Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09-05-2024 02:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c8d7159606d19ca3674fcdc9fe6e6a50_NEIKI.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
c8d7159606d19ca3674fcdc9fe6e6a50_NEIKI.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
c8d7159606d19ca3674fcdc9fe6e6a50_NEIKI.exe
-
Size
398KB
-
MD5
c8d7159606d19ca3674fcdc9fe6e6a50
-
SHA1
4548dee0c95191959af1598bdcdfee380e99907a
-
SHA256
70297848752170e8e7eda7cd15e215538eebef3aba91bc66248b2933ce8e0d73
-
SHA512
44a5d5c862d75968dd0f6d0dbf53d54c7e6f143d08d0f8c1e51ce7026ef6b78fe8075b39d165c4989c7eec31d18abbbcb0b101157553982dc0749e2a295da8e4
-
SSDEEP
12288:1JhE5u6t3XGCByvNv54B9f01ZmHByvNv5imipWf0Aq:1JhE5u6t3XGpvr4B9f01ZmQvrimipWfY
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajpelhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icmlam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppoqeja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihfjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpkofpgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnjdhmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcaomf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joplbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njlockkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dcadac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihdkao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iajcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adnopfoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofbfdmeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijeghgoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgdmmgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefpnhlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojfaijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Henidd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pamiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qfahhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Endhhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofdcjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijeghgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pqhpdhcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iqalka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cojema32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacpdbej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icmlam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohibdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpeekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpknlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aepojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eqgnokip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgknheej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbhgojk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnopfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbmmcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnippoha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjpqdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnajilng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafidiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgobhcac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adhlaggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpeofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fnpnndgp.exe -
Executes dropped EXE 64 IoCs
pid Process 2912 Ndgggf32.exe 2540 Nkaocp32.exe 2660 Nlblkhei.exe 2564 Nghphaeo.exe 2356 Nnbhek32.exe 2464 Nocemcbj.exe 868 Ngkmnacm.exe 2760 Nqcagfim.exe 2816 Nbdnoo32.exe 1744 Ofbfdmeb.exe 2216 Ohqbqhde.exe 2420 Oojknblb.exe 1060 Ofdcjm32.exe 2296 Oicpfh32.exe 2024 Okalbc32.exe 384 Oghlgdgk.exe 580 Onbddoog.exe 824 Oelmai32.exe 1976 Ocomlemo.exe 2132 Okfencna.exe 1364 Ondajnme.exe 1636 Oqcnfjli.exe 2288 Ogmfbd32.exe 2116 Ofpfnqjp.exe 876 Pccfge32.exe 3052 Pgobhcac.exe 2960 Paggai32.exe 2364 Pcfcmd32.exe 2552 Pbiciana.exe 2680 Pmnhfjmg.exe 2492 Ppmdbe32.exe 860 Pfflopdh.exe 1768 Plcdgfbo.exe 2940 Pbmmcq32.exe 352 Pigeqkai.exe 2788 Ppamme32.exe 2084 Pabjem32.exe 2692 Qhmbagfa.exe 2284 Qjknnbed.exe 696 Qaefjm32.exe 1804 Qdccfh32.exe 2236 Qjmkcbcb.exe 2428 Qagcpljo.exe 2360 Ahakmf32.exe 1812 Ajphib32.exe 2632 Aajpelhl.exe 2260 Adhlaggp.exe 1780 Affhncfc.exe 3032 Ampqjm32.exe 2672 Aalmklfi.exe 1612 Adjigg32.exe 1184 Afiecb32.exe 2604 Aigaon32.exe 1968 Apajlhka.exe 2052 Afkbib32.exe 324 Aiinen32.exe 1384 Amejeljk.exe 2512 Aoffmd32.exe 2152 Abbbnchb.exe 2000 Aepojo32.exe 2228 Aljgfioc.exe 2252 Bagpopmj.exe 2880 Bingpmnl.exe 1276 Bhahlj32.exe -
