Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 04:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
efb664bf25fe899563105d4fec4939b0_NEIKI.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
efb664bf25fe899563105d4fec4939b0_NEIKI.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
efb664bf25fe899563105d4fec4939b0_NEIKI.exe
-
Size
465KB
-
MD5
efb664bf25fe899563105d4fec4939b0
-
SHA1
cc4d3897ba58ce17b24801015c7428ce81e398ca
-
SHA256
13d771c0432ceb63ca9d813ea01b0d06d68c113cdc2b2be700aefd463407ed31
-
SHA512
bc662871d593ad44524279c151751d6eeb7dd738e8bb373447ec772d9a480774d3be76a3f05a9c3d76d40ae39e421030f14bb941827e4b892aa4e59036eb908b
-
SSDEEP
6144:hECjDjsrwSTYaT15f7o+STYaT15fq1+EKOCLxuC7Vg6h7VIjU:ATYapJoTYapU8N5VTVVI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpablkhc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgnqgqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqdaadln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkmefd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngcje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkjnfkma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgehfkop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpcapp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebnfbcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgkjhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhlejcpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efffmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojlaeei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcnmin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hblkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioambknl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjopcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqnbkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljceqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qalnjkgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqknig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doilmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agjhgngj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjpijpdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdnabjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbpmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gohhpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hofdacke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpnchp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hplicjok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmgqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oofaiokl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfbobf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igqkqiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjmcnbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feocelll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ginnfgop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmemac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooqqdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkeekk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkaobnio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflfac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 1544 Mcbahlip.exe 8 Njljefql.exe 2844 Nqfbaq32.exe 2868 Nqiogp32.exe 3772 Ndghmo32.exe 3324 Ngedij32.exe 3340 Nggqoj32.exe 2176 Nqpego32.exe 4088 Ondeac32.exe 2148 Ogljjiei.exe 5080 Ogogoi32.exe 5000 Ogaceh32.exe 1264 Obfhba32.exe 4420 Okolkg32.exe 4868 Oqkdcn32.exe 952 Pbkamqmd.exe 1492 Pghieg32.exe 1404 Pndohaqe.exe 512 Pcagphom.exe 1364 Pbbgnpgl.exe 4452 Pnihcq32.exe 2396 Qecppkdm.exe 3628 Qajadlja.exe 3020 Qalnjkgo.exe 2528 Acjjfggb.exe 4392 Aejfpjne.exe 3404 Ajfoiqll.exe 3304 Aelcfilb.exe 3908 Adapgfqj.exe 4352 Abbpem32.exe 4332 Ajneip32.exe 264 Blmacb32.exe 232 Bdhfhe32.exe 768 Bjbndobo.exe 4472 Bbifelba.exe 1276 Behbag32.exe 4896 Blbknaib.exe 4844 Bblckl32.exe 4048 Bdmpcdfm.exe 3120 Bjghpn32.exe 4484 Bdolhc32.exe 1760 Bkidenlg.exe 4060 Cbqlfkmi.exe 1948 Chmeobkq.exe 4464 Cklaknjd.exe 1180 Ceaehfjj.exe 3752 Chpada32.exe 1752 Cojjqlpk.exe 2648 Cecbmf32.exe 1728 Ckpjfm32.exe 4488 Cbgbgj32.exe 4084 Cdiooblp.exe 1244 Clpgpp32.exe 4528 Chghdqbf.exe 3812 Ckedalaj.exe 3196 Dbllbibl.exe 1668 Dekhneap.exe 4324 Dhidjpqc.exe 1484 Docmgjhp.exe 4708 Daaicfgd.exe 4000 Dlgmpogj.exe 4824 Doeiljfn.exe 1208 Dadeieea.exe 4220 Dlijfneg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bogcgj32.exe Aimkjp32.exe File created C:\Windows\SysWOW64\Hdedgjno.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nqiogp32.exe Nqfbaq32.exe File opened for modification C:\Windows\SysWOW64\Ednaqo32.exe Ecmeig32.exe File created C:\Windows\SysWOW64\Djfoankj.dll Dkbocbog.exe File created C:\Windows\SysWOW64\Ogbdnipf.dll Ebnfbcbc.exe File created C:\Windows\SysWOW64\Nknjec32.dll Process not Found File created C:\Windows\SysWOW64\Nmdkcj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ajfhnjhq.exe Agglboim.exe File created C:\Windows\SysWOW64\Amgapeea.exe Agjhgngj.exe File created C:\Windows\SysWOW64\Kqpoakco.exe Kkcfid32.exe File created C:\Windows\SysWOW64\Pinnnm32.dll Mngegmbc.exe File created C:\Windows\SysWOW64\Mminhceb.exe Mnfnlf32.exe File opened for modification C:\Windows\SysWOW64\Igjngh32.exe Iqpfjnba.exe File created C:\Windows\SysWOW64\Gbfldf32.exe Gphphj32.exe File opened for modification C:\Windows\SysWOW64\Kfnfjehl.exe Kodnmkap.exe File created C:\Windows\SysWOW64\Fljcmlfd.exe Edbklofb.exe File created C:\Windows\SysWOW64\Kqnbkl32.exe