Analysis
-
max time kernel
142s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 00:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b02e5510e1bec6a91ffcd63802a67bf0_NEIKI.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
b02e5510e1bec6a91ffcd63802a67bf0_NEIKI.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b02e5510e1bec6a91ffcd63802a67bf0_NEIKI.exe
-
Size
551KB
-
MD5
b02e5510e1bec6a91ffcd63802a67bf0
-
SHA1
c00f0524239732290db88e7b92d1b8b69f0c0154
-
SHA256
fb14891d34b9b3e0a9ceafca3c2ec106b978985bde9232e5f99b2c53860138b0
-
SHA512
ca69f58e5c097649e7953f86f23e4169e62db8b55732e088f67d63d9cee75a5169f97f704b212849f78646587934e9311c70ce6a5656ae7bb76289772ee2f022
-
SSDEEP
6144:Tg14645CPXbo92ynnZlVrtv35CPXbo92ynn8sbeWD2/U7vXVCpZ3EJHm2k5CPXb5:Tg14pFHRFbe7chCpZ3EJHmhFHRFbeN
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meijhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fioija32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpkjkma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giieco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgbhabjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Magqncba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqjfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbopgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgagfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kebgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hodpgjha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnielm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icmegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ileiplhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnmlhchd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnace32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amqccfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meccii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajecmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laegiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pndpajgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qqeicede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aecaidjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmafennb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmfgjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nofdklgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihoafpmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghcoqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blmfea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bphbeplm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jofiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jokcgmee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjcbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkqbaecc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqgoiokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhbcfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlmic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnojdcfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icmegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kblhgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimbdhhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpcmpijk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blmfea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgidao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndpfkdmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieidmbcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Limfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecejkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgninie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qeohnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaloddnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Behgcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmgechbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgeefbhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papfegmk.exe -
Executes dropped EXE 64 IoCs
