Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 03:28
Behavioral task
behavioral1
Sample
deffd003fd7aba601a3cdf020f12ed10_NEIKI.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
deffd003fd7aba601a3cdf020f12ed10_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
deffd003fd7aba601a3cdf020f12ed10_NEIKI.exe
-
Size
565KB
-
MD5
deffd003fd7aba601a3cdf020f12ed10
-
SHA1
254e4260cc97eb671dfcc1ca8a7dfee2eb8bffbd
-
SHA256
7a4589d2fe1ec716b38a3f8d942bfd27be447429833d767d0f3dc32b8e1c1cd5
-
SHA512
d3a38f56fb1348d841366cfc840a7dd6444cb9f3a9673b45ac68a94aac356924566676ab03b64b0a048c34801d81cee6b600ca5c9d6265bc477a991133558ac5
-
SSDEEP
12288:jHXtuFjAhC/+zrWAI5KFum/+zrWAIAqWim/+zrWAI5KF8OX:LXtuFjAhCm0BmmvFimm09OX
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaldcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbnoliap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmpnhdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nadpgggp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbeflpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgbggnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dodonf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeaedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gangic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklkmnbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkaglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adpkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcmafj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lclnemgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abpfhcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efcfga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedocp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onpjghhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmagdbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpbefoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biafnecn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocfigjlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjclbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Moidahcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeenochi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apalea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpafkknm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pklhlael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kiijnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkhofjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnffgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgmdjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdgjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijpnfif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifkacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oappcfmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cilibi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jofiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpngfgle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oappcfmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhbped32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbgkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mimbdhhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefpnhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbidgeci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbalifo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbplbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idfbkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijeghgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjojofgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmehnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leljop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnimnfpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklfll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfjhgdck.