Analysis
-
max time kernel
143s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 00:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
aab34166a697c318e0bdd4d3144f0870_NEIKI.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
aab34166a697c318e0bdd4d3144f0870_NEIKI.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
aab34166a697c318e0bdd4d3144f0870_NEIKI.exe
-
Size
74KB
-
MD5
aab34166a697c318e0bdd4d3144f0870
-
SHA1
07a837f5c3989c905a4f069dbb507ec40964d62b
-
SHA256
e5950416dd1592df798c14da84e1d6499797058f3e591d55dd4e009eb3c547e9
-
SHA512
c2cf3d8662e0059ef0f61ec6de8808038bfb7b54b08b884db8cbe3ee6ae94562ab845af8180e909066a0840edf8afae08356f19e0acdf8711ab491fdf9561619
-
SSDEEP
1536:ZgzmguW7kd74zuidWIqlj3avvXpbEN3yJafI:Zg6bA3/PHpbQ/I
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pagdol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmkfhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hflcbngh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Andqdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikqqlgem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipqnahgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbbgnpgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgjjnlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbpaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Likcilhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiikak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjfcipa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkjcbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnkaalkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlpokp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knlleepl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjjocap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gilapgqb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eipinkib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eckonn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aodfajaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fchddejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edfdej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Goljqnpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcicklnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gadqlkep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lblaabdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dldpkoil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnonbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djfcaohp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijlof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdafkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifmcdblq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldjhpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npcoakfp.exe -
Executes dropped EXE 64 IoCs
pid Process 2700 Cibank32.exe 864 Clqnjf32.exe 1564 Coojfa32.exe 3936 Camfbm32.exe 2736 Chgoogfa.exe 1424 Clckpf32.exe 4224 Coagla32.exe 4864 Capchmmb.exe 5048 Digkijmd.exe 1036 Dhjkdg32.exe 1520 Dpacfd32.exe 2140 Doccaall.exe 948 Dabpnlkp.exe 3872 Denlnk32.exe 4604 Dhlhjf32.exe 5044 Dlgdkeje.exe 2116 Dofpgqji.exe 1468 Dcalgo32.exe 1532 Dephckaf.exe 3968 Djlddi32.exe 4220 Dpemacql.exe 1244 Dohmlp32.exe 3824 Dagiil32.exe 4924 Debeijoc.exe 4544 Dhqaefng.exe 2120 Dphifcoi.exe 620 Dcfebonm.exe 2200 Daifnk32.exe 4624 Djpnohej.exe 4684 Dlojkddn.exe 1288 Dpjflb32.exe 4728 Dchbhn32.exe 3516 Dakbckbe.exe 2356 Ejbkehcg.exe 660 Ehekqe32.exe 4212 Epmcab32.exe 4020 Eoocmoao.exe 4296 Eckonn32.exe 2716 Efikji32.exe 3832 Ehhgfdho.exe 1104 Ehhgfdho.exe 1680 Elccfc32.exe 1452 Ecmlcmhe.exe 2904 Eflhoigi.exe 2332 Ejgdpg32.exe 3620 Eleplc32.exe 3840 Eqalmafo.exe 3548 Eodlho32.exe 2296 Ebbidj32.exe 392 Ejjqeg32.exe 3612 Ehlaaddj.exe 4712 Elhmablc.exe 1624 Eofinnkf.exe 776 Ebeejijj.exe 3412 Efpajh32.exe 1336 Ehonfc32.exe 880 Eqfeha32.exe 4252 Ecdbdl32.exe 940 Ffbnph32.exe 2144 Fhajlc32.exe 1400 Fqhbmqqg.exe 1628 Fcgoilpj.exe 1700 Fbioei32.exe 4396 Fjqgff32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bagcnd32.dll Lphoelqn.exe File opened for modification C:\Windows\SysWOW64\Kechmoil.exe Kbekqdjh.exe File created C:\Windows\SysWOW64\Oldamm32.exe Process not Found File created C:\Windows\SysWOW64\Phbhcmjl.exe Process not Found File created C:\Windows\SysWOW64\Elbhjp32.exe Process not Found File created C:\Windows\SysWOW64\Mjdebfnd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jmknaell.exe Jedeph32.exe File created C:\Windows\SysWOW64\Kepelfam.exe Kbaipkbi.exe File created C:\Windows\SysWOW64\Bemqih32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Anbkio32.exe Ajfoiqll.exe File created C:\Windows\SysWOW64\Fdfmlhna.exe Fahaplon.exe File opened for modification C:\Windows\SysWOW64\Ifleoe32.exe Indmnh32.exe File created C:\Windows\SysWOW64\Ebadmmge.dll Ffpicn32.exe File created C:\Windows\SysWOW64\Mlmbfqoj.exe Miofjepg.exe File opened for modification C:\Windows\SysWOW64\Gigaka32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lnhmng32.exe Lkiqbl32.exe File opened for modification C:\Windows\SysWOW64\Pclneicb.exe Pqnaim32.exe File created C:\Windows\SysWOW64\Hegaehem.dll Process not Found File opened for modification C:\Windows\SysWOW64\Aafemk32.exe Process not Found File created C:\Windows\SysWOW64\Dnjfibml.dll Process not Found File created C:\Windows\SysWOW64\Mlpokp32.exe Mhdckaeo.exe File created C:\Windows\SysWOW64\Bnffda32.dll Process not Found File created C:\Windows\SysWOW64\Iaqdae32.dll Process not Found File created