pid Process 2200 Comimg32.exe 2840 Cfinoq32.exe 2640 Dkhcmgnl.exe 2568 Dqhhknjp.exe 2816 Dgaqgh32.exe 2436 Dmafennb.exe 2380 Efncicpm.exe 2972 Eilpeooq.exe 2032 Ebgacddo.exe 2420 Fckjalhj.exe 2704 Ffkcbgek.exe 1588 Fmhheqje.exe 1144 Ffpmnf32.exe 540 Fioija32.exe 2864 Fddmgjpo.exe 564 Ghhofmql.exe 2612 Gkgkbipp.exe 276 Gaqcoc32.exe 2140 Ghkllmoi.exe 1824 Glfhll32.exe 1392 Hdfflm32.exe 1928 Hgdbhi32.exe 2384 Hnojdcfi.exe 808 Hpmgqnfl.exe 2288 Hckcmjep.exe 1952 Hnagjbdf.exe 2224 Hcnpbi32.exe 2000 Hjhhocjj.exe 3064 Hlfdkoin.exe 2584 Hodpgjha.exe 2740 Henidd32.exe 2732 Hhmepp32.exe 2556 Ieqeidnl.exe 2464 Ihoafpmp.exe 2932 Ioijbj32.exe 2976 Ifcbodli.exe 2484 Igdogl32.exe 832 Iqmcpahh.exe 2708 Ihdkao32.exe 2284 Icmlam32.exe 2020 Ikddbj32.exe 2064 Incpoe32.exe 1032 Icpigm32.exe 1788 Igkdgk32.exe 2080 Jjjacf32.exe 2528 Jmhmpb32.exe 1188 Jofiln32.exe 2152 Jfqahgpg.exe 3024 Jiondcpk.exe 1416 Jmjjea32.exe 1172 Joifam32.exe 1872 Jbgbni32.exe 2636 Jjojofgn.exe 2588 Jiakjb32.exe 1880 Jokcgmee.exe 2232 Jfekcg32.exe 2084 Jicgpb32.exe 3012 Jkbcln32.exe 344 Jnqphi32.exe 1672 Jejhecaj.exe 2488 Jgidao32.exe 2532 Joplbl32.exe 2664 Jnclnihj.exe 2404 Kkgmgmfd.exe -
Loads dropped DLL 64 IoCs
pid Process 1704 b02e5510e1bec6a91ffcd63802a67bf0_NEIKI.exe 1704 b02e5510e1bec6a91ffcd63802a67bf0_NEIKI.exe 2200 Comimg32.exe 2200 Comimg32.exe 2840 Cfinoq32.exe 2840 Cfinoq32.exe 2640 Dkhcmgnl.exe 2640 Dkhcmgnl.exe 2568 Dqhhknjp.exe 2568 Dqhhknjp.exe 2816 Dgaqgh32.exe 2816 Dgaqgh32.exe 2436 Dmafennb.exe 2436 Dmafennb.exe 2380 Efncicpm.exe 2380 Efncicpm.exe 2972 Eilpeooq.exe 2972 Eilpeooq.exe 2032 Ebgacddo.exe 2032 Ebgacddo.exe 2420 Fckjalhj.exe 2420 Fckjalhj.exe 2704 Ffkcbgek.exe 2704 Ffkcbgek.exe 1588 Fmhheqje.exe 1588 Fmhheqje.exe 1144 Ffpmnf32.exe 1144 Ffpmnf32.exe 540 Fioija32.exe 540 Fioija32.exe 2864 Fddmgjpo.exe 2864 Fddmgjpo.exe 564 Ghhofmql.exe 564 Ghhofmql.exe 2612 Gkgkbipp.exe 2612 Gkgkbipp.exe 276 Gaqcoc32.exe 276 Gaqcoc32.exe 2140 Ghkllmoi.exe 2140 Ghkllmoi.exe 1824 Glfhll32.exe 1824 Glfhll32.exe 1392 Hdfflm32.exe 1392 Hdfflm32.exe 1928 Hgdbhi32.exe 1928 Hgdbhi32.exe 2384 Hnojdcfi.exe 2384 Hnojdcfi.exe 808 Hpmgqnfl.exe 808 Hpmgqnfl.exe 2288 Hckcmjep.exe 2288 Hckcmjep.exe 1952 Hnagjbdf.exe 1952 Hnagjbdf.exe 2224 Hcnpbi32.exe 2224 Hcnpbi32.exe 2000 Hjhhocjj.exe 2000 Hjhhocjj.exe 3064 Hlfdkoin.exe 3064 Hlfdkoin.exe 2584 Hodpgjha.exe 2584 Hodpgjha.exe 2740 Henidd32.exe 2740 Henidd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lnmfog32.dll Mmahdggc.exe File created C:\Windows\SysWOW64\Jdmqokqf.dll Pikkiijf.exe File created C:\Windows\SysWOW64\Jfknbe32.exe Jcmafj32.exe File created C:\Windows\SysWOW64\Poceplpj.dll Lcfqkl32.exe File created C:\Windows\SysWOW64\Enakbp32.exe Dhdcji32.exe File opened for modification C:\Windows\SysWOW64\Fenmdm32.exe Fbopgb32.exe File opened for modification C:\Windows\SysWOW64\Lndohedg.exe Ljibgg32.exe File created C:\Windows\SysWOW64\Docdkd32.dll Nhllob32.exe File created C:\Windows\SysWOW64\Icmlam32.exe Ihdkao32.exe File created C:\Windows\SysWOW64\Clialdph.dll Enakbp32.exe File created C:\Windows\SysWOW64\Abofbl32.dll Fidoim32.exe File created C:\Windows\SysWOW64\Ioolqh32.exe Ipllekdl.exe File created C:\Windows\SysWOW64\Jmbiipml.exe Jnpinc32.exe File created C:\Windows\SysWOW64\Lpbefoai.exe Lemaif32.exe File created C:\Windows\SysWOW64\Apmmjh32.dll Biamilfj.exe File created C:\Windows\SysWOW64\Bblogakg.exe Boqbfb32.exe File opened for modification C:\Windows\SysWOW64\Mmahdggc.exe Mkclhl32.exe File created C:\Windows\SysWOW64\Migbnb32.exe Mponel32.exe File opened for modification C:\Windows\SysWOW64\Bobhal32.exe Bejdiffp.exe File opened for modification C:\Windows\SysWOW64\Meccii32.exe Mcegmm32.exe File opened for modification C:\Windows\SysWOW64\Adnopfoj.exe Aaobdjof.exe File created C:\Windows\SysWOW64\Pplhdp32.dll Kocbkk32.exe File opened for modification C:\Windows\SysWOW64\Mhjbjopf.exe Migbnb32.exe File created C:\Windows\SysWOW64\Nigome32.exe Ngibaj32.exe File created C:\Windows\SysWOW64\Elaieh32.dll Nhohda32.exe File created C:\Windows\SysWOW64\Jfjoqjhi.dll Lafndg32.exe File created C:\Windows\SysWOW64\Ioijbj32.exe Ihoafpmp.exe File created C:\Windows\SysWOW64\Jiakjb32.exe Jjojofgn.exe File created C:\Windows\SysWOW64\Dmpknpme.dll Jgidao32.exe File created C:\Windows\SysWOW64\Apimacnn.exe Amkpegnj.exe File created C:\Windows\SysWOW64\Egjpkffe.exe Egjpkffe.exe File opened for modification C:\Windows\SysWOW64\Ginnnooi.exe Gfobbc32.exe File created C:\Windows\SysWOW64\Cahqdihi.dll Aemkjiem.exe File created C:\Windows\SysWOW64\Hiknhbcg.exe Hkhnle32.exe File created C:\Windows\SysWOW64\Pcibkm32.exe Pqjfoa32.exe File opened for modification C:\Windows\SysWOW64\Fmpkjkma.exe Fidoim32.exe File created C:\Windows\SysWOW64\Cgmgbeon.dll Moidahcn.exe File opened for modification C:\Windows\SysWOW64\Ngibaj32.exe Ndjfeo32.exe File created C:\Windows\SysWOW64\Nenobfak.exe Ncpcfkbg.exe File created C:\Windows\SysWOW64\Kjljhjkl.exe Kkijmm32.exe File opened for modification