Loads dropped DLL 64 IoCs
pid Process 2384 c8d7159606d19ca3674fcdc9fe6e6a50_NEIKI.exe 2384 c8d7159606d19ca3674fcdc9fe6e6a50_NEIKI.exe 2912 Ndgggf32.exe 2912 Ndgggf32.exe 2540 Nkaocp32.exe 2540 Nkaocp32.exe 2660 Nlblkhei.exe 2660 Nlblkhei.exe 2564 Nghphaeo.exe 2564 Nghphaeo.exe 2356 Nnbhek32.exe 2356 Nnbhek32.exe 2464 Nocemcbj.exe 2464 Nocemcbj.exe 868 Ngkmnacm.exe 868 Ngkmnacm.exe 2760 Nqcagfim.exe 2760 Nqcagfim.exe 2816 Nbdnoo32.exe 2816 Nbdnoo32.exe 1744 Ofbfdmeb.exe 1744 Ofbfdmeb.exe 2216 Ohqbqhde.exe 2216 Ohqbqhde.exe 2420 Oojknblb.exe 2420 Oojknblb.exe 1060 Ofdcjm32.exe 1060 Ofdcjm32.exe 2296 Oicpfh32.exe 2296 Oicpfh32.exe 2024 Okalbc32.exe 2024 Okalbc32.exe 384 Oghlgdgk.exe 384 Oghlgdgk.exe 580 Onbddoog.exe 580 Onbddoog.exe 824 Oelmai32.exe 824 Oelmai32.exe 1976 Ocomlemo.exe 1976 Ocomlemo.exe 2132 Okfencna.exe 2132 Okfencna.exe 1364 Ondajnme.exe 1364 Ondajnme.exe 1636 Oqcnfjli.exe 1636 Oqcnfjli.exe 2288 Ogmfbd32.exe 2288 Ogmfbd32.exe 2116 Ofpfnqjp.exe 2116 Ofpfnqjp.exe 876 Pccfge32.exe 876 Pccfge32.exe 3052 Pgobhcac.exe 3052 Pgobhcac.exe 2960 Paggai32.exe 2960 Paggai32.exe 2364 Pcfcmd32.exe 2364 Pcfcmd32.exe 2552 Pbiciana.exe 2552 Pbiciana.exe 2680 Pmnhfjmg.exe 2680 Pmnhfjmg.exe 2492 Ppmdbe32.exe 2492 Ppmdbe32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dkmcgmjk.dll Onmdoioa.exe File created C:\Windows\SysWOW64\Dlgldibq.exe Dndlim32.exe File opened for modification C:\Windows\SysWOW64\Fidoim32.exe Eqijej32.exe File created C:\Windows\SysWOW64\Lhmjkaoc.exe Lijjoe32.exe File created C:\Windows\SysWOW64\Odifab32.dll Dfamcogo.exe File created C:\Windows\SysWOW64\Nncahjgl.exe Noqamn32.exe File opened for modification C:\Windows\SysWOW64\Pbiciana.exe Pcfcmd32.exe File created C:\Windows\SysWOW64\Jgnamk32.exe Jofiln32.exe File created C:\Windows\SysWOW64\Lbcoccqf.dll Oghlgdgk.exe File opened for modification C:\Windows\SysWOW64\Ijeghgoh.exe Iggkllpe.exe File created C:\Windows\SysWOW64\Qbcpbo32.exe Qpecfc32.exe File opened for modification C:\Windows\SysWOW64\Bldcpf32.exe Bifgdk32.exe File opened for modification C:\Windows\SysWOW64\Hejoiedd.exe Hckcmjep.exe File opened for modification C:\Windows\SysWOW64\Ckafbbph.exe Chbjffad.exe File created C:\Windows\SysWOW64\Dndlim32.exe Dfmdho32.exe File created C:\Windows\SysWOW64\Enakbp32.exe Dggcffhg.exe File created C:\Windows\SysWOW64\Dekpaqgc.dll Ekholjqg.exe File created C:\Windows\SysWOW64\Jfiilbkl.dll Dnoomqbg.exe File created C:\Windows\SysWOW64\Qlkdkd32.exe Qmicohqm.exe File created C:\Windows\SysWOW64\Henidd32.exe Hcplhi32.exe File created C:\Windows\SysWOW64\Ppmcfdad.dll Dgfjbgmh.exe File opened for modification C:\Windows\SysWOW64\Kblhgk32.exe Kcihlong.exe File created C:\Windows\SysWOW64\Eqdajkkb.exe Emieil32.exe File created C:\Windows\SysWOW64\Ekchhcnp.dll Ofpfnqjp.exe File created C:\Windows\SysWOW64\Kemejc32.exe Jbnhng32.exe File created C:\Windows\SysWOW64\Oicpfh32.exe Ofdcjm32.exe File created C:\Windows\SysWOW64\Gkkgcp32.dll Bpafkknm.exe File created C:\Windows\SysWOW64\Ejbfhfaj.exe Eloemi32.exe File created C:\Windows\SysWOW64\Jonpde32.dll Pjcabmga.exe File created C:\Windows\SysWOW64\Ohqbqhde.exe Ofbfdmeb.exe File created C:\Windows\SysWOW64\Pjenhm32.exe Pggbla32.exe File created C:\Windows\SysWOW64\Djefobmk.exe Dgfjbgmh.exe File created C:\Windows\SysWOW64\Gaqcoc32.exe Gobgcg32.exe File opened for modification C:\Windows\SysWOW64\Lecgje32.exe Lahkigca.exe File opened for modification C:\Windows\SysWOW64\Dfffnn32.exe Dbkknojp.exe File created C:\Windows\SysWOW64\Lpicol32.dll Cngcjo32.exe File opened for modification C:\Windows\SysWOW64\Ekhhadmk.exe Egllae32.exe File created C:\Windows\SysWOW64\Lidengnp.dll Abhimnma.exe File created C:\Windows\SysWOW64\Joplbl32.exe Jgidao32.exe File opened for modification C:\Windows\SysWOW64\Kfegbj32.exe Kpkofpgq.exe File opened for modification C:\Windows\SysWOW64\Bafidiio.exe Bmkmdk32.exe File created C:\Windows\SysWOW64\Febhomkh.dll Goddhg32.exe File opened for modification C:\Windows\SysWOW64\Nefpnhlc.exe Nolhan32.exe File opened for modification C:\Windows\SysWOW64\Npdjje32.exe Naajoinb.exe File opened for modification C:\Windows\SysWOW64\Ebmgcohn.exe