID:5372
-
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5416
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-