C:\Windows\SysWOW64\Hkfagfop.exe Hmbpmapf.exe File created C:\Windows\SysWOW64\Ngibaj32.exe Ndjfeo32.exe File created C:\Windows\SysWOW64\Ocljjp32.dll Lpphap32.exe File created C:\Windows\SysWOW64\Bjjppa32.dll Fbopgb32.exe File created C:\Windows\SysWOW64\Mkmhaj32.exe Maedhd32.exe File created C:\Windows\SysWOW64\Fpmkde32.dll Ghhofmql.exe File created C:\Windows\SysWOW64\Akodpalp.dll Kjnfniii.exe File created C:\Windows\SysWOW64\Jddnncch.dll Meccii32.exe File created C:\Windows\SysWOW64\Pgioaa32.exe Ppbfpd32.exe File opened for modification C:\Windows\SysWOW64\Lghjel32.exe Knpemf32.exe File created C:\Windows\SysWOW64\Blaopqpo.exe Behgcf32.exe File created C:\Windows\SysWOW64\Maoajf32.exe Mgimmm32.exe File opened for modification C:\Windows\SysWOW64\Kgcpjmcb.exe Keednado.exe File created C:\Windows\SysWOW64\Nolhan32.exe Mhbped32.exe File created C:\Windows\SysWOW64\Oonafa32.exe Onmdoioa.exe File opened for modification C:\Windows\SysWOW64\Bghjhp32.exe Bblogakg.exe File created C:\Windows\SysWOW64\Bahbme32.dll Joifam32.exe File created C:\Windows\SysWOW64\Fehofegb.dll Anlmmp32.exe File created C:\Windows\SysWOW64\Piekcd32.exe Pjbjhgde.exe File created C:\Windows\SysWOW64\Ieqeidnl.exe Hhmepp32.exe File created C:\Windows\SysWOW64\Coelaaoi.exe Ckjpacfp.exe File created C:\Windows\SysWOW64\Mfkbpc32.dll Oaiibg32.exe File opened for modification C:\Windows\SysWOW64\Fekpnn32.exe Fcjcfe32.exe File created C:\Windows\SysWOW64\Jgojpjem.exe Jdpndnei.exe -
Program crash 1 IoCs
pid pid_target Process 6460 6436 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjnfniii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkncmmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biamilfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfmhhoj.dll" Idnaoohk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgc32.dll" Lmgocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghohc32.dll" Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkgbbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Magqncba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenhpdh.dll" Pqjfoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fddmgjpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkhpkoen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fekpnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oomjlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pihgic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qimhoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keefji32.dll" Bmpfojmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnilecc.dll" Okdkal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimpgolj.dll" Pnajilng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lghjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgimmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijfoo32.dll" Pnomcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kckmmp32.dll" Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnpinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mponel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll" Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajpjakhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpcqaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inkccpgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knpemf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amqccfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknqdmpf.dll" Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Docdkd32.dll" Nhllob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlbeqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keoapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndemjoae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qeaedd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djhphncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckjpacfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmdadnkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfdghbq.dll" Lndohedg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkkmqnck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcefke32.dll" Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Behnnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onbgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngdfge32.dll" Ioolqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdnhdpo.dll" Ljibgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elonamqm.dll" Mmldme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nofdklgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miikgeea.dll" Nhkbkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lccdel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balkchpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgegdo32.dll" Hkfagfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maiooo32.dll" Febfomdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fehofegb.dll" Anlmmp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1704 