Enakbp32.exe File created C:\Windows\SysWOW64\Cfgaiaci.exe Cciemedf.exe File opened for modification C:\Windows\SysWOW64\Limfed32.exe Lafndg32.exe File created C:\Windows\SysWOW64\Nadddkfi.dll Oddpfc32.exe File opened for modification C:\Windows\SysWOW64\Epieghdk.exe Elmigj32.exe File opened for modification C:\Windows\SysWOW64\Hogmmjfo.exe Hhmepp32.exe File opened for modification C:\Windows\SysWOW64\Nnennj32.exe Nocnbmoo.exe File created C:\Windows\SysWOW64\Qiejdkkn.dll Ofmbnkhg.exe File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe Hgbebiao.exe File opened for modification C:\Windows\SysWOW64\Gopkmhjk.exe Glaoalkh.exe File created C:\Windows\SysWOW64\Lihmjejl.exe Lfjqnjkh.exe File created C:\Windows\SysWOW64\Nbpiak32.dll Lojomkdn.exe File created C:\Windows\SysWOW64\Pcnbablo.exe Ppbfpd32.exe File opened for modification C:\Windows\SysWOW64\Bmpfojmp.exe Bfenbpec.exe File created C:\Windows\SysWOW64\Eiaiqn32.exe Ebgacddo.exe File opened for modification C:\Windows\SysWOW64\Jofiln32.exe Jqdipqbp.exe File opened for modification C:\Windows\SysWOW64\Namqci32.exe Nondgn32.exe File created C:\Windows\SysWOW64\Gdidec32.dll Cojema32.exe File created C:\Windows\SysWOW64\Ambcae32.dll Eloemi32.exe File opened for modification C:\Windows\SysWOW64\Pgplkb32.exe Pdaoog32.exe -
Program crash 1 IoCs
pid pid_target Process 6620 6592 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Llkbap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekpaqgc.dll" Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmicaonb.dll" Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jneohcll.dll" Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" Gdamqndn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nocemcbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljenlcfa.dll" Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Leonofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgicjg32.dll" Ecejkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkdaf32.dll" Pnjdhmdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fjilieka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmopod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpeekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhlgc32.dll" Ekelld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eqgnokip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dqhhknjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dgaqgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fckjalhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Idklfpon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglhipbb.dll" Kaceodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nghphaeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddflckmp.dll" Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfamcogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kcdnao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopgmbf.dll" Naoniipe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ogeigofa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obafnlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fonfbi32.dll" Ndgggf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjndop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnlic32.dll" Jiondcpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pqkmjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahaloofd.dll" Oqcnfjli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kokbpahm.dll" Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpjfeia.dll" Dfgmhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkeqmgm.dll" Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abbbnchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjjpi32.dll" Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egjpkffe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iacnpbdl.dll" Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oonafa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mmahdggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblqijln.dll" Namqci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chnqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajphib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjodeppm.dll" Mkclhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Affhncfc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2384 wrote to memory of 2912 2384 c8d7159606d19ca3674fcdc9fe6e6a50_NEIKI.exe 