Jjdjoane.exe File opened for modification C:\Windows\SysWOW64\Aoalgn32.exe Albpkc32.exe File created C:\Windows\SysWOW64\Cqmmqg32.dll Eejeiocj.exe File created C:\Windows\SysWOW64\Hiacacpg.exe Process not Found File created C:\Windows\SysWOW64\Kngkqbgl.exe Kgnbdh32.exe File opened for modification C:\Windows\SysWOW64\Lmdnbn32.exe Ljeafb32.exe File created C:\Windows\SysWOW64\Hockka32.dll Process not Found File created C:\Windows\SysWOW64\Lfkaag32.exe Ldleel32.exe File created C:\Windows\SysWOW64\Cpagaq32.dll Hkehkocf.exe File created C:\Windows\SysWOW64\Lonege32.dll Nebmekoi.exe File created C:\Windows\SysWOW64\Ehfcfb32.exe Ealkjh32.exe File created C:\Windows\SysWOW64\Ddfbhfmf.dll Ajbmdn32.exe File opened for modification C:\Windows\SysWOW64\Ejjaqk32.exe Process not Found File created C:\Windows\SysWOW64\Dhidjpqc.exe Dekhneap.exe File opened for modification C:\Windows\SysWOW64\Ehapfiem.exe Eecdjmfi.exe File created C:\Windows\SysWOW64\Doodkl32.dll Gepmlimi.exe File created C:\Windows\SysWOW64\Fkmjaa32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iabglnco.exe Process not Found File created C:\Windows\SysWOW64\Phfcipoo.exe Process not Found File created C:\Windows\SysWOW64\Fdmlkkap.dll Pnihcq32.exe File created C:\Windows\SysWOW64\Kmkfhc32.exe Kfankifm.exe File opened for modification C:\Windows\SysWOW64\Bcelmhen.exe Bqfoamfj.exe File opened for modification C:\Windows\SysWOW64\Injcmc32.exe Igqkqiai.exe File created C:\Windows\SysWOW64\Ompfej32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Neccpd32.exe Nbefdijg.exe File opened for modification C:\Windows\SysWOW64\Fibhpbea.exe Fbhpch32.exe File created C:\Windows\SysWOW64\Omjpeo32.exe Olicnfco.exe File opened for modification C:\Windows\SysWOW64\Jgpfbjlo.exe Johnamkm.exe File created C:\Windows\SysWOW64\Ehjhee32.dll Famjkl32.exe File created C:\Windows\SysWOW64\Bmabggdm.exe Bjbfklei.exe File created C:\Windows\SysWOW64\Fjmkoeqi.exe Fdccbl32.exe File created C:\Windows\SysWOW64\Pmnbfhal.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ckjknfnh.exe Process not Found File created C:\Windows\SysWOW64\Pndohaqe.exe Pghieg32.exe File created C:\Windows\SysWOW64\Ocnjidkf.exe Njefqo32.exe File created C:\Windows\SysWOW64\Ndnljbeg.dll Lnldla32.exe File opened for modification C:\Windows\SysWOW64\Mgphpe32.exe Moipoh32.exe File created C:\Windows\SysWOW64\Mjlhgaqp.exe Mcbpjg32.exe File created C:\Windows\SysWOW64\Eehnaq32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cpdgqmnb.exe Process not Found File created C:\Windows\SysWOW64\Klambq32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Igbalblk.exe Iphioh32.exe File created C:\Windows\SysWOW64\Fpdcag32.exe Fijkdmhn.exe File opened for modification C:\Windows\SysWOW64\Nfohgqlg.exe Process not Found File created C:\Windows\SysWOW64\Llmglb32.dll Odocigqg.exe File created C:\Windows\SysWOW64\Djfjpgfm.dll Ejflhm32.exe File created C:\Windows\SysWOW64\Hpdclcbj.dll Edopabqn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3876 1668 Process not Found 1558 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbllbibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoonaj32.dll" Ieliebnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiaglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggebqoki.dll" Fmjaphek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodolnaf.dll" Fbpchb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdcoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meebmkdh.dll" Leenhhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjcgfjdk.dll" Nmenca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fijkdmhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdiphhpk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkckeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnipccc.dll" Gfmojenc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdphngfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 efb664bf25fe899563105d4fec4939b0_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flippejg.dll" Qcbfakec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipoheakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnlhfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgamgpme.dll" Lbinam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmjaa32.dll" Eleepoob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnldla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofoidko.dll" Kbpbed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcgnbaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpejkd32.dll" Gemkelcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifgbnlmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkbocbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cohkokgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodfed32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjbbcpq.dll" Gbabigfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcadhpd.dll" Jpdhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iojnef32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngedij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chpada32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidjfdep.dll" Chghdqbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll" Olmeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonege32.dll" Nebmekoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lblaabdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qqffjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgagmm32.dll" Qfbobf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcaaddl.dll" Nimbkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhijepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcgffqei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aonoao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cndeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogiek32.dll" Ehgqln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiodpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll" Ceqnmpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mflfak32.dll" Emeoooml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipoheakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miofjepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnfihkqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncapfeoc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipbmd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nipekiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiabl32.dll" Mnfnlf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4608 wrote to memory of 1544 4608 efb664bf25fe899563105d4fec4939b0_NEIKI.exe 81 PID 4608 wrote to memory of 1544 4608 efb664bf25fe899563105d4fec4939b0_NEIKI.exe 81 PID 4608 wrote to memory of 1544 4608 efb664bf25fe899563105d4fec4939b0_NEIKI.exe 81 PID 1544 wrote to memory of 8 1544 Mcbahlip.exe 82 PID 1544 wrote to memory of 8 1544 Mcbahlip.exe 82 PID 1544 wrote to memory of 8 1544 Mcbahlip.exe 82 PID 8 wrote to memory of 2844 8 Njljefql.exe 83 PID 8 wrote to memory of 2844 8 Njljefql.exe 83 PID 8 wrote to memory of 2844 8 Njljefql.exe 83 PID 2844 wrote to memory of 2868 2844 Nqfbaq32.exe 84 PID 2844 wrote to memory of 2868 2844 Nqfbaq32.exe 84 PID 2844 wrote to memory of 2868 2844 Nqfbaq32.exe 84 PID 2868 wrote to memory of 3772 2868 Nqiogp32.exe 87 PID 2868 wrote to memory of 3772 2868 Nqiogp32.exe 87 PID 2868 wrote to memory of 3772 2868 Nqiogp32.exe 87 PID 3772 wrote to memory of 3324 3772 Ndghmo32.exe 88 PID 3772 wrote to memory of 3324 3772 Ndghmo32.exe 88 PID 3772 wrote to memory of 3324 3772 Ndghmo32.exe 88 PID 3324 wrote to memory of 3340 3324 Ngedij32.exe 89 PID 3324 wrote to memory of 3340 3324 Ngedij32.exe 89 PID 3324 wrote to memory of 3340 3324 Ngedij32.exe 89 PID 3340 wrote to memory of 2176 3340 Nggqoj32.exe 90 PID 3340 wrote to memory of 2176 3340 Nggqoj32.exe 90 PID 3340 wrote to memory of 2176 3340 Nggqoj32.exe 90 PID 2176 wrote to memory of 4088 2176 Nqpego32.exe 91 PID 2176 wrote to memory of 4088 2176 Nqpego32.exe 91 PID 2176 wrote to memory of 4088 2176 Nqpego32.exe 91 PID 4088 wrote to memory of 2148 4088 Ondeac32.exe 92 PID 4088 wrote to memory of 2148 4088 Ondeac32.exe 92 PID 4088 wrote to memory of 2148 4088 Ondeac32.exe 92 PID 2148 wrote to memory of 5080 2148 Ogljjiei.exe 93 PID 2148 wrote to memory of 5080 2148 Ogljjiei.exe 93 PID 2148 wrote to memory of 5080 2148 Ogljjiei.exe 93 PID 5080 wrote to memory of 5000 5080 Ogogoi32.exe 94 PID 5080 wrote to memory of 5000 5080 Ogogoi32.exe 94 PID 5080 wrote to memory of 5000 5080 Ogogoi32.exe 94 PID 5000 wrote to memory of 1264 5000 Ogaceh32.exe 95 PID 5000 wrote to memory of 1264 5000 Ogaceh32.exe 95 PID 5000 wrote to memory of 1264 5000 Ogaceh32.exe 95 PID 1264 wrote to memory of 4420 1264 Obfhba32.exe 96 PID 1264 wrote to memory of 4420 1264 Obfhba32.exe 96 PID 1264 wrote to memory of 4420 1264 Obfhba32.exe 96 PID 4420 wrote to memory of 4868 4420 Okolkg32.exe 97 PID 4420 wrote to memory of 4868 4420 Okolkg32.exe 97 PID 4420 wrote to memory of 4868 4420 Okolkg32.exe 97 PID 4868 wrote to memory of 952 4868 Oqkdcn32.exe 98 PID 4868 wrote to memory of 952 4868 Oqkdcn32.exe 98 PID 4868 wrote to memory of 952 4868 Oqkdcn32.exe 98 PID 952 wrote to memory of 1492 952 Pbkamqmd.exe 99 PID 952 wrote to memory of 1492 952 Pbkamqmd.exe 99 PID 952 wrote to memory of 1492 952 Pbkamqmd.exe 99 PID 1492 wrote to memory of 1404 1492 Pghieg32.exe 100 PID 1492 wrote to memory of 1404 1492 Pghieg32.exe 100 PID 1492 wrote to memory of 1404 1492 Pghieg32.exe 100 PID 1404 wrote to memory of 512 1404 Pndohaqe.exe 101 PID 1404 wrote to memory of 512 1404 Pndohaqe.exe 101 PID 1404 wrote to memory of 512 1404 Pndohaqe.exe 101 PID 512 wrote to memory of 1364 512 Pcagphom.exe 102 PID 512 wrote to memory of 1364 512 Pcagphom.exe 102 PID 512 wrote to memory of 1364 512 Pcagphom.exe 102 PID 1364 wrote to memory of 4452 1364 Pbbgnpgl.exe 103 PID 1364 wrote to memory of 4452 1364 Pbbgnpgl.exe 103 PID 1364 wrote to memory of 4452 1364 Pbbgnpgl.exe 103 PID 4452 wrote to memory of 2396 4452 Pnihcq32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\efb664bf25fe899563105d4fec4939b0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\efb664bf25fe899563105d4fec4939b0_NEIKI.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe23⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe24⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe26⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe27⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe28⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe29⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe30⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe31⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe32⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe33⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe34⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe35⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe36⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe37⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe38⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe39⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe40⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe41⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe42⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe43⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe44⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe45⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe46⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe47⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:3752 -
