Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
08/05/2024, 19:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
172b16cf85f8360c146166276c3f2710_NEIKI.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
172b16cf85f8360c146166276c3f2710_NEIKI.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
172b16cf85f8360c146166276c3f2710_NEIKI.exe
-
Size
93KB
-
MD5
172b16cf85f8360c146166276c3f2710
-
SHA1
ba5392c4f52f70853fb952b93640a101d05edc43
-
SHA256
7e78d77570756717f2e089c734a26cf0f82ec762d35e8bd6fd596b2764418976
-
SHA512
f727f13a129ba480dfdfc809137705afa6f198cedbf16308c1d0346304295a6d87b1a9563e2dc06584871f092a8219f6899ade913f83671681d9b01741087ae2
-
SSDEEP
1536:Te+aZl0nqDxVYFRHaxX8EiOQwg4REXsRQRRRkRLJzeLD9N0iQGRNQR8RyV+32r:Te+aZl5xGMBFiOReXSJdEN0s4WE+3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdeeqehb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bekkcljk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egllae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhhadmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecejkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahlgfdeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhndldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngpolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pqhpdhcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbhmnkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpnbkeld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcegmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clilkfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" 172b16cf85f8360c146166276c3f2710_NEIKI.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albjlcao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhela32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdlgpgef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbheh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qpecfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alegac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egjpkffe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egoife32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pogclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amfcikek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfabp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjjgclai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggpgmof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dliijipn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ehgppi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pklhlael.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnaocmmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emkaol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbjgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedleg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmmiij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nacgdhlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdeeqehb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfoqmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oobjaqaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aadloj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkgfckcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alegac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckafbbph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbhnhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkeimlfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blpjegfm.exe -
Executes dropped EXE 64 IoCs
pid Process 2864 Mggpgmof.exe 1880 Monhhk32.exe 2636 Mhgmapfi.exe 2668 Mkeimlfm.exe 2648 Mmceigep.exe 2432 Maoajf32.exe 2920 Mbpnanch.exe 2728 Mkgfckcj.exe 2872 Mijfnh32.exe 2024 Mcbjgn32.exe 1884 Mimbdhhb.exe 324 Mlkopcge.exe 1900 Mcegmm32.exe 1664 Meccii32.exe 2372 Nolhan32.exe 2292 Ncgdbmmp.exe 828 Nlphkb32.exe 1220 Nondgn32.exe 2060 Ncjqhmkm.exe 832 Nhfipcid.exe 1352 Noqamn32.exe 1936 Ndmjedoi.exe 2996 Nglfapnl.exe 2268 Nocnbmoo.exe 884 Npdjje32.exe 2560 Ngnbgplj.exe 2968 Nacgdhlp.exe 2576 Ndbcpd32.exe 2380 Ngpolo32.exe 1188 Oklkmnbp.exe 2784 Onjgiiad.exe 2448 Oddpfc32.exe 800 Ofelmloo.exe 1712 Ojahnj32.exe 544 Oonafa32.exe 2400 Ogeigofa.exe 1808 Ojcecjee.exe 764 Oopnlacm.exe 2068 Obojhlbq.exe 2236 Ojfaijcc.exe 1472 Omdneebf.exe 1484 Oobjaqaj.exe 1496 Ocnfbo32.exe 952 Ofmbnkhg.exe 1940 Oikojfgk.exe 2396 Okikfagn.exe 2832 Onhgbmfb.exe 872 Pfoocjfd.exe 2816 Pimkpfeh.exe 2980 Pklhlael.exe 2424 Pogclp32.exe 2056 Pbfpik32.exe 2080 Pqhpdhcc.exe 1360 Pedleg32.exe 1636 Pgbhabjp.exe 2596 Pkndaa32.exe 2548 Pnlqnl32.exe 2304 Pbhmnkjf.exe 2764 Pefijfii.exe 2592 Pjcabmga.exe 488 Pnomcl32.exe 2032 Pmanoifd.exe 2808 Peiepfgg.exe 2104 Pggbla32.exe -
