Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 02:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d52784a933c585fa9f0414aed0967490_NEIKI.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
d52784a933c585fa9f0414aed0967490_NEIKI.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
d52784a933c585fa9f0414aed0967490_NEIKI.exe
-
Size
479KB
-
MD5
d52784a933c585fa9f0414aed0967490
-
SHA1
2e78471fc4ec53650bd65a2470eb13ad1b6d75df
-
SHA256
ff4ae9efda06f2f934f52bec32ba2f4a83275358ab768b5c97dc25f8f0810f29
-
SHA512
2b14312933b58e616fd9214326ce3839c2d265f2e9989097858f218d5112ce35b6aec9d6da37d6fb97b13a6cde44c7a088fd595d5f8890dfaeb7daf1766bc0bb
-
SSDEEP
6144:03ljypWM+sycRJ6EQnT2leTLgNPx33fpu2leTLg:0VjyGuRJ6EQ6Q2drQ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmhmpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjenhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaiiff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbdnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njkfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cljcelan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkece32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmmiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blgpef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkiogn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndbcpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceaadk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkqbaecc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjfccn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbpjiphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhooggdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckdanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjcbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmocpado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnfhlin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plahag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkpna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiinen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Papfegmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjlqhoba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjjddchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfekcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooeggp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpolmdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogmfbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alenki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Henidd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbhke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhigphio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddgjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbfdjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcgfbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Penfelgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbhnhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqpgol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjaonpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpbefoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmfbogcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocnfbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egoife32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddeaalpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfhll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obojhlbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emeopn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbgmbg32.exe -
Executes dropped EXE 64 IoCs
pid Process 2636 Ifmlpigj.exe 2624 Jbdlejmn.exe 1952 Jklanp32.exe 2600 Jjoailji.exe 2424 Jbfijjkl.exe 2860 Jaiiff32.exe 2008 Jcgfbb32.exe 2672 Jmdcfg32.exe 1564 Kcolba32.exe 1852 Kfmhol32.exe 1568 Kjhdokbo.exe 2344 Kebepion.exe 1684 Kphimanc.exe 3024 Kbfeimng.exe 2788 Lmdpejfq.exe 2392 Lhjdbcef.exe 780 Lkhpnnej.exe 3000 Lpeifeca.exe 1924 Lgoacojo.exe 1264 Lpgele32.exe 2812 Lbfahp32.exe 1360 Lganiohl.exe 984 Lefkjkmc.exe 884 Meigpkka.exe 2916 Mpolmdkg.exe 2984 Maphdl32.exe 2528 Migpeiag.exe 2608 Mlelaeqk.exe 2148 Mcodno32.exe 1036 Menakj32.exe 2412 Mhlmgf32.exe 2132 Mhnjle32.exe 2544 Mohbip32.exe 2300 Mpjoqhah.exe 1968 Mhqfbebj.exe 2088 Nnnojlpa.exe 2024 Njdpomfe.exe 2400 Nnplpl32.exe 2112 Npnhlg32.exe 2256 Njgldmdc.exe 2884 Nleiqhcg.exe 3012 Nfmmin32.exe 1896 Njiijlbp.exe 888 Nqcagfim.exe 2128 Nofabc32.exe 1448 Nbdnoo32.exe 1912 Njkfpl32.exe 1520 Nmjblg32.exe 2924 Nohnhc32.exe 2468 Nbfjdn32.exe 1844 Odegpj32.exe 2648 Omloag32.exe 2108 Obigjnkf.exe 2036 Ofdcjm32.exe 1956 Oomhcbjp.exe 796 Oqndkj32.exe 2084 Oghlgdgk.exe 2604 Okchhc32.exe 2252 Onbddoog.exe 2480 Obnqem32.exe 1504 Oelmai32.exe 2864 Ocomlemo.exe 1292 Okfencna.exe 1868 Ojieip32.exe -