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/1924-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/1924-6-0x00000000002D0000-0x0000000000314000-memory.dmp family_berbew behavioral1/files/0x000d00000001228c-5.dat family_berbew behavioral1/files/0x0007000000014b9e-18.dat family_berbew behavioral1/memory/2596-27-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0007000000015065-33.dat family_berbew behavioral1/memory/2596-35-0x00000000002D0000-0x0000000000314000-memory.dmp family_berbew behavioral1/files/0x0008000000015678-46.dat family_berbew behavioral1/memory/2152-54-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000015d53-60.dat family_berbew behavioral1/memory/2152-61-0x00000000002D0000-0x0000000000314000-memory.dmp family_berbew behavioral1/memory/2188-72-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000015d7b-80.dat family_berbew behavioral1/memory/2588-82-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000015d90-88.dat family_berbew behavioral1/memory/1856-97-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000015d9f-106.dat family_berbew behavioral1/memory/1364-111-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000015e1d-117.dat family_berbew behavioral1/memory/2156-126-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000015fef-137.dat family_berbew behavioral1/memory/1484-138-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x000600000001615c-144.dat family_berbew behavioral1/memory/1484-147-0x0000000000250000-0x0000000000294000-memory.dmp family_berbew behavioral1/files/0x0006000000016455-157.dat family_berbew behavioral1/memory/1220-165-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00060000000165e1-171.dat family_berbew behavioral1/memory/1220-172-0x0000000000250000-0x0000000000294000-memory.dmp family_berbew behavioral1/memory/2764-184-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2288-192-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000016a8a-191.dat family_berbew behavioral1/files/0x0006000000016c6f-198.dat family_berbew behavioral1/memory/1300-219-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000016cc1-218.dat family_berbew behavioral1/memory/264-211-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000016d17-228.dat family_berbew behavioral1/memory/1088-235-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/1300-233-0x00000000003B0000-0x00000000003F4000-memory.dmp family_berbew behavioral1/files/0x0006000000016d32-238.dat family_berbew behavioral1/memory/2912-241-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000016d43-247.dat family_berbew behavioral1/files/0x0005000000019640-566.dat family_berbew behavioral1/files/0x0005000000019637-544.dat family_berbew behavioral1/files/0x000500000001963d-556.dat family_berbew behavioral1/files/0x0005000000019631-533.dat family_berbew behavioral1/files/0x000500000001962d-522.dat family_berbew behavioral1/files/0x0005000000019629-511.dat family_berbew behavioral1/files/0x00050000000195b1-500.dat family_berbew behavioral1/files/0x000500000001951f-489.dat family_berbew behavioral1/files/0x000500000001947b-478.dat family_berbew behavioral1/files/0x0005000000019447-467.dat family_berbew behavioral1/memory/756-461-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0005000000019428-456.dat family_berbew behavioral1/memory/2172-454-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00050000000193e5-446.dat family_berbew behavioral1/memory/2168-445-0x0000000000280000-0x00000000002C4000-memory.dmp family_berbew behavioral1/memory/2168-439-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0005000000019358-434.dat family_berbew behavioral1/memory/696-432-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00060000000190da-423.dat family_berbew behavioral1/memory/1568-417-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000018bd9-412.dat family_berbew behavioral1/memory/2948-410-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00050000000187b3-401.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2756 Qdccfh32.exe 2596 Afdlhchf.exe 2796 Apomfh32.exe 2152 Abpfhcje.exe 2188 Aepojo32.exe 2588 Bagpopmj.exe 1856 Bbflib32.exe 1364 Bpafkknm.exe 2156 Bcaomf32.exe 1484 Cjlgiqbk.exe 1576 Chcqpmep.exe 1220 Cbnbobin.exe 2764 Dbpodagk.exe 2288 Dodonf32.exe 264 Djpmccqq.exe 1300 Dqjepm32.exe 1088 Eflgccbp.exe 2912 Eijcpoac.exe 2648 Eilpeooq.exe 1476 Ekklaj32.exe 2896 Enihne32.exe 952 Efppoc32.exe 1460 Eiomkn32.exe 640 Epieghdk.exe 352 Ebgacddo.exe 2136 Eeempocb.exe 2052 Ennaieib.exe 2932 Fehjeo32.exe 2116 Flabbihl.exe 2728 Fmcoja32.exe 1844 Fhhcgj32.exe 2500 Faagpp32.exe 2948 Ffnphf32.exe 1568 Facdeo32.exe 696 Ffpmnf32.exe 2168 Flmefm32.exe 2172 Fbgmbg32.exe 756 Fiaeoang.exe 2040 Globlmmj.exe 2776 Gonnhhln.exe 2056 Gicbeald.exe 2308 Gpmjak32.exe 996 Gangic32.exe 1520 Ghhofmql.exe 2108 Gkgkbipp.exe 2820 Gelppaof.exe 992 Ghkllmoi.exe 1124 Goddhg32.exe 3064 Gacpdbej.exe 968 Hlfdkoin.exe 1996 Hhmepp32.exe 2608 Icbimi32.exe 2792 Ieqeidnl.exe 2740 Iknnbklc.exe 2488 Idfbkq32.exe 1624 Ikpjgkjq.exe 1632 Iqmcpahh.exe 2180 Ihdkao32.exe 2684 Ijeghgoh.exe 2024 Iblpjdpk.exe 1208 Igihbknb.exe 1940 Ijgdngmf.exe 2768 Idmhkpml.exe 2868 Igkdgk32.exe -