Loads dropped DLL 64 IoCs
pid Process 2196 172b16cf85f8360c146166276c3f2710_NEIKI.exe 2196 172b16cf85f8360c146166276c3f2710_NEIKI.exe 2864 Mggpgmof.exe 2864 Mggpgmof.exe 1880 Monhhk32.exe 1880 Monhhk32.exe 2636 Mhgmapfi.exe 2636 Mhgmapfi.exe 2668 Mkeimlfm.exe 2668 Mkeimlfm.exe 2648 Mmceigep.exe 2648 Mmceigep.exe 2432 Maoajf32.exe 2432 Maoajf32.exe 2920 Mbpnanch.exe 2920 Mbpnanch.exe 2728 Mkgfckcj.exe 2728 Mkgfckcj.exe 2872 Mijfnh32.exe 2872 Mijfnh32.exe 2024 Mcbjgn32.exe 2024 Mcbjgn32.exe 1884 Mimbdhhb.exe 1884 Mimbdhhb.exe 324 Mlkopcge.exe 324 Mlkopcge.exe 1900 Mcegmm32.exe 1900 Mcegmm32.exe 1664 Meccii32.exe 1664 Meccii32.exe 2372 Nolhan32.exe 2372 Nolhan32.exe 2292 Ncgdbmmp.exe 2292 Ncgdbmmp.exe 828 Nlphkb32.exe 828 Nlphkb32.exe 1220 Nondgn32.exe 1220 Nondgn32.exe 2060 Ncjqhmkm.exe 2060 Ncjqhmkm.exe 832 Nhfipcid.exe 832 Nhfipcid.exe 1352 Noqamn32.exe 1352 Noqamn32.exe 1936 Ndmjedoi.exe 1936 Ndmjedoi.exe 2996 Nglfapnl.exe 2996 Nglfapnl.exe 2268 Nocnbmoo.exe 2268 Nocnbmoo.exe 884 Npdjje32.exe 884 Npdjje32.exe 2560 Ngnbgplj.exe 2560 Ngnbgplj.exe 2968 Nacgdhlp.exe 2968 Nacgdhlp.exe 2576 Ndbcpd32.exe 2576 Ndbcpd32.exe 2380 Ngpolo32.exe 2380 Ngpolo32.exe 1188 Oklkmnbp.exe 1188 Oklkmnbp.exe 2784 Onjgiiad.exe 2784 Onjgiiad.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iigpciig.dll Nocnbmoo.exe File created C:\Windows\SysWOW64\Kgoboqcm.dll Oklkmnbp.exe File created C:\Windows\SysWOW64\Ekhhadmk.exe Egllae32.exe File created C:\Windows\SysWOW64\Omkepc32.dll Ndbcpd32.exe File created C:\Windows\SysWOW64\Ejbgljdk.dll Aefeijle.exe File created C:\Windows\SysWOW64\Aamfnkai.exe Anojbobe.exe File created C:\Windows\SysWOW64\Pmbdhi32.dll Bpleef32.exe File created C:\Windows\SysWOW64\Dpbheh32.exe Dlgldibq.exe File opened for modification C:\Windows\SysWOW64\Monhhk32.exe Mggpgmof.exe File opened for modification C:\Windows\SysWOW64\Pnomcl32.exe Pjcabmga.exe File opened for modification C:\Windows\SysWOW64\Aefeijle.exe Afcenm32.exe File opened for modification C:\Windows\SysWOW64\Meccii32.exe Mcegmm32.exe File opened for modification C:\Windows\SysWOW64\Nacgdhlp.exe Ngnbgplj.exe File opened for modification C:\Windows\SysWOW64\Bmkmdk32.exe Bioqclil.exe File opened for modification C:\Windows\SysWOW64\Cohigamf.exe Cklmgb32.exe File opened for modification C:\Windows\SysWOW64\Dgjclbdi.exe Ccngld32.exe File created C:\Windows\SysWOW64\Dlkaflan.dll Dfoqmo32.exe File opened for modification C:\Windows\SysWOW64\Dbhnhp32.exe Dcenlceh.exe File opened for modification C:\Windows\SysWOW64\Nglfapnl.exe Ndmjedoi.exe File opened for modification C:\Windows\SysWOW64\Apimacnn.exe Amkpegnj.exe File created C:\Windows\SysWOW64\Lchkpi32.dll Ekhhadmk.exe File opened for modification C:\Windows\SysWOW64\Oonafa32.exe Ojahnj32.exe File opened for modification C:\Windows\SysWOW64\Ckafbbph.exe Cgejac32.exe File created C:\Windows\SysWOW64\Odifab32.dll Dbfabp32.exe File created C:\Windows\SysWOW64\Efaibbij.exe Egoife32.exe File opened for modification C:\Windows\SysWOW64\Efcfga32.exe Egafleqm.exe File created C:\Windows\SysWOW64\Olkbjhpi.dll Clilkfnb.exe File created C:\Windows\SysWOW64\Gfadgaio.dll Mhgmapfi.exe File opened for modification C:\Windows\SysWOW64\Pqhpdhcc.exe Pbfpik32.exe File created C:\Windows\SysWOW64\Pnlqnl32.exe Pkndaa32.exe File opened for modification C:\Windows\SysWOW64\Pgioaa32.exe Ppbfpd32.exe File created C:\Windows\SysWOW64\Acmmle32.dll Ahdaee32.exe File created C:\Windows\SysWOW64\Igdaoinc.dll Aaobdjof.exe File created C:\Windows\SysWOW64\Hokokc32.dll Bioqclil.exe File created C:\Windows\SysWOW64\Nanbpedg.dll Ceaadk32.exe File created C:\Windows\SysWOW64\Ffpncj32.dll Eccmffjf.exe File opened for modification C:\Windows\SysWOW64\Ndbcpd32.exe Nacgdhlp.exe File created C:\Windows\SysWOW64\Abjlmo32.dll Amkpegnj.exe File opened for modification C:\Windows\SysWOW64\Bpgljfbl.exe Aadloj32.exe File opened for modification C:\Windows\SysWOW64\Bfcampgf.exe Bbhela32.exe File opened for modification C:\Windows\SysWOW64\Ccahbp32.exe Coelaaoi.exe File created C:\Windows\SysWOW64\Cnobnmpl.exe Cjdfmo32.exe File created C:\Windows\SysWOW64\Qbcpbo32.exe Qcpofbjl.exe File opened for modification C:\Windows\SysWOW64\Ajjcbpdd.exe Ahlgfdeq.exe