Loads dropped DLL 64 IoCs
pid Process 3064 d52784a933c585fa9f0414aed0967490_NEIKI.exe 3064 d52784a933c585fa9f0414aed0967490_NEIKI.exe 2636 Ifmlpigj.exe 2636 Ifmlpigj.exe 2624 Jbdlejmn.exe 2624 Jbdlejmn.exe 1952 Jklanp32.exe 1952 Jklanp32.exe 2600 Jjoailji.exe 2600 Jjoailji.exe 2424 Jbfijjkl.exe 2424 Jbfijjkl.exe 2860 Jaiiff32.exe 2860 Jaiiff32.exe 2008 Jcgfbb32.exe 2008 Jcgfbb32.exe 2672 Jmdcfg32.exe 2672 Jmdcfg32.exe 1564 Kcolba32.exe 1564 Kcolba32.exe 1852 Kfmhol32.exe 1852 Kfmhol32.exe 1568 Kjhdokbo.exe 1568 Kjhdokbo.exe 2344 Kebepion.exe 2344 Kebepion.exe 1684 Kphimanc.exe 1684 Kphimanc.exe 3024 Kbfeimng.exe 3024 Kbfeimng.exe 2788 Lmdpejfq.exe 2788 Lmdpejfq.exe 2392 Lhjdbcef.exe 2392 Lhjdbcef.exe 780 Lkhpnnej.exe 780 Lkhpnnej.exe 3000 Lpeifeca.exe 3000 Lpeifeca.exe 1924 Lgoacojo.exe 1924 Lgoacojo.exe 1264 Lpgele32.exe 1264 Lpgele32.exe 2812 Lbfahp32.exe 2812 Lbfahp32.exe 1360 Lganiohl.exe 1360 Lganiohl.exe 984 Lefkjkmc.exe 984 Lefkjkmc.exe 884 Meigpkka.exe 884 Meigpkka.exe 2916 Mpolmdkg.exe 2916 Mpolmdkg.exe 2984 Maphdl32.exe 2984 Maphdl32.exe 2528 Migpeiag.exe 2528 Migpeiag.exe 2608 Mlelaeqk.exe 2608 Mlelaeqk.exe 2148 Mcodno32.exe 2148 Mcodno32.exe 1036 Menakj32.exe 1036 Menakj32.exe 2412 Mhlmgf32.exe 2412 Mhlmgf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eojnkg32.exe Eojnkg32.exe File created C:\Windows\SysWOW64\Dcadac32.exe Dcadac32.exe File opened for modification C:\Windows\SysWOW64\Hlfdkoin.exe Hjhhocjj.exe File created C:\Windows\SysWOW64\Bebpkk32.dll Cpnojioo.exe File opened for modification C:\Windows\SysWOW64\Bblogakg.exe Boqbfb32.exe File created C:\Windows\SysWOW64\Dcfdgiid.exe Ddcdkl32.exe File created C:\Windows\SysWOW64\Adnopfoj.exe Aekodi32.exe File opened for modification C:\Windows\SysWOW64\Mgljbm32.exe Mbpnanch.exe File created C:\Windows\SysWOW64\Nnennj32.exe Nocnbmoo.exe File created C:\Windows\SysWOW64\Pjcabmga.exe Pkpagq32.exe File opened for modification C:\Windows\SysWOW64\Blmdlhmp.exe Bingpmnl.exe File created C:\Windows\SysWOW64\Kjljhjkl.exe Kgnnln32.exe File created C:\Windows\SysWOW64\Ooeggp32.exe Omfkke32.exe File created C:\Windows\SysWOW64\Lhbjkfod.dll Pminkk32.exe File created C:\Windows\SysWOW64\Hlhaqogk.exe Hhmepp32.exe File opened for modification C:\Windows\SysWOW64\Jfekcg32.exe Jbjochdi.exe File opened for modification C:\Windows\SysWOW64\Kneicieh.exe Kgkafo32.exe File created C:\Windows\SysWOW64\Chhjkl32.exe Cdlnkmha.exe File created C:\Windows\SysWOW64\Gpmcnehn.dll Idmhkpml.exe File created C:\Windows\SysWOW64\Ofmbnkhg.exe Obafnlpn.exe File opened for modification C:\Windows\SysWOW64\Obcccl32.exe Ooeggp32.exe File created C:\Windows\SysWOW64\Aafminbq.dll Bpnbkeld.exe File opened for modification C:\Windows\SysWOW64\Ogmfbd32.exe Ocajbekl.exe File opened for modification C:\Windows\SysWOW64\Gogangdc.exe Gkkemh32.exe File opened for modification C:\Windows\SysWOW64\Onmdoioa.exe Ojahnj32.exe File created C:\Windows\SysWOW64\Qcjfoqkg.dll Anojbobe.exe File opened for modification C:\Windows\SysWOW64\Aaaoij32.exe Adnopfoj.exe File created C:\Windows\SysWOW64\Giaekk32.dll Bmmiij32.exe File created C:\Windows\SysWOW64\Bbokmqie.exe Bocolb32.exe File created C:\Windows\SysWOW64\Dfamcogo.exe Dccagcgk.exe File created C:\Windows\SysWOW64\Bogjdl32.dll Jjoailji.exe File created C:\Windows\SysWOW64\Lollckbk.exe Lkppbl32.exe File created C:\Windows\SysWOW64\Cqljpedj.dll Kgkafo32.exe File created C:\Windows\SysWOW64\Okhklfnh.dll Lkppbl32.exe File opened for modification C:\Windows\SysWOW64\Mkeimlfm.exe Mgimmm32.exe File opened for modification C:\Windows\SysWOW64\Mdpjlajk.exe Mlibjc32.exe File created C:\Windows\SysWOW64\Ojieip32.exe Okfencna.exe File created C:\Windows\SysWOW64\Pbiciana.exe Ppjglfon.exe File created C:\Windows\SysWOW64\Gieojq32.exe Gbkgnfbd.exe File created C:\Windows\SysWOW64\Jepgqikf.dll Iokfhi32.exe File created C:\Windows\SysWOW64\Mnghjbjl.dll Cclkfdnc.exe File created C:\Windows\SysWOW64\Bdjefj32.exe Begeknan.exe File opened for modification C:\Windows\SysWOW64\Coklgg32.exe Cphlljge.exe File opened for modification C:\Windows\SysWOW64\Chhjkl32.exe Cdlnkmha.exe File opened for modification C:\Windows\SysWOW64\Bpnbkeld.exe Bmpfojmp.exe File created C:\Windows\SysWOW64\Gbolehjh.dll Ebedndfa.exe File opened for modification C:\Windows\SysWOW64\Hggomh32.exe Hdhbam32.exe File created