C:\Windows\SysWOW64\Mncilb32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kpcjgnhb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mpnnle32.exe Mhgfkg32.exe File created C:\Windows\SysWOW64\Cpglnhad.exe Cadlbk32.exe File opened for modification C:\Windows\SysWOW64\Nljofl32.exe Nepgjaeg.exe File created C:\Windows\SysWOW64\Mgaokl32.exe Process not Found File created C:\Windows\SysWOW64\Odmbaj32.exe Process not Found File created C:\Windows\SysWOW64\Pmcglkid.dll Gcpapkgp.exe File opened for modification C:\Windows\SysWOW64\Ogcpjhoq.exe Ocgdji32.exe File created C:\Windows\SysWOW64\Nghekkmn.exe Process not Found File created C:\Windows\SysWOW64\Gmhgag32.dll Process not Found File created C:\Windows\SysWOW64\Ifomll32.exe Process not Found File created C:\Windows\SysWOW64\Cpnfbohh.dll Pbpjhp32.exe File created C:\Windows\SysWOW64\Eggmge32.exe Edhakj32.exe File opened for modification C:\Windows\SysWOW64\Bheplb32.exe Process not Found File created C:\Windows\SysWOW64\Alhhhcal.exe Aeopki32.exe File opened for modification C:\Windows\SysWOW64\Dedkdcie.exe Dojcgi32.exe File opened for modification C:\Windows\SysWOW64\Lbkkgl32.exe Ljdceo32.exe File created C:\Windows\SysWOW64\Ikfghc32.dll Process not Found File created C:\Windows\SysWOW64\Oloahhki.exe Process not Found File created C:\Windows\SysWOW64\Bcghdkpf.dll Process not Found File created C:\Windows\SysWOW64\Jpcapp32.exe Process not Found File created C:\Windows\SysWOW64\Kdqejn32.exe Kpeiioac.exe File opened for modification C:\Windows\SysWOW64\Hacbhb32.exe Hjlkge32.exe File created C:\Windows\SysWOW64\Gmcfdb32.dll Dfknkg32.exe File opened for modification C:\Windows\SysWOW64\Klifnj32.exe Kijjbofj.exe File created C:\Windows\SysWOW64\Gkmdecbg.exe Process not Found File created C:\Windows\SysWOW64\Fbpchb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lmqgnhmp.exe Kgfoan32.exe File created C:\Windows\SysWOW64\Jifpbd32.dll Hoadkn32.exe File opened for modification C:\Windows\SysWOW64\Edpnfo32.exe Eabbjc32.exe File created C:\Windows\SysWOW64\Ohnebd32.exe Oepifi32.exe File created C:\Windows\SysWOW64\Ememkjeq.dll Process not Found File created C:\Windows\SysWOW64\Gikdkj32.exe Process not Found File created C:\Windows\SysWOW64\Cammjakm.exe Process not Found File created C:\Windows\SysWOW64\Nokakckp.dll Denlnk32.exe File created C:\Windows\SysWOW64\Mnepdqjg.dll Ehedfo32.exe File created C:\Windows\SysWOW64\Gfngap32.exe Gododflk.exe File created C:\Windows\SysWOW64\Jcbihpel.exe Jmhale32.exe File created C:\Windows\SysWOW64\Nhnlkfpp.exe Neppokal.exe File opened for modification C:\Windows\SysWOW64\Ijhjcchb.exe Idkbkl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 17800 17912 Process not Found 1862 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qceiaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdcmnil.dll" Lpbopfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijhjcchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhlhjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpbbch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfadkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpplna32.dll" Cmdfgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhkjmn32.dll" Dapkni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knknhqjn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahiiai32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkckeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldfjqkf.dll" Mlkepaam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijnlbk32.dll" Cahfmgoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lehaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfamlc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmaid32.dll" Ehlaaddj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll" Jdcpcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll" Jfkoeppq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dllfkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllbndih.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Difebl32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnaela32.dll" Ocgdji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnpppgdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klifnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmofee32.dll" Dmglcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpmpnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcgoilpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lldfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmkjd32.dll" Cjaifp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blafme32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhqaefng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbhoqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkcaoef.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejjqeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpjcdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogbipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgokg32.dll" Mbbagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlkepaam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobfelii.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldoaklml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnlhfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" Ddjejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmniml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkmioc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaghgm32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhjnfdhk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkodcb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhal32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmomlnjk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2948 wrote to memory of 2700 2948 aab34166a697c318e0bdd4d3144f0870_NEIKI.exe 82 PID 2948 wrote to memory of 2700 2948 aab34166a697c318e0bdd4d3144f0870_NEIKI.exe 82 PID 2948 wrote to memory of 2700 2948 aab34166a697c318e0bdd4d3144f0870_NEIKI.exe 82 PID 2700 wrote to memory of 864 2700 Cibank32.exe 83 PID 2700 wrote to memory of 864 2700 Cibank32.exe 83 PID 2700 wrote to memory of 864 2700 Cibank32.exe 83 PID 864 wrote to memory of 1564 864 Clqnjf32.exe 84 PID 864 wrote to memory of 1564 864 Clqnjf32.exe 84 PID 864 wrote to memory of 1564 864 Clqnjf32.exe 84 PID 1564 wrote to memory of 3936 1564 Coojfa32.exe 85 PID 1564 wrote to memory of 3936 1564 Coojfa32.exe 85 PID 1564 wrote to memory of 3936 1564 Coojfa32.exe 85 PID 3936 wrote to memory of 2736 3936 Camfbm32.exe 86 PID 3936 wrote to memory of 2736 3936 Camfbm32.exe 86 PID 3936 wrote to memory of 2736 3936 Camfbm32.exe 86 PID 2736 wrote to memory of 1424 2736 Chgoogfa.exe 87 PID 2736 wrote to memory of 1424 2736 Chgoogfa.exe 87 PID 2736 wrote to memory of 1424 2736 Chgoogfa.exe 87 PID 1424 wrote to memory of 4224 1424 Clckpf32.exe 88 PID 1424 wrote to memory of 4224 1424 Clckpf32.exe 88 PID 1424 wrote to memory of 4224 1424 Clckpf32.exe 88 PID 4224 wrote to memory of 4864 4224 Coagla32.exe 89 PID 4224 wrote to memory of 4864 4224 Coagla32.exe 89 PID 4224 wrote to memory of 4864 4224 Coagla32.exe 89 PID 4864 wrote to memory of 5048 4864 Capchmmb.exe 90 PID 4864 wrote to memory of 5048 4864 Capchmmb.exe 90 PID 4864 wrote to memory of 5048 4864 Capchmmb.exe 90 PID 5048 wrote to memory of 1036 5048 Digkijmd.exe 91 PID 5048 wrote to memory of 1036 5048 Digkijmd.exe 91 PID 5048 wrote to memory of 1036 5048 Digkijmd.exe 91 PID 1036 wrote to memory of 1520 1036 Dhjkdg32.exe 92 PID 1036 wrote to memory of 1520 1036 Dhjkdg32.exe 92 PID 1036 wrote to memory of 1520 1036 Dhjkdg32.exe 92 PID 1520 wrote to memory of 2140 1520 Dpacfd32.exe 93 PID 1520 wrote to memory of 2140 1520 Dpacfd32.exe 93 PID 1520 wrote to memory of 2140 1520 Dpacfd32.exe 93 PID 2140 wrote to memory of 948 2140 Doccaall.exe 94 PID 2140 wrote to memory of 948 2140 Doccaall.exe 94 PID 2140 wrote to memory of 948 2140 Doccaall.exe 94 PID 948 wrote to memory of 3872 948 Dabpnlkp.exe 95 PID 948 wrote to memory of 3872 948 Dabpnlkp.exe 95 PID 948 wrote to memory of 3872 948 Dabpnlkp.exe 95 PID 3872 wrote to memory of 4604 3872 Denlnk32.exe 96 PID 3872 wrote to memory of 4604 3872 Denlnk32.exe 96 PID 3872 wrote to memory of 4604 3872 Denlnk32.exe 96 PID 4604 wrote to memory of 5044 4604 Dhlhjf32.exe 97 PID 4604 wrote to memory of 5044 4604 Dhlhjf32.exe 97 PID 4604 wrote to memory of 5044 4604 Dhlhjf32.exe 97 PID 5044 wrote to memory of 2116 5044 Dlgdkeje.exe 98 PID 5044 wrote to memory of 2116 5044 Dlgdkeje.exe 98 PID 5044 wrote to memory of 2116 5044 Dlgdkeje.exe 98 PID 2116 wrote to memory of 1468 2116 Dofpgqji.exe 100 PID 2116 wrote to memory of 1468 2116 Dofpgqji.exe 100 PID 2116 wrote to memory of 1468 2116 Dofpgqji.exe 100 PID 1468 wrote to memory of 1532 1468 Dcalgo32.exe 101 PID 1468 wrote to memory of 1532 1468 Dcalgo32.exe 101 PID 1468 wrote to memory of 1532 1468 Dcalgo32.exe 101 PID 1532 wrote to memory of 3968 1532 Dephckaf.exe 102 PID 1532 wrote to memory of 3968 1532 Dephckaf.exe 102 PID 1532 wrote to memory of 3968 1532 Dephckaf.exe 102 PID 3968 wrote to memory of 4220 3968 Djlddi32.exe 104 PID 3968 wrote to memory of 4220 3968 Djlddi32.exe 104 PID 3968 wrote to memory of 4220 3968 Djlddi32.exe 104 PID 4220 wrote to memory of 1244 4220 Dpemacql.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\aab34166a697c318e0bdd4d3144f0870_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\aab34166a697c318e0bdd4d3144f0870_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Cibank32.exeC:\Windows\system32\Cibank32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Clqnjf32.exeC:\Windows\system32\Clqnjf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Coojfa32.exeC:\Windows\system32\Coojfa32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Chgoogfa.exeC:\Windows\system32\Chgoogfa.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Clckpf32.exeC:\Windows\system32\Clckpf32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Coagla32.exeC:\Windows\system32\Coagla32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SysWOW64\Capchmmb.exeC:\Windows\system32\Capchmmb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Dabpnlkp.exeC:\Windows\system32\Dabpnlkp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe23⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe24⤵
- Executes dropped EXE
PID:3824 -