Loads dropped DLL 64 IoCs
pid Process 1924 deffd003fd7aba601a3cdf020f12ed10_NEIKI.exe 1924 deffd003fd7aba601a3cdf020f12ed10_NEIKI.exe 2756 Qdccfh32.exe 2756 Qdccfh32.exe 2596 Afdlhchf.exe 2596 Afdlhchf.exe 2796 Apomfh32.exe 2796 Apomfh32.exe 2152 Abpfhcje.exe 2152 Abpfhcje.exe 2188 Aepojo32.exe 2188 Aepojo32.exe 2588 Bagpopmj.exe 2588 Bagpopmj.exe 1856 Bbflib32.exe 1856 Bbflib32.exe 1364 Bpafkknm.exe 1364 Bpafkknm.exe 2156 Bcaomf32.exe 2156 Bcaomf32.exe 1484 Cjlgiqbk.exe 1484 Cjlgiqbk.exe 1576 Chcqpmep.exe 1576 Chcqpmep.exe 1220 Cbnbobin.exe 1220 Cbnbobin.exe 2764 Dbpodagk.exe 2764 Dbpodagk.exe 2288 Dodonf32.exe 2288 Dodonf32.exe 264 Djpmccqq.exe 264 Djpmccqq.exe 1300 Dqjepm32.exe 1300 Dqjepm32.exe 1088 Eflgccbp.exe 1088 Eflgccbp.exe 2912 Eijcpoac.exe 2912 Eijcpoac.exe 2648 Eilpeooq.exe 2648 Eilpeooq.exe 1476 Ekklaj32.exe 1476 Ekklaj32.exe 2896 Enihne32.exe 2896 Enihne32.exe 952 Efppoc32.exe 952 Efppoc32.exe 1460 Eiomkn32.exe 1460 Eiomkn32.exe 640 Epieghdk.exe 640 Epieghdk.exe 352 Ebgacddo.exe 352 Ebgacddo.exe 2136 Eeempocb.exe 2136 Eeempocb.exe 2052 Ennaieib.exe 2052 Ennaieib.exe 2932 Fehjeo32.exe 2932 Fehjeo32.exe 2116 Flabbihl.exe 2116 Flabbihl.exe 2728 Fmcoja32.exe 2728 Fmcoja32.exe 1844 Fhhcgj32.exe 1844 Fhhcgj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lonkjenl.dll Ebgacddo.exe File opened for modification C:\Windows\SysWOW64\Pkidlk32.exe Odoloalf.exe File created C:\Windows\SysWOW64\Phmkjbfe.dll Nigome32.exe File opened for modification C:\Windows\SysWOW64\Oegbheiq.exe Onpjghhn.exe File created C:\Windows\SysWOW64\Qodlkm32.exe Qgmdjp32.exe File opened for modification C:\Windows\SysWOW64\Dodonf32.exe Dbpodagk.exe File opened for modification C:\Windows\SysWOW64\Jgnamk32.exe Jofiln32.exe File created C:\Windows\SysWOW64\Abkphdmd.dll Eqpgol32.exe File created C:\Windows\SysWOW64\Eqdajkkb.exe Enfenplo.exe File opened for modification C:\Windows\SysWOW64\Jgojpjem.exe Jnffgd32.exe File opened for modification C:\Windows\SysWOW64\Mooaljkh.exe Mlaeonld.exe File created C:\Windows\SysWOW64\Egadpgfp.dll Fmcoja32.exe File created C:\Windows\SysWOW64\Pqhpdhcc.exe Pklhlael.exe File opened for modification C:\Windows\SysWOW64\Cnmehnan.exe Cgcmlcja.exe File created C:\Windows\SysWOW64\Iimfgo32.dll Bdbhke32.exe File opened for modification C:\Windows\SysWOW64\Bblogakg.exe Blbfjg32.exe File created C:\Windows\SysWOW64\Mpcnkg32.dll Lclnemgd.exe File created C:\Windows\SysWOW64\Ebgacddo.exe Epieghdk.exe File created C:\Windows\SysWOW64\Mlibjc32.exe Mijfnh32.exe File created C:\Windows\SysWOW64\Cfiini32.dll Mhbped32.exe File created C:\Windows\SysWOW64\Lcnaga32.dll Ollajp32.exe File created C:\Windows\SysWOW64\Oopfakpa.exe Oghopm32.exe File opened for modification C:\Windows\SysWOW64\Aecaidjl.exe Aaheie32.exe File created C:\Windows\SysWOW64\Bejdiffp.exe Boplllob.exe File created C:\Windows\SysWOW64\Ajejgp32.exe Ahgnke32.exe File created C:\Windows\SysWOW64\Hhijaf32.dll Dookgcij.exe File created C:\Windows\SysWOW64\Jocflgga.exe Ihjnom32.exe File created C:\Windows\SysWOW64\Dcmfoi32.dll Jicgpb32.exe File opened for modification C:\Windows\SysWOW64\Mkklljmg.exe Mlhkpm32.exe File opened for modification C:\Windows\SysWOW64\Mpfkqb32.exe Mimbdhhb.exe File opened for modification C:\Windows\SysWOW64\Pfoocjfd.exe Odobjg32.exe File created C:\Windows\SysWOW64\Ganpomec.exe Gdjpeifj.exe File created C:\Windows\SysWOW64\Mbpgggol.exe Mkhofjoj.exe File opened for modification C:\Windows\SysWOW64\Bcaomf32.exe Bpafkknm.exe File opened for modification C:\Windows\SysWOW64\Kemejc32.exe Jnclnihj.exe File created C:\Windows\SysWOW64\Khcmap32.dll Lliflp32.exe File opened for modification C:\Windows\SysWOW64\Fiaeoang.exe Fbgmbg32.exe File created C:\Windows\SysWOW64\Cilibi32.exe Cfnmfn32.exe File created C:\Windows\SysWOW64\Djmicm32.exe Dbfabp32.exe File created C:\Windows\SysWOW64\Idcokkak.exe Illgimph.exe File created C:\Windows\SysWOW64\Jcmafj32.exe Jnpinc32.exe File created C:\Windows\SysWOW64\Lgahch32.dll Fhhcgj32.exe File opened for modification C:\Windows\SysWOW64\Flmefm32.exe Ffpmnf32.exe File opened for modification C:\Windows\SysWOW64\Fllnlg32.exe Fcefji32.exe File opened for modification C:\Windows\SysWOW64\Bdbhke32.exe Amhpnkch.exe File created C:\Windows\SysWOW64\Egjpkffe.exe