C:\Windows\SysWOW64\Meccii32.exe Mcegmm32.exe File opened for modification C:\Windows\SysWOW64\Pgplkb32.exe Pimkpfeh.exe File created C:\Windows\SysWOW64\Cnaocmmi.exe Cjfccn32.exe File created C:\Windows\SysWOW64\Dndlim32.exe Djhphncm.exe File created C:\Windows\SysWOW64\Apajlhka.exe Alenki32.exe File opened for modification C:\Windows\SysWOW64\Cbnbobin.exe Cckace32.exe File created C:\Windows\SysWOW64\Hkkmeglp.dll Hkpnhgge.exe File created C:\Windows\SysWOW64\Enbfpg32.dll Pogclp32.exe File created C:\Windows\SysWOW64\Bblogakg.exe Boqbfb32.exe File created C:\Windows\SysWOW64\Mcfidhng.dll Dcadac32.exe File opened for modification C:\Windows\SysWOW64\Pbiciana.exe Ppjglfon.exe File created C:\Windows\SysWOW64\Lkojpojq.dll Ebbgid32.exe File created C:\Windows\SysWOW64\Mbpnanch.exe Mbpnanch.exe File opened for modification C:\Windows\SysWOW64\Chnqkg32.exe Cdbdjhmp.exe File opened for modification C:\Windows\SysWOW64\Cppkph32.exe Cnaocmmi.exe File created C:\Windows\SysWOW64\Ckffgg32.exe Chhjkl32.exe File created C:\Windows\SysWOW64\Emhlfmgj.exe Eeqdep32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7264 7808 WerFault.exe 774 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfedefbi.dll" Dgdmmgpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfekcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cddfocpb.dll" Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfgdhjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadddkfi.dll" Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhnfd32.dll" Qfokbnip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdooajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjlnif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkaflan.dll" Dfoqmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahchbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bokphdld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpmlkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lliflp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mggpgmof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gelppaof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcdbbloa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abqjpn32.dll" Jokcgmee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbjochdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnlilc32.dll" Lbqabkql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aekodi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebmgcohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plfamfpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhjgal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jokcgmee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpdbloof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnpnndgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pikkiijf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcehqcli.dll" Lpeifeca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plfamfpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibcni32.dll" Qhooggdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igihbknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmaled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngogde32.dll" Nlphkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epaogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjdijm32.dll" Jicgpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbjhf32.dll" Llkbap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coelaaoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpfcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll" Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbgbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebpkk32.dll" Cpnojioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlelaeqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiondcpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ampqjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cndbcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fphafl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepgqikf.dll" Iokfhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klidkobf.dll" Dkmmhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jifdebic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoacn32.dll" Mlibjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhlh32.dll" Ckafbbph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnlic32.dll" Jiondcpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kahojc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dknekeef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bblogakg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3064 