Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
08/05/2024, 19:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe
-
Size
704KB
-
MD5
1f2cda5d47d44b927288a8a686f4bfb0
-
SHA1
fd662317725fb01fa88cc4385b41946f6228db5a
-
SHA256
31717ab7468d56c1884b6604dcc9339c048f4903884d9d3a68f5e63d68ff1212
-
SHA512
79f4289e3366cd83345714449c9525f471d59ace5f1e0a8d5b64e5c6ba87735f3d7e9f904a6662bf83405e8f482770f24dd176cd14a277d79cffe8663d363247
-
SSDEEP
12288:m4CaPh2kkkkK4kXkkkkkkkkl888888888888888888nusMH0QiRLsR4P377a20Rw:QaPh2kkkkK4kXkkkkkkkkhLX3a20R0vh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nehmdhja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajala32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mppepcfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkodhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngnbgplj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmapm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmbknddp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohidmoaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonnhhln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlngpjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nehmdhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgnfhlin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poapfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocllehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bffpki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdjhndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnhdqdnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhffnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbogfcjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoopae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpclh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpmhpbkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfedqagp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkgcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lccdel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dikogf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkpnhgge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfkke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkklljmg.exe -
Executes dropped EXE 64 IoCs
pid Process 2820 Plahag32.exe 2624 Pnbacbac.exe 2724 Qlhnbf32.exe 2076 Qecoqk32.exe 2772 Amndem32.exe 2956 Apajlhka.exe 2464 Aenbdoii.exe 1556 Bkodhe32.exe 2148 Bhfagipa.exe 1896 Bkdmcdoe.exe 2216 Bdooajdc.exe 860 Cfeddafl.exe 1056 Cckace32.exe 1840 Cfinoq32.exe 440 Dodonf32.exe 1776 Dbbkja32.exe 904 Dhmcfkme.exe 404 Djnpnc32.exe 3060 Dbehoa32.exe 1684 Ddcdkl32.exe 1016 Djpmccqq.exe 880 Dmoipopd.exe 2376 Dgdmmgpj.exe 1784 Dnneja32.exe 2268 Dcknbh32.exe 324 Dfijnd32.exe 1944 Eihfjo32.exe 3044 Ebpkce32.exe 2760 Eijcpoac.exe 2632 Epdkli32.exe 2636 Efncicpm.exe 2612 Emhlfmgj.exe 2208 Enihne32.exe 2060 Eecqjpee.exe 2692 Egamfkdh.exe 2940 Epieghdk.exe 1912 Ebgacddo.exe 760 Eiaiqn32.exe 2536 Ejbfhfaj.exe 2968 Ebinic32.exe 1448 Fckjalhj.exe 2516 Fnpnndgp.exe 2064 Fejgko32.exe 288 Fhhcgj32.exe 644 Fmekoalh.exe 1652 Fhkpmjln.exe 1456 Fjilieka.exe 1284 Fmhheqje.exe 1696 Fbdqmghm.exe 2144 Fmjejphb.exe 876 Fbgmbg32.exe 1876 Feeiob32.exe 2172 Fmlapp32.exe 832 Gonnhhln.exe 2800 Gfefiemq.exe 2588 Gicbeald.exe 684 Gpmjak32.exe 2712 Gieojq32.exe 1584 Gkgkbipp.exe 2176 Gbnccfpb.exe 2440 Gelppaof.exe 1612 Ghkllmoi.exe 1676 Goddhg32.exe 2276 Geolea32.exe -
Loads dropped DLL 64 IoCs
pid Process 1768 1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe 1768 1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe 2820 Plahag32.exe 2820 Plahag32.exe 2624 Pnbacbac.exe 2624 Pnbacbac.exe 2724 Qlhnbf32.exe 2724 Qlhnbf32.exe 2076 Qecoqk32.exe 2076 Qecoqk32.exe 2772 Amndem32.exe 2772 Amndem32.exe 2956 Apajlhka.exe 2956 Apajlhka.exe 2464 Aenbdoii.exe 2464 Aenbdoii.exe 1556 Bkodhe32.exe 1556 Bkodhe32.exe 2148 Bhfagipa.exe 2148 Bhfagipa.exe 1896 Bkdmcdoe.exe 1896 Bkdmcdoe.exe 2216 Bdooajdc.exe 2216 Bdooajdc.exe 860 Cfeddafl.exe 860 Cfeddafl.exe 1056 Cckace32.exe 1056 Cckace32.exe 1840 Cfinoq32.exe 1840 Cfinoq32.exe 440 Dodonf32.exe 440 Dodonf32.exe 1776 Dbbkja32.exe 1776 Dbbkja32.exe 904 Dhmcfkme.exe 904 Dhmcfkme.exe 404 Djnpnc32.exe 404 Djnpnc32.exe 3060 Dbehoa32.exe 3060 Dbehoa32.exe 1684 Ddcdkl32.exe 1684 Ddcdkl32.exe 1016 Djpmccqq.exe 1016 Djpmccqq.exe 880 Dmoipopd.exe 880 Dmoipopd.exe 2376 Dgdmmgpj.exe 2376 Dgdmmgpj.exe 1784 Dnneja32.exe 1784 Dnneja32.exe 2268 Dcknbh32.exe 2268 Dcknbh32.exe 324 Dfijnd32.exe 324 Dfijnd32.exe 1944 Eihfjo32.exe 1944 Eihfjo32.exe 3044 Ebpkce32.exe 3044 Ebpkce32.exe 2760 Eijcpoac.exe 2760 Eijcpoac.exe 2632 Epdkli32.exe 2632 Epdkli32.exe 2636 Efncicpm.exe 2636 Efncicpm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bldcpf32.exe Bifgdk32.exe File opened for modification C:\Windows\SysWOW64\Glgaok32.exe Giieco32.exe File created C:\Windows\SysWOW64\Khdecggq.dll Process not Found File created C:\Windows\SysWOW64\Odiaql32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lkppbl32.exe Ldfgebbe.exe File created C:\Windows\SysWOW64\Ebmgcohn.exe Dookgcij.exe File created C:\Windows\SysWOW64\Kaldcb32.exe Knmhgf32.exe File created C:\Windows\SysWOW64\Mhhfdo32.exe Meijhc32.exe File