Eqpgol32.exe File created C:\Windows\SysWOW64\Gbcfadgl.exe Gikaio32.exe File opened for modification C:\Windows\SysWOW64\Kiqpop32.exe Keednado.exe File created C:\Windows\SysWOW64\Fbpljhnf.dll Magqncba.exe File created C:\Windows\SysWOW64\Agpgbgpe.dll Kblhgk32.exe File created C:\Windows\SysWOW64\Mbcjffka.dll Mppepcfg.exe File created C:\Windows\SysWOW64\Onjgiiad.exe Oklkmnbp.exe File created C:\Windows\SysWOW64\Anojbobe.exe Ahdaee32.exe File created C:\Windows\SysWOW64\Hibeif32.dll Odeiibdq.exe File created C:\Windows\SysWOW64\Kpeliikc.dll Abpfhcje.exe File created C:\Windows\SysWOW64\Eijcpoac.exe Eflgccbp.exe File created C:\Windows\SysWOW64\Lanfmb32.dll Efppoc32.exe File opened for modification C:\Windows\SysWOW64\Ijeghgoh.exe Ihdkao32.exe File created C:\Windows\SysWOW64\Pfioffab.dll Ahgnke32.exe File created C:\Windows\SysWOW64\Nkbhgojk.exe Nefpnhlc.exe File opened for modification C:\Windows\SysWOW64\Eqgnokip.exe Eqdajkkb.exe File created C:\Windows\SysWOW64\Hjphijco.dll Afkdakjb.exe File created C:\Windows\SysWOW64\Behnnm32.exe Bpleef32.exe File created C:\Windows\SysWOW64\Lphhenhc.exe Lmikibio.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5064 5028 WerFault.exe 413 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdgcpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iefhhbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faflglmh.dll" Odoloalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agdjkogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klidkobf.dll" Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifkacb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgagfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihjnom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kaldcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkaglf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijeghgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbnoliap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cklfll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aijpnfif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll" Biafnecn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dodonf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llkbap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkemkhcd.dll" Pefijfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqideepg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofhick32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfdjhndl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbdjbaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpeekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kilfcpqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll" Cilibi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmccf32.dll" Idmhkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnpbep32.dll" Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acjobj32.dll" Lecgje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Moidahcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmbbdq32.dll" Fepiimfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdgcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbdklf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbgmbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cppkph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgecadnb.dll" Mbpgggol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffmipmp.dll" Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokjlf32.dll" Hkhnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkhnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihdkao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcmkhb32.dll" Ijgdngmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhdplq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iefhhbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epecke32.dll" Jnpinc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndhipoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giaekk32.dll" Biamilfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ollajp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogkkfmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkdpanhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifnmmhq.dll" Ahdaee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpiipf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mppepcfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oklkmnbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmfjha32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1924 