Analysis
-
max time kernel
148s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
09-05-2024 08:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
001e8274d7fff76d286d3ea388c46b10_NEIKI.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
001e8274d7fff76d286d3ea388c46b10_NEIKI.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
001e8274d7fff76d286d3ea388c46b10_NEIKI.exe
-
Size
55KB
-
MD5
001e8274d7fff76d286d3ea388c46b10
-
SHA1
63b08325dbaaefff222fe089cf507595e1e30c36
-
SHA256
9f9fcfbc11e08bf8db43036b9d346a3d2adce8be517321fb1360906883cab84c
-
SHA512
7884b0ac10478b8d3c1822a5d9c5505b94217a4bdf01b2f8c4536e8f615b5405d1067f9bc388e821b27fee679773c0699daf75775d4112059419d12b9fa82208
-
SSDEEP
1536:gDzTbeFx3GCcwBELXs/DpdXazXaPnfgD6e0+xXxt2Lv:gDbev30L0rKzqwDlMv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njdpomfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Banepo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqhhknjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmlapp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddifnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfjdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjmodopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Globlmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnpmipql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banepo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nocemcbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmlgonbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oicpfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paggai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qecoqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Copfbfjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epdkli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkaocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbkpna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peiljl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnagjbdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogmmjfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecmkghcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hacmcfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbnbobin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emcbkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgbdhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omloag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gogangdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmafennb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeempocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnpnndgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Globlmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gobgcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncjgbcoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojficpfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Filldb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmgqnfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobcak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocomlemo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmdbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmibdlh.exe -
Executes dropped EXE 64 IoCs
pid Process 1724 Lgdjnofi.exe 2716 Llqcfe32.exe 2748 Lplogdmj.exe 2512 Midcpj32.exe 2500 Mpolmdkg.exe 2960 Maphdl32.exe 1800 Mlelaeqk.exe 2804 Mochnppo.exe 2784 Menakj32.exe 844 Mlgigdoh.exe 1588 Mnieom32.exe 1832 Mepnpj32.exe 1796 Mkmfhacp.exe 2240 Mnkbdlbd.exe 2776 Mdejaf32.exe 780 Mgcgmb32.exe 2864 Nnnojlpa.exe 1728 Naikkk32.exe 2104 Ncjgbcoi.exe 2096 Nkaocp32.exe 1956 Njdpomfe.exe 1700 Nlblkhei.exe 2016 Ndjdlffl.exe 752 Njgldmdc.exe 2076 Nocemcbj.exe 2600 Ngkmnacm.exe 2680 Nlgefh32.exe 2884 Nofabc32.exe 2760 Nbdnoo32.exe 2628 Nhnfkigh.exe 2556 Nbfjdn32.exe 296 Ofbfdmeb.exe 2476 Omloag32.exe 2856 Onmkio32.exe 1244 Oicpfh32.exe 2288 Okalbc32.exe 1840 Oqndkj32.exe 2168 Oghlgdgk.exe 1788 Ojficpfn.exe 1456 Oqqapjnk.exe 2468 Ocomlemo.exe 536 Omgaek32.exe 1568 Ogmfbd32.exe 2456 Ojkboo32.exe 408 Pgobhcac.exe 1220 Pfbccp32.exe 2020 Pjmodopf.exe 1216 Pipopl32.exe 944 Paggai32.exe 2088 Pcfcmd32.exe 1536 Pfdpip32.exe 2636 Piblek32.exe 2608 Plahag32.exe 2728 Ppmdbe32.exe 2660 Pbkpna32.exe 2668 Peiljl32.exe 2808 Piehkkcl.exe 1912 Plcdgfbo.exe 1896 Pbmmcq32.exe 1804 Pfiidobe.exe 1208 Phjelg32.exe 2236 Ppamme32.exe 2588 Pndniaop.exe 484 Pbpjiphi.exe -