wrote to memory of 2200 1704 b02e5510e1bec6a91ffcd63802a67bf0_NEIKI.exe 28 PID 1704 wrote to memory of 2200 1704 b02e5510e1bec6a91ffcd63802a67bf0_NEIKI.exe 28 PID 1704 wrote to memory of 2200 1704 b02e5510e1bec6a91ffcd63802a67bf0_NEIKI.exe 28 PID 1704 wrote to memory of 2200 1704 b02e5510e1bec6a91ffcd63802a67bf0_NEIKI.exe 28 PID 2200 wrote to memory of 2840 2200 Comimg32.exe 29 PID 2200 wrote to memory of 2840 2200 Comimg32.exe 29 PID 2200 wrote to memory of 2840 2200 Comimg32.exe 29 PID 2200 wrote to memory of 2840 2200 Comimg32.exe 29 PID 2840 wrote to memory of 2640 2840 Cfinoq32.exe 30 PID 2840 wrote to memory of 2640 2840 Cfinoq32.exe 30 PID 2840 wrote to memory of 2640 2840 Cfinoq32.exe 30 PID 2840 wrote to memory of 2640 2840 Cfinoq32.exe 30 PID 2640 wrote to memory of 2568 2640 Dkhcmgnl.exe 31 PID 2640 wrote to memory of 2568 2640 Dkhcmgnl.exe 31 PID 2640 wrote to memory of 2568 2640 Dkhcmgnl.exe 31 PID 2640 wrote to memory of 2568 2640 Dkhcmgnl.exe 31 PID 2568 wrote to memory of 2816 2568 Dqhhknjp.exe 32 PID 2568 wrote to memory of 2816 2568 Dqhhknjp.exe 32 PID 2568 wrote to memory of 2816 2568 Dqhhknjp.exe 32 PID 2568 wrote to memory of 2816 2568 Dqhhknjp.exe 32 PID 2816 wrote to memory of 2436 2816 Dgaqgh32.exe 33 PID 2816 wrote to memory of 2436 2816 Dgaqgh32.exe 33 PID 2816 wrote to memory of 2436 2816 Dgaqgh32.exe 33 PID 2816 wrote to memory of 2436 2816 Dgaqgh32.exe 33 PID 2436 wrote to memory of 2380 2436 Dmafennb.exe 34 PID 2436 wrote to memory of 2380 2436 Dmafennb.exe 34 PID 2436 wrote to memory of 2380 2436 Dmafennb.exe 34 PID 2436 wrote to memory of 2380 2436 Dmafennb.exe 34 PID 2380 wrote to memory of 2972 2380 Efncicpm.exe 35 PID 2380 wrote to memory of 2972 2380 Efncicpm.exe 35 PID 2380 wrote to memory of 2972 2380 Efncicpm.exe 35 PID 2380 wrote to memory of 2972 2380 Efncicpm.exe 35 PID 2972 wrote to memory of 2032 2972 Eilpeooq.exe 36 PID 2972 wrote to memory of 2032 2972 Eilpeooq.exe 36 PID 2972 wrote to memory of 2032 2972 Eilpeooq.exe 36 PID 2972 wrote to memory of 2032 2972 Eilpeooq.exe 36 PID 2032 wrote to memory of 2420 2032 Ebgacddo.exe 37 PID 2032 wrote to memory of 2420 2032 Ebgacddo.exe 37 PID 2032 wrote to memory of 2420 2032 Ebgacddo.exe 37 PID 2032 wrote to memory of 2420 2032 Ebgacddo.exe 37 PID 2420 wrote to memory of 2704 2420 Fckjalhj.exe 38 PID 2420 wrote to memory of 2704 2420 Fckjalhj.exe 38 PID 2420 wrote to memory of 2704 2420 Fckjalhj.exe 38 PID 2420 wrote to memory of 2704 2420 Fckjalhj.exe 38 PID 2704 wrote to memory of 1588 2704 Ffkcbgek.exe 39 PID 2704 wrote to memory of 1588 2704 Ffkcbgek.exe 39 PID 2704 wrote to memory of 1588 2704 Ffkcbgek.exe 39 PID 2704 wrote to memory of 1588 2704 Ffkcbgek.exe 39 PID 1588 wrote to memory of 1144 1588 Fmhheqje.exe 40 PID 1588 wrote to memory of 1144 1588 Fmhheqje.exe 40 PID 1588 wrote to memory of 1144 1588 Fmhheqje.exe 40 PID 1588 wrote to memory of 1144 1588 Fmhheqje.exe 40 PID 1144 wrote to memory of 540 1144 Ffpmnf32.exe 41 PID 1144 wrote to memory of 540 1144 Ffpmnf32.exe 41 PID 1144 wrote to memory of 540 1144 Ffpmnf32.exe 41 PID 1144 wrote to memory of 540 1144 Ffpmnf32.exe 41 PID 540 wrote to memory of 2864 540 Fioija32.exe 42 PID 540 wrote to memory of 2864 540 Fioija32.exe 42 PID 540 wrote to memory of 2864 540 Fioija32.exe 42 PID 540 wrote to memory of 2864 540 Fioija32.exe 42 PID 2864 wrote to memory of 564 2864 Fddmgjpo.exe 43 PID 2864 wrote to memory of 564 2864 Fddmgjpo.exe 43 PID 2864 wrote to memory of 564 2864 Fddmgjpo.exe 43 PID 2864 wrote to memory of 564 2864 Fddmgjpo.