wrote to memory of 2636 3064 d52784a933c585fa9f0414aed0967490_NEIKI.exe 28 PID 3064 wrote to memory of 2636 3064 d52784a933c585fa9f0414aed0967490_NEIKI.exe 28 PID 3064 wrote to memory of 2636 3064 d52784a933c585fa9f0414aed0967490_NEIKI.exe 28 PID 3064 wrote to memory of 2636 3064 d52784a933c585fa9f0414aed0967490_NEIKI.exe 28 PID 2636 wrote to memory of 2624 2636 Ifmlpigj.exe 29 PID 2636 wrote to memory of 2624 2636 Ifmlpigj.exe 29 PID 2636 wrote to memory of 2624 2636 Ifmlpigj.exe 29 PID 2636 wrote to memory of 2624 2636 Ifmlpigj.exe 29 PID 2624 wrote to memory of 1952 2624 Jbdlejmn.exe 30 PID 2624 wrote to memory of 1952 2624 Jbdlejmn.exe 30 PID 2624 wrote to memory of 1952 2624 Jbdlejmn.exe 30 PID 2624 wrote to memory of 1952 2624 Jbdlejmn.exe 30 PID 1952 wrote to memory of 2600 1952 Jklanp32.exe 31 PID 1952 wrote to memory of 2600 1952 Jklanp32.exe 31 PID 1952 wrote to memory of 2600 1952 Jklanp32.exe 31 PID 1952 wrote to memory of 2600 1952 Jklanp32.exe 31 PID 2600 wrote to memory of 2424 2600 Jjoailji.exe 32 PID 2600 wrote to memory of 2424 2600 Jjoailji.exe 32 PID 2600 wrote to memory of 2424 2600 Jjoailji.exe 32 PID 2600 wrote to memory of 2424 2600 Jjoailji.exe 32 PID 2424 wrote to memory of 2860 2424 Jbfijjkl.exe 33 PID 2424 wrote to memory of 2860 2424 Jbfijjkl.exe 33 PID 2424 wrote to memory of 2860 2424 Jbfijjkl.exe 33 PID 2424 wrote to memory of 2860 2424 Jbfijjkl.exe 33 PID 2860 wrote to memory of 2008 2860 Jaiiff32.exe 34 PID 2860 wrote to memory of 2008 2860 Jaiiff32.exe 34 PID 2860 wrote to memory of 2008 2860 Jaiiff32.exe 34 PID 2860 wrote to memory of 2008 2860 Jaiiff32.exe 34 PID 2008 wrote to memory of 2672 2008 Jcgfbb32.exe 35 PID 2008 wrote to memory of 2672 2008 Jcgfbb32.exe 35 PID 2008 wrote to memory of 2672 2008 Jcgfbb32.exe 35 PID 2008 wrote to memory of 2672 2008 Jcgfbb32.exe 35 PID 2672 wrote to memory of 1564 2672 Jmdcfg32.exe 36 PID 2672 wrote to memory of 1564 2672 Jmdcfg32.exe 36 PID 2672 wrote to memory of 1564 2672 Jmdcfg32.exe 36 PID 2672 wrote to memory of 1564 2672 Jmdcfg32.exe 36 PID 1564 wrote to memory of 1852 1564 Kcolba32.exe 37 PID 1564 wrote to memory of 1852 1564 Kcolba32.exe 37 PID 1564 wrote to memory of 1852 1564 Kcolba32.exe 37 PID 1564 wrote to memory of 1852 1564 Kcolba32.exe 37 PID 1852 wrote to memory of 1568 1852 Kfmhol32.exe 38 PID 1852 wrote to memory of 1568 1852 Kfmhol32.exe 38 PID 1852 wrote to memory of 1568 1852 Kfmhol32.exe 38 PID 1852 wrote to memory of 1568 1852 Kfmhol32.exe 38 PID 1568 wrote to memory of 2344 1568 Kjhdokbo.exe 39 PID 1568 wrote to memory of 2344 1568 Kjhdokbo.exe 39 PID 1568 wrote to memory of 2344 1568 Kjhdokbo.exe 39 PID 1568 wrote to memory of 2344 1568 Kjhdokbo.exe 39 PID 2344 wrote to memory of 1684 2344 Kebepion.exe 40 PID 2344 wrote to memory of 1684 2344 Kebepion.exe 40 PID 2344 wrote to memory of 1684 2344 Kebepion.exe 40 PID 2344 wrote to memory of 1684 2344 Kebepion.exe 40 PID 1684 wrote to memory of 3024 1684 Kphimanc.exe 41 PID 1684 wrote to memory of 3024 1684 Kphimanc.exe 41 PID 1684 wrote to memory of 3024 1684 Kphimanc.exe 41 PID 1684 wrote to memory of 3024 1684 Kphimanc.exe 41 PID 3024 wrote to memory of 2788 3024 Kbfeimng.exe 42 PID 3024 wrote to memory of 2788 3024 Kbfeimng.exe 42 PID 3024 wrote to memory of 2788 3024 Kbfeimng.exe 42 PID 3024 wrote to memory of 2788 3024 Kbfeimng.exe 42 PID 2788 wrote to memory of 2392 2788 Lmdpejfq.exe 43 PID 2788 wrote to memory of 2392 2788 Lmdpejfq.exe 43 PID 2788 wrote to memory of 2392 2788 Lmdpejfq.exe 43 PID 2788 wrote to memory of 2392 2788 Lmdpejfq.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\d52784a933c585fa9f0414aed0967490_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\d52784a933c585fa9f0414aed0967490_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Ifmlpigj.exeC:\Windows\system32\Ifmlpigj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1360 