Loads dropped DLL 64 IoCs
pid Process 2148 001e8274d7fff76d286d3ea388c46b10_NEIKI.exe 2148 001e8274d7fff76d286d3ea388c46b10_NEIKI.exe 1724 Lgdjnofi.exe 1724 Lgdjnofi.exe 2716 Llqcfe32.exe 2716 Llqcfe32.exe 2748 Lplogdmj.exe 2748 Lplogdmj.exe 2512 Midcpj32.exe 2512 Midcpj32.exe 2500 Mpolmdkg.exe 2500 Mpolmdkg.exe 2960 Maphdl32.exe 2960 Maphdl32.exe 1800 Mlelaeqk.exe 1800 Mlelaeqk.exe 2804 Mochnppo.exe 2804 Mochnppo.exe 2784 Menakj32.exe 2784 Menakj32.exe 844 Mlgigdoh.exe 844 Mlgigdoh.exe 1588 Mnieom32.exe 1588 Mnieom32.exe 1832 Mepnpj32.exe 1832 Mepnpj32.exe 1796 Mkmfhacp.exe 1796 Mkmfhacp.exe 2240 Mnkbdlbd.exe 2240 Mnkbdlbd.exe 2776 Mdejaf32.exe 2776 Mdejaf32.exe 780 Mgcgmb32.exe 780 Mgcgmb32.exe 2864 Nnnojlpa.exe 2864 Nnnojlpa.exe 1728 Naikkk32.exe 1728 Naikkk32.exe 2104 Ncjgbcoi.exe 2104 Ncjgbcoi.exe 2096 Nkaocp32.exe 2096 Nkaocp32.exe 1956 Njdpomfe.exe 1956 Njdpomfe.exe 1700 Nlblkhei.exe 1700 Nlblkhei.exe 2016 Ndjdlffl.exe 2016 Ndjdlffl.exe 752 Njgldmdc.exe 752 Njgldmdc.exe 2076 Nocemcbj.exe 2076 Nocemcbj.exe 2600 Ngkmnacm.exe 2600 Ngkmnacm.exe 2680 Nlgefh32.exe 2680 Nlgefh32.exe 2884 Nofabc32.exe 2884 Nofabc32.exe 2760 Nbdnoo32.exe 2760 Nbdnoo32.exe 2628 Nhnfkigh.exe 2628 Nhnfkigh.exe 2556 Nbfjdn32.exe 2556 Nbfjdn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fjdbnf32.exe Fhffaj32.exe File opened for modification C:\Windows\SysWOW64\Glfhll32.exe Ghkllmoi.exe File created C:\Windows\SysWOW64\Fhdclk32.dll Ofbfdmeb.exe File opened for modification C:\Windows\SysWOW64\Ppmdbe32.exe Plahag32.exe File created C:\Windows\SysWOW64\Aajpelhl.exe Ankdiqih.exe File created C:\Windows\SysWOW64\Ebbgid32.exe Epdkli32.exe File opened for modification C:\Windows\SysWOW64\Hlfdkoin.exe Hhjhkq32.exe File created C:\Windows\SysWOW64\Njgldmdc.exe Ndjdlffl.exe File created C:\Windows\SysWOW64\Nocemcbj.exe Njgldmdc.exe File created C:\Windows\SysWOW64\Flcnijgi.dll Ddeaalpg.exe File created C:\Windows\SysWOW64\Bnebmi32.dll Nlgefh32.exe File created C:\Windows\SysWOW64\Hgeadcbc.dll Ankdiqih.exe File opened for modification C:\Windows\SysWOW64\Dbbkja32.exe Dkhcmgnl.exe File created C:\Windows\SysWOW64\Dcknbh32.exe Doobajme.exe File created C:\Windows\SysWOW64\Ljenlcfa.dll Epaogi32.exe File created C:\Windows\SysWOW64\Lpdhmlbj.dll Egamfkdh.exe File created C:\Windows\SysWOW64\Jiiegafd.dll Fehjeo32.exe File created C:\Windows\SysWOW64\Ccedfd32.dll Naikkk32.exe File created C:\Windows\SysWOW64\Cdjgej32.dll Piehkkcl.exe File opened for modification C:\Windows\SysWOW64\Aljgfioc.exe Ailkjmpo.exe File created C:\Windows\SysWOW64\Emhlfmgj.exe Eilpeooq.exe File opened for modification C:\Windows\SysWOW64\Hgilchkf.exe Hobcak32.exe File opened for modification C:\Windows\SysWOW64\Midcpj32.exe Lplogdmj.exe File created C:\Windows\SysWOW64\Paggai32.exe Pipopl32.exe File created C:\Windows\SysWOW64\Lgeceh32.dll Copfbfjj.exe File created C:\Windows\SysWOW64\Ckffgg32.exe Clcflkic.exe File opened for modification C:\Windows\SysWOW64\Ncjgbcoi.exe Naikkk32.exe File created C:\Windows\SysWOW64\Fbeccf32.dll Aoffmd32.exe File opened for modification C:\Windows\SysWOW64\Njgldmdc.exe Ndjdlffl.exe File created C:\Windows\SysWOW64\Bghabf32.exe Bdjefj32.exe File opened for modification C:\Windows\SysWOW64\Cbnbobin.exe Copfbfjj.exe File created C:\Windows\SysWOW64\Hknach32.exe Hgbebiao.exe File created C:\Windows\SysWOW64\Hdfflm32.exe Hahjpbad.exe File opened for modification C:\Windows\SysWOW64\Hobcak32.exe Hpocfncj.exe File opened for modification C:\Windows\SysWOW64\Nhnfkigh.exe Nbdnoo32.exe File opened for modification C:\Windows\SysWOW64\Pfbccp32.exe Pgobhcac.exe File created C:\Windows\SysWOW64\Pndaof32.dll Ppamme32.exe File opened for modification C:\Windows\SysWOW64\Pbpjiphi.exe Pndniaop.exe