File created C:\Windows\SysWOW64\Jaegglem.dll Dfmdho32.exe File created C:\Windows\SysWOW64\Pimkpfeh.exe Pfoocjfd.exe File created C:\Windows\SysWOW64\Qmicohqm.exe Qjjgclai.exe File opened for modification C:\Windows\SysWOW64\Bfenbpec.exe Bbjbaa32.exe File created C:\Windows\SysWOW64\Ckoilb32.exe Cgcmlcja.exe File opened for modification C:\Windows\SysWOW64\Ckccgane.exe Cghggc32.exe File created C:\Windows\SysWOW64\Cahqdihi.dll Adpkee32.exe File created C:\Windows\SysWOW64\Hadfjo32.dll Cdikkg32.exe File opened for modification C:\Windows\SysWOW64\Nocnbmoo.exe Nglfapnl.exe File created C:\Windows\SysWOW64\Pnomcl32.exe Pjcabmga.exe File created C:\Windows\SysWOW64\Bhigphio.exe Bekkcljk.exe File created C:\Windows\SysWOW64\Mmnclh32.dll Dkqbaecc.exe File opened for modification C:\Windows\SysWOW64\Egllae32.exe Ecqqpgli.exe File created C:\Windows\SysWOW64\Djklnnaj.exe Dfoqmo32.exe File created C:\Windows\SysWOW64\Lfnjef32.dll Ebodiofk.exe File created C:\Windows\SysWOW64\Ecqqpgli.exe Ednpej32.exe File created C:\Windows\SysWOW64\Ppbfpd32.exe Pmdjdh32.exe File created C:\Windows\SysWOW64\Bhkdeggl.exe Baakhm32.exe File opened for modification C:\Windows\SysWOW64\Cgcmlcja.exe Cddaphkn.exe File created C:\Windows\SysWOW64\Dhdcji32.exe Ddigjkid.exe -
Program crash 1 IoCs
pid pid_target Process 3428 3400 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Caknol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcenlceh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dnoomqbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nolhan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cohigamf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pbhmnkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keefji32.dll" Blbfjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneqdoee.dll" Coelaaoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqehhb32.dll" Monhhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilbgbe32.dll" Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnkng32.dll" Bfcampgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fehofegb.dll" Apimacnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddigjkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojahnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjenhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aipddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaplbi32.dll" Pqhpdhcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edekcace.dll" Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbfabp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cahqdihi.dll" Adpkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffmipmp.dll" Emieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eccmffjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eqgnokip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bppoqeja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dcadac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnlfg32.dll" Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjomppp.dll" Dhnmij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Emnndlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkpmm32.dll" Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhfdmdo.dll" Ajjcbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ngpolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgggfhdc.dll" Oobjaqaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebmgcohn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ceaadk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll" Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oincig32.dll" Mcbjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pgioaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qfahhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nglfapnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aehboi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpeekh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfffnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mbpnanch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpajdp32.dll" Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhlioai.dll" Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alegac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cgcmlcja.