28 PID 2384 wrote to memory of 2912 2384 c8d7159606d19ca3674fcdc9fe6e6a50_NEIKI.exe 28 PID 2384 wrote to memory of 2912 2384 c8d7159606d19ca3674fcdc9fe6e6a50_NEIKI.exe 28 PID 2384 wrote to memory of 2912 2384 c8d7159606d19ca3674fcdc9fe6e6a50_NEIKI.exe 28 PID 2912 wrote to memory of 2540 2912 Ndgggf32.exe 29 PID 2912 wrote to memory of 2540 2912 Ndgggf32.exe 29 PID 2912 wrote to memory of 2540 2912 Ndgggf32.exe 29 PID 2912 wrote to memory of 2540 2912 Ndgggf32.exe 29 PID 2540 wrote to memory of 2660 2540 Nkaocp32.exe 30 PID 2540 wrote to memory of 2660 2540 Nkaocp32.exe 30 PID 2540 wrote to memory of 2660 2540 Nkaocp32.exe 30 PID 2540 wrote to memory of 2660 2540 Nkaocp32.exe 30 PID 2660 wrote to memory of 2564 2660 Nlblkhei.exe 31 PID 2660 wrote to memory of 2564 2660 Nlblkhei.exe 31 PID 2660 wrote to memory of 2564 2660 Nlblkhei.exe 31 PID 2660 wrote to memory of 2564 2660 Nlblkhei.exe 31 PID 2564 wrote to memory of 2356 2564 Nghphaeo.exe 32 PID 2564 wrote to memory of 2356 2564 Nghphaeo.exe 32 PID 2564 wrote to memory of 2356 2564 Nghphaeo.exe 32 PID 2564 wrote to memory of 2356 2564 Nghphaeo.exe 32 PID 2356 wrote to memory of 2464 2356 Nnbhek32.exe 33 PID 2356 wrote to memory of 2464 2356 Nnbhek32.exe 33 PID 2356 wrote to memory of 2464 2356 Nnbhek32.exe 33 PID 2356 wrote to memory of 2464 2356 Nnbhek32.exe 33 PID 2464 wrote to memory of 868 2464 Nocemcbj.exe 34 PID 2464 wrote to memory of 868 2464 Nocemcbj.exe 34 PID 2464 wrote to memory of 868 2464 Nocemcbj.exe 34 PID 2464 wrote to memory of 868 2464 Nocemcbj.exe 34 PID 868 wrote to memory of 2760 868 Ngkmnacm.exe 35 PID 868 wrote to memory of 2760 868 Ngkmnacm.exe 35 PID 868 wrote to memory of 2760 868 Ngkmnacm.exe 35 PID 868 wrote to memory of 2760 868 Ngkmnacm.exe 35 PID 2760 wrote to memory of 2816 2760 Nqcagfim.exe 36 PID 2760 wrote to memory of 2816 2760 Nqcagfim.exe 36 PID 2760 wrote to memory of 2816 2760 Nqcagfim.exe 36 PID 2760 wrote to memory of 2816 2760 Nqcagfim.exe 36 PID 2816 wrote to memory of 1744 2816 Nbdnoo32.exe 37 PID 2816 wrote to memory of 1744 2816 Nbdnoo32.exe 37 PID 2816 wrote to memory of 1744 2816 Nbdnoo32.exe 37 PID 2816 wrote to memory of 1744 2816 Nbdnoo32.exe 37 PID 1744 wrote to memory of 2216 1744 Ofbfdmeb.exe 38 PID 1744 wrote to memory of 2216 1744 Ofbfdmeb.exe 38 PID 1744 wrote to memory of 2216 1744 Ofbfdmeb.exe 38 PID 1744 wrote to memory of 2216 1744 Ofbfdmeb.exe 38 PID 2216 wrote to memory of 2420 2216 Ohqbqhde.exe 39 PID 2216 wrote to memory of 2420 2216 Ohqbqhde.exe 39 PID 2216 wrote to memory of 2420 2216 Ohqbqhde.exe 39 PID 2216 wrote to memory of 2420 2216 Ohqbqhde.exe 39 PID 2420 wrote to memory of 1060 2420 Oojknblb.exe 40 PID 2420 wrote to memory of 1060 2420 Oojknblb.exe 40 PID 2420 wrote to memory of 1060 2420 Oojknblb.exe 40 PID 2420 wrote to memory of 1060 2420 Oojknblb.exe 40 PID 1060 wrote to memory of 2296 1060 Ofdcjm32.exe 41 PID 1060 wrote to memory of 2296 1060 Ofdcjm32.exe 41 PID 1060 wrote to memory of 2296 1060 Ofdcjm32.exe 41 PID 1060 wrote to memory of 2296 1060 Ofdcjm32.exe 41 PID 2296 wrote to memory of 2024 2296 Oicpfh32.exe 42 PID 2296 wrote to memory of 2024 2296 Oicpfh32.exe 42 PID 2296 wrote to memory of 2024 2296 Oicpfh32.exe 42 PID 2296 wrote to memory of 2024 2296 Oicpfh32.exe 42 PID 2024 wrote to memory of 384 2024 Okalbc32.exe 43 PID 2024 wrote to memory of 384 2024 Okalbc32.exe 43 PID 2024 wrote to memory of 384 2024 Okalbc32.exe 43 PID 2024 wrote to memory of 384 2024 Okalbc32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8d7159606d19ca3674fcdc9fe6e6a50_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\c8d7159606d19ca3674fcdc9fe6e6a50_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:384 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:580 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:824 