File opened for modification C:\Windows\SysWOW64\Admemg32.exe Alenki32.exe File created C:\Windows\SysWOW64\Aiinen32.exe Afkbib32.exe File created C:\Windows\SysWOW64\Epaogi32.exe Emcbkn32.exe File created C:\Windows\SysWOW64\Hggomh32.exe Hckcmjep.exe File created C:\Windows\SysWOW64\Pdehna32.dll Nofabc32.exe File created C:\Windows\SysWOW64\Lmkgjhfn.dll Plcdgfbo.exe File created C:\Windows\SysWOW64\Fphafl32.exe Fmjejphb.exe File created C:\Windows\SysWOW64\Henidd32.exe Hacmcfge.exe File created C:\Windows\SysWOW64\Omeope32.dll Clcflkic.exe File opened for modification C:\Windows\SysWOW64\Gfefiemq.exe Gonnhhln.exe File created C:\Windows\SysWOW64\Chhpdp32.dll Gldkfl32.exe File created C:\Windows\SysWOW64\Hodpgjha.exe Hlfdkoin.exe File created C:\Windows\SysWOW64\Afkbib32.exe Admemg32.exe File opened for modification C:\Windows\SysWOW64\Gejcjbah.exe Gbkgnfbd.exe File created C:\Windows\SysWOW64\Pfabenjd.dll Gaemjbcg.exe File opened for modification C:\Windows\SysWOW64\Hkkalk32.exe Hhmepp32.exe File created C:\Windows\SysWOW64\Mochnppo.exe Mlelaeqk.exe File created C:\Windows\SysWOW64\Piblek32.exe Pfdpip32.exe File created C:\Windows\SysWOW64\Fejgko32.exe Faokjpfd.exe File opened for modification C:\Windows\SysWOW64\Fmlapp32.exe Fiaeoang.exe File opened for modification C:\Windows\SysWOW64\Mlelaeqk.exe Maphdl32.exe File opened for modification C:\Windows\SysWOW64\Ghmiam32.exe Gdamqndn.exe File opened for modification C:\Windows\SysWOW64\Phjelg32.exe Pfiidobe.exe File created C:\Windows\SysWOW64\Cgqjffca.dll Ejgcdb32.exe File opened for modification C:\Windows\SysWOW64\Gldkfl32.exe Ghhofmql.exe File opened for modification C:\Windows\SysWOW64\Pndniaop.exe Ppamme32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3368 3312 WerFault.exe 289 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cngcjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndjdlffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebbjqa32.dll" Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjffca.dll" Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effdfo32.dll" Llqcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkmfhacp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdfflm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apomfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll" Globlmmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghhofmql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlblkhei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll" Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqhhknjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadkgl32.dll" Fckjalhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkemh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peiljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlakpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnieom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gopkmhjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnigda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoffmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afmonbqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdjefj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll" Fphafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnnojlpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bloqah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpefbknb.dll" Bnefdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfbhnaho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll" Hknach32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojkboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iegecigk.dll" Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahakmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjecnop.dll" Bommnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll" Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll" Gkkemh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhnfkigh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqndkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll" Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jagbha32.dll" Nnnojlpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldmndi32.dll" Oqndkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfcfmmpb.dll" Afmonbqk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2148 