wrote to memory of 2756 1924 deffd003fd7aba601a3cdf020f12ed10_NEIKI.exe 28 PID 1924 wrote to memory of 2756 1924 deffd003fd7aba601a3cdf020f12ed10_NEIKI.exe 28 PID 1924 wrote to memory of 2756 1924 deffd003fd7aba601a3cdf020f12ed10_NEIKI.exe 28 PID 1924 wrote to memory of 2756 1924 deffd003fd7aba601a3cdf020f12ed10_NEIKI.exe 28 PID 2756 wrote to memory of 2596 2756 Qdccfh32.exe 29 PID 2756 wrote to memory of 2596 2756 Qdccfh32.exe 29 PID 2756 wrote to memory of 2596 2756 Qdccfh32.exe 29 PID 2756 wrote to memory of 2596 2756 Qdccfh32.exe 29 PID 2596 wrote to memory of 2796 2596 Afdlhchf.exe 30 PID 2596 wrote to memory of 2796 2596 Afdlhchf.exe 30 PID 2596 wrote to memory of 2796 2596 Afdlhchf.exe 30 PID 2596 wrote to memory of 2796 2596 Afdlhchf.exe 30 PID 2796 wrote to memory of 2152 2796 Apomfh32.exe 31 PID 2796 wrote to memory of 2152 2796 Apomfh32.exe 31 PID 2796 wrote to memory of 2152 2796 Apomfh32.exe 31 PID 2796 wrote to memory of 2152 2796 Apomfh32.exe 31 PID 2152 wrote to memory of 2188 2152 Abpfhcje.exe 32 PID 2152 wrote to memory of 2188 2152 Abpfhcje.exe 32 PID 2152 wrote to memory of 2188 2152 Abpfhcje.exe 32 PID 2152 wrote to memory of 2188 2152 Abpfhcje.exe 32 PID 2188 wrote to memory of 2588 2188 Aepojo32.exe 33 PID 2188 wrote to memory of 2588 2188 Aepojo32.exe 33 PID 2188 wrote to memory of 2588 2188 Aepojo32.exe 33 PID 2188 wrote to memory of 2588 2188 Aepojo32.exe 33 PID 2588 wrote to memory of 1856 2588 Bagpopmj.exe 34 PID 2588 wrote to memory of 1856 2588 Bagpopmj.exe 34 PID 2588 wrote to memory of 1856 2588 Bagpopmj.exe 34 PID 2588 wrote to memory of 1856 2588 Bagpopmj.exe 34 PID 1856 wrote to memory of 1364 1856 Bbflib32.exe 35 PID 1856 wrote to memory of 1364 1856 Bbflib32.exe 35 PID 1856 wrote to memory of 1364 1856 Bbflib32.exe 35 PID 1856 wrote to memory of 1364 1856 Bbflib32.exe 35 PID 1364 wrote to memory of 2156 1364 Bpafkknm.exe 36 PID 1364 wrote to memory of 2156 1364 Bpafkknm.exe 36 PID 1364 wrote to memory of 2156 1364 Bpafkknm.exe 36 PID 1364 wrote to memory of 2156 1364 Bpafkknm.exe 36 PID 2156 wrote to memory of 1484 2156 Bcaomf32.exe 37 PID 2156 wrote to memory of 1484 2156 Bcaomf32.exe 37 PID 2156 wrote to memory of 1484 2156 Bcaomf32.exe 37 PID 2156 wrote to memory of 1484 2156 Bcaomf32.exe 37 PID 1484 wrote to memory of 1576 1484 Cjlgiqbk.exe 38 PID 1484 wrote to memory of 1576 1484 Cjlgiqbk.exe 38 PID 1484 wrote to memory of 1576 1484 Cjlgiqbk.exe 38 PID 1484 wrote to memory of 1576 1484 Cjlgiqbk.exe 38 PID 1576 wrote to memory of 1220 1576 Chcqpmep.exe 39 PID 1576 wrote to memory of 1220 1576 Chcqpmep.exe 39 PID 1576 wrote to memory of 1220 1576 Chcqpmep.exe 39 PID 1576 wrote to memory of 1220 1576 Chcqpmep.exe 39 PID 1220 wrote to memory of 2764 1220 Cbnbobin.exe 40 PID 1220 wrote to memory of 2764 1220 Cbnbobin.exe 40 PID 1220 wrote to memory of 2764 1220 Cbnbobin.exe 40 PID 1220 wrote to memory of 2764 1220 Cbnbobin.exe 40 PID 2764 wrote to memory of 2288 2764 Dbpodagk.exe 41 PID 2764 wrote to memory of 2288 2764 Dbpodagk.exe 41 PID 2764 wrote to memory of 2288 2764 Dbpodagk.exe 41 PID 2764 wrote to memory of 2288 2764 Dbpodagk.exe 41 PID 2288 wrote to memory of 264 2288 Dodonf32.exe 42 PID 2288 wrote to memory of 264 2288 Dodonf32.exe 42 PID 2288 wrote to memory of 264 2288 Dodonf32.exe 42 PID 2288 wrote to memory of 264 2288 Dodonf32.exe 42 PID 264 wrote to memory of 1300 264 Djpmccqq.exe 43 PID 264 wrote to memory of 1300 264 Djpmccqq.exe 43 PID 264 wrote to memory of 1300 264 Djpmccqq.exe 43 PID 264 wrote to memory of 1300 264 Djpmccqq.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\deffd003fd7aba601a3cdf020f12ed10_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\deffd003fd7aba601a3cdf020f12ed10_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:640 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:352 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe33⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe34⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe35⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:696 