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2196 wrote to memory of 2864 2196 172b16cf85f8360c146166276c3f2710_NEIKI.exe 28 PID 2196 wrote to memory of 2864 2196 172b16cf85f8360c146166276c3f2710_NEIKI.exe 28 PID 2196 wrote to memory of 2864 2196 172b16cf85f8360c146166276c3f2710_NEIKI.exe 28 PID 2196 wrote to memory of 2864 2196 172b16cf85f8360c146166276c3f2710_NEIKI.exe 28 PID 2864 wrote to memory of 1880 2864 Mggpgmof.exe 29 PID 2864 wrote to memory of 1880 2864 Mggpgmof.exe 29 PID 2864 wrote to memory of 1880 2864 Mggpgmof.exe 29 PID 2864 wrote to memory of 1880 2864 Mggpgmof.exe 29 PID 1880 wrote to memory of 2636 1880 Monhhk32.exe 30 PID 1880 wrote to memory of 2636 1880 Monhhk32.exe 30 PID 1880 wrote to memory of 2636 1880 Monhhk32.exe 30 PID 1880 wrote to memory of 2636 1880 Monhhk32.exe 30 PID 2636 wrote to memory of 2668 2636 Mhgmapfi.exe 31 PID 2636 wrote to memory of 2668 2636 Mhgmapfi.exe 31 PID 2636 wrote to memory of 2668 2636 Mhgmapfi.exe 31 PID 2636 wrote to memory of 2668 2636 Mhgmapfi.exe 31 PID 2668 wrote to memory of 2648 2668 Mkeimlfm.exe 32 PID 2668 wrote to memory of 2648 2668 Mkeimlfm.exe 32 PID 2668 wrote to memory of 2648 2668 Mkeimlfm.exe 32 PID 2668 wrote to memory of 2648 2668 Mkeimlfm.exe 32 PID 2648 wrote to memory of 2432 2648 Mmceigep.exe 33 PID 2648 wrote to memory of 2432 2648 Mmceigep.exe 33 PID 2648 wrote to memory of 2432 2648 Mmceigep.exe 33 PID 2648 wrote to memory of 2432 2648 Mmceigep.exe 33 PID 2432 wrote to memory of 2920 2432 Maoajf32.exe 34 PID 2432 wrote to memory of 2920 2432 Maoajf32.exe 34 PID 2432 wrote to memory of 2920 2432 Maoajf32.exe 34 PID 2432 wrote to memory of 2920 2432 Maoajf32.exe 34 PID 2920 wrote to memory of 2728 2920 Mbpnanch.exe 35 PID 2920 wrote to memory of 2728 2920 Mbpnanch.exe 35 PID 2920 wrote to memory of 2728 2920 Mbpnanch.exe 35 PID 2920 wrote to memory of 2728 2920 Mbpnanch.exe 35 PID 2728 wrote to memory of 2872 2728 Mkgfckcj.exe 36 PID 2728 wrote to memory of 2872 2728 Mkgfckcj.exe 36 PID 2728 wrote to memory of 2872 2728 Mkgfckcj.exe 36 PID 2728 wrote to memory of 2872 2728 Mkgfckcj.exe 36 PID 2872 wrote to memory of 2024 2872 Mijfnh32.exe 37 PID 2872 wrote to memory of 2024 2872 Mijfnh32.exe 37 PID 2872 wrote to memory of 2024 2872 Mijfnh32.exe 37 PID 2872 wrote to memory of 2024 2872 Mijfnh32.exe 37 PID 2024 wrote to memory of 1884 2024 Mcbjgn32.exe 38 PID 2024 wrote to memory of 1884 2024 Mcbjgn32.exe 38 PID 2024 wrote to memory of 1884 2024 Mcbjgn32.exe 38 PID 2024 wrote to memory of 1884 2024 Mcbjgn32.exe 38 PID 1884 wrote to memory of 324 1884 Mimbdhhb.exe 39 PID 1884 wrote to memory of 324 1884 Mimbdhhb.exe 39 PID 1884 wrote to memory of 324 1884 Mimbdhhb.exe 39 PID 1884 wrote to memory of 324 1884 Mimbdhhb.exe 39 PID 324 wrote to memory of 1900 324 Mlkopcge.exe 40 PID 324 wrote to memory of 1900 324 Mlkopcge.exe 40 PID 324 wrote to memory of 1900 324 Mlkopcge.exe 40 PID 324 wrote to memory of 1900 324 Mlkopcge.exe 40 PID 1900 wrote to memory of 1664 1900 Mcegmm32.exe 41 PID 1900 wrote to memory of 1664 1900 Mcegmm32.exe 41 PID 1900 wrote to memory of 1664 1900 Mcegmm32.exe 41 PID 1900 wrote to memory of 1664 1900 Mcegmm32.exe 41 PID 1664 wrote to memory of 2372 1664 Meccii32.exe 42 PID 1664 wrote to memory of 2372 1664 Meccii32.exe 42 PID 1664 wrote to memory of 2372 1664 Meccii32.exe 42 PID 1664 wrote to memory of 2372 1664 Meccii32.exe 42 PID 2372 wrote to memory of 2292 2372 Nolhan32.exe 43 PID 2372 wrote to memory of 2292 2372 Nolhan32.exe 43 PID 2372 wrote to memory of 2292 2372 Nolhan32.exe 43 PID 2372 wrote to memory of 2292 2372 Nolhan32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\172b16cf85f8360c146166276c3f2710_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\172b16cf85f8360c146166276c3f2710_NEIKI.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828 -
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1220 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1352 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1188 -
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe33⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe34⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe36⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe37⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe38⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe39⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe40⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe41⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe42⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe44⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe46⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe48⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe50⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe56⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe60⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe62⤵