wrote to memory of 1724 2148 001e8274d7fff76d286d3ea388c46b10_NEIKI.exe 28 PID 2148 wrote to memory of 1724 2148 001e8274d7fff76d286d3ea388c46b10_NEIKI.exe 28 PID 2148 wrote to memory of 1724 2148 001e8274d7fff76d286d3ea388c46b10_NEIKI.exe 28 PID 2148 wrote to memory of 1724 2148 001e8274d7fff76d286d3ea388c46b10_NEIKI.exe 28 PID 1724 wrote to memory of 2716 1724 Lgdjnofi.exe 29 PID 1724 wrote to memory of 2716 1724 Lgdjnofi.exe 29 PID 1724 wrote to memory of 2716 1724 Lgdjnofi.exe 29 PID 1724 wrote to memory of 2716 1724 Lgdjnofi.exe 29 PID 2716 wrote to memory of 2748 2716 Llqcfe32.exe 30 PID 2716 wrote to memory of 2748 2716 Llqcfe32.exe 30 PID 2716 wrote to memory of 2748 2716 Llqcfe32.exe 30 PID 2716 wrote to memory of 2748 2716 Llqcfe32.exe 30 PID 2748 wrote to memory of 2512 2748 Lplogdmj.exe 31 PID 2748 wrote to memory of 2512 2748 Lplogdmj.exe 31 PID 2748 wrote to memory of 2512 2748 Lplogdmj.exe 31 PID 2748 wrote to memory of 2512 2748 Lplogdmj.exe 31 PID 2512 wrote to memory of 2500 2512 Midcpj32.exe 32 PID 2512 wrote to memory of 2500 2512 Midcpj32.exe 32 PID 2512 wrote to memory of 2500 2512 Midcpj32.exe 32 PID 2512 wrote to memory of 2500 2512 Midcpj32.exe 32 PID 2500 wrote to memory of 2960 2500 Mpolmdkg.exe 33 PID 2500 wrote to memory of 2960 2500 Mpolmdkg.exe 33 PID 2500 wrote to memory of 2960 2500 Mpolmdkg.exe 33 PID 2500 wrote to memory of 2960 2500 Mpolmdkg.exe 33 PID 2960 wrote to memory of 1800 2960 Maphdl32.exe 34 PID 2960 wrote to memory of 1800 2960 Maphdl32.exe 34 PID 2960 wrote to memory of 1800 2960 Maphdl32.exe 34 PID 2960 wrote to memory of 1800 2960 Maphdl32.exe 34 PID 1800 wrote to memory of 2804 1800 Mlelaeqk.exe 35 PID 1800 wrote to memory of 2804 1800 Mlelaeqk.exe 35 PID 1800 wrote to memory of 2804 1800 Mlelaeqk.exe 35 PID 1800 wrote to memory of 2804 1800 Mlelaeqk.exe 35 PID 2804 wrote to memory of 2784 2804 Mochnppo.exe 36 PID 2804 wrote to memory of 2784 2804 Mochnppo.exe 36 PID 2804 wrote to memory of 2784 2804 Mochnppo.exe 36 PID 2804 wrote to memory of 2784 2804 Mochnppo.exe 36 PID 2784 wrote to memory of 844 2784 Menakj32.exe 37 PID 2784 wrote to memory of 844 2784 Menakj32.exe 37 PID 2784 wrote to memory of 844 2784 Menakj32.exe 37 PID 2784 wrote to memory of 844 2784 Menakj32.exe 37 PID 844 wrote to memory of 1588 844 Mlgigdoh.exe 38 PID 844 wrote to memory of 1588 844 Mlgigdoh.exe 38 PID 844 wrote to memory of 1588 844 Mlgigdoh.exe 38 PID 844 wrote to memory of 1588 844 Mlgigdoh.exe 38 PID 1588 wrote to memory of 1832 1588 Mnieom32.exe 39 PID 1588 wrote to memory of 1832 1588 Mnieom32.exe 39 PID 1588 wrote to memory of 1832 1588 Mnieom32.exe 39 PID 1588 wrote to memory of 1832 1588 Mnieom32.exe 39 PID 1832 wrote to memory of 1796 1832 Mepnpj32.exe 40 PID 1832 wrote to memory of 1796 1832 Mepnpj32.exe 40 PID 1832 wrote to memory of 1796 1832 Mepnpj32.exe 40 PID 1832 wrote to memory of 1796 1832 Mepnpj32.exe 40 PID 1796 wrote to memory of 2240 1796 Mkmfhacp.exe 41 PID 1796 wrote to memory of 2240 1796 Mkmfhacp.exe 41 PID 1796 wrote to memory of 2240 1796 Mkmfhacp.exe 41 PID 1796 wrote to memory of 2240 1796 Mkmfhacp.exe 41 PID 2240 wrote to memory of 2776 2240 Mnkbdlbd.exe 42 PID 2240 wrote to memory of 2776 2240 Mnkbdlbd.exe 42 PID 2240 wrote to memory of 2776 2240 Mnkbdlbd.exe 42 PID 2240 wrote to memory of 2776 2240 Mnkbdlbd.exe 42 PID 2776 wrote to memory of 780 2776 Mdejaf32.exe 43 PID 2776 wrote to memory of 780 2776 Mdejaf32.exe 43 PID 2776 wrote to memory of 780 2776 Mdejaf32.exe 43 PID 2776 wrote to memory of 780 2776 Mdejaf32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\001e8274d7fff76d286d3ea388c46b10_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\001e8274d7fff76d286d3ea388c46b10_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:752 