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe37⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe39⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe40⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe41⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe42⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe43⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe45⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe46⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe47⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe48⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe49⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe50⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe51⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe52⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe53⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe54⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe55⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe57⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe58⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe61⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe62⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe65⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe66⤵PID:1156
-
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe68⤵
- Modifies registry class
PID:468 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe69⤵PID:2060
-
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe70⤵PID:324
-
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1104 -
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1316 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe73⤵PID:1532
-
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe74⤵PID:564
-
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe75⤵
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe76⤵PID:2484
-
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe77⤵
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe78⤵
- Drops file in System32 directory
PID:328 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe79⤵PID:844
-
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe80⤵PID:2464
-
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe81⤵PID:1120
-
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe82⤵PID:1588
-
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe83⤵PID:1692
-
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe84⤵PID:828
-
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe85⤵PID:1188
-
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe86⤵PID:2972
-
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:904 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe88⤵PID:2260
-
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe89⤵PID:2612
-
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe91⤵PID:2704
-
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe92⤵PID:2208
-
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe93⤵PID:1700
-
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1456 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe95⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe96⤵PID:2284
-
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe97⤵
- Modifies registry class
PID:596 -
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe98⤵PID:1884
-
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe99⤵
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe100⤵PID:1784
-
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe101⤵PID:800
-
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe102⤵
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe103⤵PID:1676
-
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe105⤵PID:1496
-
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe106⤵PID:3028
-
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe107⤵
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe108⤵PID:2844
-
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe109⤵PID:2744
-
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe111⤵PID:860
-
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe114⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:796 -
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe116⤵PID:1928
-
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe117⤵PID:276
-
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe118⤵
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe119⤵PID:884
-
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe120⤵PID:2800
-
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe121⤵PID:1376
-
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe122⤵PID:632
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-