opened for modification C:\Windows\SysWOW64\Cpfaocal.exe Cmgechbh.exe File created C:\Windows\SysWOW64\Pqbolhmg.dll Process not Found File created C:\Windows\SysWOW64\Dclchm32.dll Ghmkjedk.exe File opened for modification C:\Windows\SysWOW64\Jgqpkc32.exe Joihjfnl.exe File created C:\Windows\SysWOW64\Pakllc32.exe Pnopldgn.exe File created C:\Windows\SysWOW64\Chhldeho.exe Cielhh32.exe File created C:\Windows\SysWOW64\Oklghebe.dll Hmmphlpp.exe File opened for modification C:\Windows\SysWOW64\Mfllkece.exe Mcnpojca.exe File created C:\Windows\SysWOW64\Jenbjc32.exe Process not Found File created C:\Windows\SysWOW64\Nplnekmg.dll Process not Found File created C:\Windows\SysWOW64\Cdoime32.dll Process not Found File created C:\Windows\SysWOW64\Leonofpp.exe Lbqabkql.exe File created C:\Windows\SysWOW64\Eojnkg32.exe Emkaol32.exe File opened for modification C:\Windows\SysWOW64\Leljop32.exe Lmebnb32.exe File opened for modification C:\Windows\SysWOW64\Ebefgm32.exe Eogjka32.exe File created C:\Windows\SysWOW64\Ocfqdk32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dglpbbbg.exe Doehqead.exe File created C:\Windows\SysWOW64\Kldcnd32.dll Jcbhee32.exe File created C:\Windows\SysWOW64\Aaaphj32.dll Cdgpnqpo.exe File opened for modification C:\Windows\SysWOW64\Imiigiab.exe Process not Found File created C:\Windows\SysWOW64\Dcnqanhd.exe Dkgippgb.exe File opened for modification C:\Windows\SysWOW64\Jjbbpmgo.exe Process not Found File created C:\Windows\SysWOW64\Nbniiffi.dll Hobcak32.exe File created C:\Windows\SysWOW64\Mbkmlh32.exe Mpmapm32.exe File opened for modification C:\Windows\SysWOW64\Mcckcbgp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ofnpnkgf.exe Process not Found File created C:\Windows\SysWOW64\Mommgm32.dll Process not Found File created C:\Windows\SysWOW64\Jbdhhp32.dll Process not Found File created C:\Windows\SysWOW64\Okhlbmkc.dll Kfjggo32.exe File created C:\Windows\SysWOW64\Goembl32.dll Process not Found File created C:\Windows\SysWOW64\Mbhlek32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jelfdc32.exe Process not Found File created C:\Windows\SysWOW64\Phoccb32.dll Jcgogk32.exe File created C:\Windows\SysWOW64\Cdlgpgef.exe Cldooj32.exe File created C:\Windows\SysWOW64\Jjnbaf32.dll Kincipnk.exe File created C:\Windows\SysWOW64\Domqjm32.exe Dlndnacm.exe File opened for modification C:\Windows\SysWOW64\Oonldcih.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aflfjc32.exe Process not Found File created C:\Windows\SysWOW64\Kqgmkdbj.dll Kjqccigf.exe File opened for modification C:\Windows\SysWOW64\Melifl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ceebklai.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ehpcehcj.exe Process not Found File created C:\Windows\SysWOW64\Qkophk32.dll Mmceigep.exe File opened for modification C:\Windows\SysWOW64\Mbhjlbbh.exe Lnlnlc32.exe File opened for modification C:\Windows\SysWOW64\Hbnmienj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jofiln32.exe Jnemdecl.exe File created C:\Windows\SysWOW64\Blkepk32.dll Nkmdpm32.exe File created C:\Windows\SysWOW64\Pkfaka32.dll Bdmddc32.exe File created C:\Windows\SysWOW64\Akhfoldn.exe Acqnnndl.exe File created C:\Windows\SysWOW64\Cenljmgq.exe Process not Found File created C:\Windows\SysWOW64\Eopphehb.exe Process not Found File created C:\Windows\SysWOW64\Gfbliabl.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dblhmoio.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hfjnla32.exe Hppfog32.exe File created C:\Windows\SysWOW64\Ialelpfl.dll Ipbocjlg.exe File created C:\Windows\SysWOW64\Ppdjkg32.dll Jkgcab32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4964 4320 Process not Found 1662 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cemdajgc.dll" Ieagbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhioaa32.dll" Lbogfcjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeidgbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpgcnh32.dll" Dmdnbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaoobkci.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhgdkjol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocgpappk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipllekdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peipigfb.dll" Dpgcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcegmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbfdaigg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beejng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cegcbjkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjljina.dll" Nhiholof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgdipbc.dll" Bjmbqhif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cifelgmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caknol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjdilgpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhkiid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjfgpjhf.dll" Cjmopkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdjmcpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkejof32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdmmfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilhjm32.dll" Badnhbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfjcc32.dll" Ieidmbcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbbngf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npijoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Danmmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edpmjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmfmihf.dll" Jfekcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbnemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hppfog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eamilh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknqdmpf.dll" Iajcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljhgm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobfbpbc.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chkmkacq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkhak32.dll" Ehjehh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kokbpahm.dll" Kcfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajjmcaea.dll" Ajjcbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjpqlpe.dll" Ccigfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfmcfjpo.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1768 wrote to memory of 2820 1768 1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe 28 PID 1768 wrote to memory of 2820 1768 1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe 28 PID 1768 wrote to memory of 2820 1768 1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe 28 PID 1768 wrote to memory of 2820 1768 1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe 28 PID 2820 wrote to memory of 2624 2820 Plahag32.exe 29 PID 2820 wrote to memory of 2624 2820 Plahag32.exe 29 PID 2820 wrote to memory of 2624 2820 Plahag32.exe 29 PID 2820 wrote to memory of 2624 2820 Plahag32.exe 29 PID 2624 wrote to memory of 2724 2624 Pnbacbac.exe 30 PID 2624 wrote to memory of 2724 2624 Pnbacbac.exe 30 PID 2624 wrote to memory of 2724 2624 Pnbacbac.exe 30 PID 2624 wrote to memory of 2724 2624 Pnbacbac.exe 30 PID 2724 wrote to memory of 2076 2724 Qlhnbf32.exe 31 PID 2724 wrote to memory of 2076 2724 Qlhnbf32.exe 31 PID 2724 wrote to memory of 2076 2724 Qlhnbf32.exe 31 PID 2724 wrote to memory of 2076 2724 Qlhnbf32.exe 31 PID 2076 wrote to memory of 2772 2076 Qecoqk32.exe 32 PID 2076 wrote to memory of 2772 2076 Qecoqk32.exe 32 PID 2076 wrote to memory of 2772 2076 Qecoqk32.exe 32 PID 2076 wrote to memory of 2772 2076 Qecoqk32.exe 32 PID 2772 wrote to memory of 2956 2772 Amndem32.exe 33 PID 2772 wrote to memory of 2956 2772 Amndem32.exe 33 PID 2772 wrote to memory of 2956 2772 Amndem32.exe 33 PID 2772 wrote to memory of 2956 2772 Amndem32.exe 33 PID 2956 wrote to memory of 2464 2956 Apajlhka.exe 34 PID 2956 wrote to memory of 2464 2956 Apajlhka.exe 34 PID 2956 wrote to memory of 2464 2956 Apajlhka.exe 34 PID 2956 wrote to memory of 2464 2956 Apajlhka.exe 34 PID 2464 wrote to memory of 1556 2464 Aenbdoii.exe 35 PID 2464 wrote to memory of 1556 2464 Aenbdoii.exe 35 PID 2464 wrote to memory of 1556 2464 Aenbdoii.exe 35 PID 2464 wrote to memory of 1556 2464 Aenbdoii.exe 35 PID 1556 wrote to memory of 2148 1556 Bkodhe32.exe 36 PID 1556 wrote to memory of 2148 1556 Bkodhe32.exe 36 PID 1556 wrote to memory of 2148 1556 Bkodhe32.exe 36 PID 1556 wrote to memory of 2148 1556 Bkodhe32.exe 36 PID 2148 wrote to memory of 1896 2148 Bhfagipa.exe 37 PID 2148 wrote to memory of 1896 2148 Bhfagipa.exe 37 PID 2148 wrote to memory of 1896 2148 Bhfagipa.exe 37 PID 2148 wrote to memory of 1896 2148 Bhfagipa.exe 37 PID 1896 wrote to memory of 2216 1896 Bkdmcdoe.exe 38 PID 1896 wrote to memory of 2216 1896 Bkdmcdoe.exe 38 PID 1896 wrote to memory of 2216 1896 Bkdmcdoe.exe 38 PID 1896 wrote to memory of 2216 1896 Bkdmcdoe.exe 38 PID 2216 wrote to memory of 860 2216 Bdooajdc.exe 1093 PID 2216 wrote to memory of 860 2216 Bdooajdc.exe 1093 PID 2216 wrote to memory of 860 2216 Bdooajdc.exe 1093 PID 2216 wrote to memory of 860 2216 Bdooajdc.exe 1093 PID 860 wrote to memory of 1056 860 Cfeddafl.exe 40 PID 860 wrote to memory of 1056 860 Cfeddafl.exe 40 PID 860 wrote to memory of 1056 860 Cfeddafl.exe 40 PID 860 wrote to memory of 1056 860 Cfeddafl.exe 40 PID 1056 wrote to memory of 1840 1056 Cckace32.exe 41 PID 1056 wrote to memory of 1840 1056 Cckace32.exe 41 PID 1056 wrote to memory of 1840 1056 Cckace32.exe 41 PID 1056 wrote to memory of 1840 1056 Cckace32.exe 41 PID 1840 wrote to memory of 440 1840 Cfinoq32.exe 42 PID 1840 wrote to memory of 440 1840 Cfinoq32.exe 42 PID 1840 wrote to memory of 440 1840 Cfinoq32.exe 42 PID 1840 wrote to memory of 440 1840 Cfinoq32.exe 42 PID 440 wrote to memory of 1776 440 Dodonf32.exe 43 PID 440 wrote to memory of 1776 440 Dodonf32.exe 43 PID 440 wrote to memory of 1776 440 Dodonf32.exe 43 PID 440 wrote to memory of 1776 440 Dodonf32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:404 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:324 