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe33⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe34⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe36⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe37⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe38⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe39⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe40⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe42⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe43⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe44⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe45⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe50⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe51⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe52⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe53⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe54⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe55⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe56⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe57⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe58⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe59⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe62⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe63⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe64⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe65⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe66⤵PID:2640
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe67⤵PID:2656
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2192 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe69⤵PID:2748
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe70⤵PID:588
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe71⤵PID:688
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe72⤵PID:2644
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe73⤵PID:1988
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe74⤵PID:300
-
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe75⤵
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe77⤵PID:1952
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe79⤵PID:892
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe81⤵PID:2652
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe82⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2560 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe84⤵PID:1984
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe85⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:744 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe87⤵PID:1592
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe88⤵PID:488
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe89⤵PID:2220
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1304 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe91⤵PID:2036
-
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe92⤵
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe93⤵PID:2212
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe94⤵PID:1956
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe95⤵PID:2732
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe96⤵PID:2860
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe97⤵PID:2624
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe98⤵PID:1272
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe99⤵PID:1392
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe100⤵PID:2480
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe101⤵PID:2664
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe102⤵PID:2396
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe103⤵PID:2752
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe104⤵PID:1084
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe105⤵PID:1380
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe106⤵
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe107⤵PID:2808
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe108⤵PID:1928
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe109⤵PID:2444
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe110⤵
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe111⤵PID:2104
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe112⤵
- Modifies registry class
PID:500 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe113⤵PID:672
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe114⤵PID:2864
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe115⤵PID:1052
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2468 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe117⤵
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe118⤵
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe119⤵
- Drops file in System32 directory
PID:1880 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe120⤵PID:956
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1948
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-