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe49⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe50⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe51⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe52⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe53⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe54⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4528 -
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe56⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3196 -
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe59⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe60⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe61⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe62⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe63⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe64⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe65⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe66⤵PID:736
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe67⤵PID:532
-
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe68⤵PID:216
-
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe69⤵PID:1648
-
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe70⤵PID:1932
-
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe71⤵PID:5084
-
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe72⤵PID:1236
-
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe73⤵PID:4892
-
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe74⤵PID:1068
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe75⤵PID:1812
-
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe76⤵PID:536
-
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe77⤵
- Modifies registry class
PID:4776 -
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe78⤵PID:3348
-
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe79⤵
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe80⤵PID:4992
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe81⤵PID:2160
-
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe82⤵PID:224
-
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe83⤵PID:856
-
C:\Windows\SysWOW64\Eofbch32.exeC:\Windows\system32\Eofbch32.exe84⤵PID:3104
-
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe85⤵
- Drops file in System32 directory
PID:4920 -
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe86⤵PID:3808
-
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe87⤵PID:4916
-
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe88⤵PID:1940
-
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe89⤵PID:4944
-
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe90⤵PID:1996
-
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe91⤵PID:3956
-
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe92⤵PID:1188
-
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe93⤵PID:1936
-
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe94⤵PID:448
-
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe95⤵PID:804
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe96⤵PID:2200
-
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe97⤵PID:548
-
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2840 -
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe99⤵PID:1060
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe100⤵PID:2544
-
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe101⤵PID:4124
-
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe102⤵PID:1988
-
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe103⤵PID:1308
-
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe104⤵PID:1864
-
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe105⤵PID:756
-
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe106⤵PID:5128
-
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe107⤵PID:5172
-
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5216 -
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5260 -
C:\Windows\SysWOW64\Iefioj32.exeC:\Windows\system32\Iefioj32.exe110⤵PID:5304
-
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe111⤵PID:5348
-
C:\Windows\SysWOW64\Iehfdi32.exeC:\Windows\system32\Iehfdi32.exe112⤵PID:5396
-
C:\Windows\SysWOW64\Ifgbnlmj.exeC:\Windows\system32\Ifgbnlmj.exe113⤵
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe114⤵PID:5484
-
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe115⤵PID:5528
-
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe116⤵PID:5572
-
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe117⤵PID:5616
-
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe118⤵PID:5660
-
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe119⤵PID:5704
-
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe120⤵PID:5748
-
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe121⤵PID:5792
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-