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Pmanoifd.exeC:\Windows\system32\Pmanoifd.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe64⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe65⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Pfjbgnme.exeC:\Windows\system32\Pfjbgnme.exe66⤵
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe67⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe68⤵
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe69⤵
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe70⤵
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe71⤵PID:2780
-
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe72⤵PID:2100
-
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe74⤵
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe75⤵PID:2460
-
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe77⤵PID:2952
-
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe78⤵PID:1152
-
C:\Windows\SysWOW64\Qbelgood.exeC:\Windows\system32\Qbelgood.exe79⤵PID:2072
-
C:\Windows\SysWOW64\Qfahhm32.exeC:\Windows\system32\Qfahhm32.exe80⤵
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe81⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Amkpegnj.exeC:\Windows\system32\Amkpegnj.exe82⤵
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe83⤵
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe84⤵PID:2588
-
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe85⤵
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe86⤵
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Ahdaee32.exeC:\Windows\system32\Ahdaee32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:904 -
C:\Windows\SysWOW64\Aplifb32.exeC:\Windows\system32\Aplifb32.exe89⤵PID:2416
-
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe90⤵
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe91⤵PID:2856
-
C:\Windows\SysWOW64\Aehboi32.exeC:\Windows\system32\Aehboi32.exe92⤵
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe93⤵PID:2768
-
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Ajejgp32.exeC:\Windows\system32\Ajejgp32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2660 -
C:\Windows\SysWOW64\Abmbhn32.exeC:\Windows\system32\Abmbhn32.exe96⤵PID:2692
-
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe97⤵
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Ahikqd32.exeC:\Windows\system32\Ahikqd32.exe98⤵PID:1672
-
C:\Windows\SysWOW64\Alegac32.exeC:\Windows\system32\Alegac32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe100⤵PID:2736
-
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1452 -
C:\Windows\SysWOW64\Aaaoij32.exeC:\Windows\system32\Aaaoij32.exe102⤵PID:2256
-
C:\Windows\SysWOW64\Adpkee32.exeC:\Windows\system32\Adpkee32.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe105⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Bpgljfbl.exeC:\Windows\system32\Bpgljfbl.exe108⤵PID:2544
-
C:\Windows\SysWOW64\Bhndldcn.exeC:\Windows\system32\Bhndldcn.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1676 -
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe110⤵
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe111⤵PID:1288
-
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe112⤵PID:1660
-
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1296 -
C:\Windows\SysWOW64\Bbhela32.exeC:\Windows\system32\Bbhela32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1144 -
C:\Windows\SysWOW64\Bfcampgf.exeC:\Windows\system32\Bfcampgf.exe115⤵
- Modifies registry class
PID:412 -
C:\Windows\SysWOW64\Bmmiij32.exeC:\Windows\system32\Bmmiij32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:344 -
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1136 -
C:\Windows\SysWOW64\Bpleef32.exeC:\Windows\system32\Bpleef32.exe118⤵
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Bbjbaa32.exeC:\Windows\system32\Bbjbaa32.exe119⤵
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Bfenbpec.exeC:\Windows\system32\Bfenbpec.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:804 -
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe121⤵
- Modifies registry class
PID:2892
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-