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe33⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe34⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe36⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe37⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe38⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe39⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe40⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe41⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe42⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe43⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe44⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe45⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe46⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe47⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe48⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe49⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe50⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe51⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe52⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe53⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe54⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe56⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe57⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe58⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe59⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe60⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe61⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe62⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe63⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe64⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe65⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe66⤵PID:300
-
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe67⤵PID:2428
-
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe68⤵PID:980
-
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe69⤵PID:1940
-
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe70⤵PID:2224
-
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2112 -
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe72⤵PID:2092
-
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:580 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe74⤵PID:1664
-
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe75⤵PID:1596
-
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe76⤵PID:2488
-
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe77⤵PID:1924
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe78⤵
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe79⤵PID:2232
-
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe80⤵PID:2368
-
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe81⤵PID:1440
-
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe82⤵PID:1956
-
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe83⤵PID:2260
-
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe84⤵PID:2540
-
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe85⤵PID:1428
-
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe86⤵PID:668
-
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe87⤵PID:1560
-
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe88⤵PID:2188
-
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe89⤵PID:2908
-
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe90⤵PID:1496
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe91⤵PID:1844
-
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe92⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe93⤵PID:3008
-
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe94⤵PID:2184
-
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe95⤵PID:2928
-
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe96⤵PID:1504
-
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe97⤵PID:1348
-
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe98⤵PID:2204
-
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe99⤵PID:1508
-
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe100⤵PID:348
-
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe101⤵PID:480
-
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe102⤵PID:2016
-
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe103⤵
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe104⤵PID:1392
-
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe105⤵PID:2992
-
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe106⤵PID:1708
-
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe107⤵PID:2984
-
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe108⤵PID:2872
-
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe109⤵PID:1360
-
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe110⤵PID:1536
-
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe111⤵PID:2168
-
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe112⤵PID:2460
-
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe113⤵
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe114⤵
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe115⤵PID:2320
-
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe116⤵PID:2496
-
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2100 -
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe118⤵PID:1724
-
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe119⤵PID:868
-
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe120⤵PID:2592
-
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe121⤵PID:2688
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-