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b02e5510e1bec6a91ffcd63802a67bf0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\b02e5510e1bec6a91ffcd63802a67bf0_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1392 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:808 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe34⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe36⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe38⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe41⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe42⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe43⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe44⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe45⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe46⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe47⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe49⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe50⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe51⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe53⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe55⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe57⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe58⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe59⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe60⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe61⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe63⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe64⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe65⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe66⤵PID:1696
-
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe67⤵
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe68⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe69⤵PID:1996
-
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe70⤵PID:2056
-
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe71⤵PID:3000
-
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe73⤵PID:1960
-
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe74⤵PID:1964
-
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2560 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe76⤵PID:2720
-
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe77⤵PID:1728
-
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe78⤵PID:2444
-
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe79⤵PID:1092
-
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe81⤵PID:696
-
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe82⤵PID:488
-
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe83⤵
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe84⤵PID:2416
-
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe85⤵PID:2880
-
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe86⤵
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe87⤵PID:1012
-
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe88⤵
- Drops file in System32 directory
PID:284 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe89⤵PID:1636
-
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe91⤵PID:2492
-
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe92⤵
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe93⤵PID:1096
-
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe94⤵PID:612
-
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:784 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe96⤵PID:896
-
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe97⤵
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe98⤵PID:1940
-
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe99⤵PID:1876
-
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe100⤵
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe101⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe102⤵PID:1732
-
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe103⤵PID:1264
-
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe104⤵PID:308
-
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe106⤵PID:2984
-
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe107⤵PID:2956
-
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1460 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe109⤵PID:452
-
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe110⤵PID:2304
-
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe111⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe113⤵
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe114⤵PID:2360
-
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe115⤵PID:2204
-
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe116⤵PID:1176
-
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe117⤵PID:1332
-
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe118⤵PID:2928
-
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe119⤵PID:2676
-
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe120⤵PID:1076
-
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe121⤵PID:1104
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-