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe25⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Dhqaefng.exeC:\Windows\system32\Dhqaefng.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:4544 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe27⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe28⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe29⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe30⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Dlojkddn.exeC:\Windows\system32\Dlojkddn.exe31⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe32⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe33⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe34⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe35⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe36⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe37⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe38⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe40⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe41⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe42⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe43⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe44⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe45⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe46⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe47⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe48⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe49⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe50⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:392 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3612 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe53⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe54⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe55⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe56⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe57⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe58⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe59⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe60⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe61⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe62⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe64⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe65⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe66⤵PID:4884
-
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe67⤵PID:4304
-
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe68⤵PID:1376
-
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe69⤵PID:3444
-
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe70⤵PID:744
-
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe71⤵PID:3044
-
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe72⤵PID:1044
-
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe73⤵PID:2504
-
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe74⤵PID:3992
-
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe75⤵PID:892
-
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe76⤵PID:3772
-
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe77⤵PID:3056
-
C:\Windows\SysWOW64\Fjhmgeao.exeC:\Windows\system32\Fjhmgeao.exe78⤵PID:4692
-
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe79⤵PID:4068
-
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe80⤵PID:4240
-
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe81⤵
- Drops file in System32 directory
PID:3104 -
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe82⤵PID:4532
-
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe83⤵PID:3584
-
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe84⤵PID:1732
-
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe85⤵PID:3588
-
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe86⤵PID:4436
-
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe87⤵PID:3068
-
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe88⤵PID:5064
-
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe89⤵PID:3876
-
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe90⤵PID:1220
-
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe91⤵PID:692
-
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe92⤵PID:3912
-
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe93⤵PID:856
-
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe94⤵PID:2448
-
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe95⤵PID:5136
-
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe96⤵PID:5180
-
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe97⤵PID:5228
-
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe98⤵PID:5272
-
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe99⤵PID:5316
-
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe100⤵PID:5360
-
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe101⤵PID:5404
-
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe102⤵PID:5444
-
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe103⤵PID:5488
-
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe104⤵PID:5536
-
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe105⤵PID:5580
-
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe106⤵PID:5616
-
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe107⤵PID:5660
-
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe108⤵PID:5712
-
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe109⤵PID:5752
-
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe110⤵PID:5796
-
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe111⤵PID:5840
-
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe112⤵PID:5880
-
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe113⤵PID:5928
-
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe114⤵PID:5972
-
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe115⤵PID:6016
-
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe116⤵PID:6060
-
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe117⤵PID:6100
-
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe118⤵PID:3724
-
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe119⤵PID:5176
-
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe120⤵PID:5236
-
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe121⤵PID:5308
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-