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:296 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe35⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe37⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe39⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe41⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe43⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe44⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:408 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe47⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1216 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe51⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe53⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe60⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe65⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe66⤵
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe67⤵PID:1736
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe68⤵PID:692
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe69⤵PID:1252
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe70⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe71⤵PID:2388
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe72⤵PID:2264
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe73⤵
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe76⤵
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2116 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe78⤵
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe79⤵PID:2844
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe80⤵PID:1688
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe81⤵PID:2220
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe82⤵PID:1952
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe83⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe85⤵PID:1576
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2988 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe87⤵
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe88⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe89⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe90⤵PID:2828
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe91⤵PID:1356
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe92⤵
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe94⤵
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe95⤵
- Drops file in System32 directory
PID:1416 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe96⤵PID:1048
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe97⤵
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe98⤵PID:1212
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe99⤵PID:284
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe100⤵PID:1640
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe101⤵PID:2876
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe102⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe103⤵PID:2132
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe104⤵PID:2772
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe105⤵PID:2400
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe106⤵
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:308 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe108⤵
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1404 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe111⤵PID:1960
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe112⤵PID:2060
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe113⤵PID:2624
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2396 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe115⤵PID:3012
-
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe116⤵PID:1284
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe117⤵PID:1204
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe118⤵PID:800
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe119⤵
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe120⤵PID:448
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe121⤵PID:344
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-