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe33⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe34⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe35⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe36⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe37⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe38⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe39⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe40⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe41⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe42⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe43⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe44⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe45⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe46⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe49⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe50⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe51⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe52⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe53⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe54⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe55⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe56⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe57⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe58⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe59⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe60⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe61⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe62⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe63⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe65⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe66⤵PID:240
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe67⤵PID:564
-
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe68⤵
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2372 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe70⤵
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe71⤵PID:2560
-
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe72⤵PID:2668
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe73⤵PID:1748
-
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe74⤵PID:752
-
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe75⤵PID:1424
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe76⤵PID:1940
-
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe77⤵
- Drops file in System32 directory
PID:620 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe78⤵PID:280
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe79⤵PID:108
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe80⤵PID:1580
-
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1788 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe82⤵PID:2964
-
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2340 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe84⤵PID:1400
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe85⤵PID:1420
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe86⤵PID:2944
-
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe87⤵PID:848
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe88⤵PID:2240
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe89⤵PID:1028
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe90⤵PID:2440
-
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe91⤵
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1472 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe94⤵PID:2028
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe95⤵PID:1056
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe96⤵PID:1836
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe97⤵PID:1560
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe99⤵PID:904
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe100⤵PID:2780
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe101⤵PID:1648
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe102⤵PID:960
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe103⤵PID:1184
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe104⤵PID:2324
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe105⤵
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe106⤵PID:2652
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe107⤵PID:1212
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe108⤵PID:1916
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe109⤵
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe110⤵PID:2660
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe111⤵PID:352
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe112⤵
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe113⤵PID:1460
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe114⤵PID:1792
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe116⤵PID:2872
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe117⤵PID:2828
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe118⤵PID:2444
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe120⤵PID:2676
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe121⤵PID:1192
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-