Analysis
max time kernel: 21s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 03:22
Behavioral task behavioral1
Sample: ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe
Resource: win10v2004-20240426-en
General
Target: ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe
Size: 176KB
MD5: ddc39edb3f51a37feb8e1dfa32a771f0
SHA1: bb2e690000d05bb33e9a1be5628f48cb70572581
SHA256: 61c2807bc25c61053aab607554b19f2254afb9320f87689287bc552a067b5b3f
SHA512: 268fbd1010f35b7112e93e248c463f3dd2125ba447010c8cfdeb6e272e71ce0e0ae5792b892963978fb0257e53e8d38afebb84d14f73e1ffce006b5c34a4ed86
SSDEEP: 3072:JYcQty2veUjmOiBn3w8BdTj2h33ppaS46HUF2pMXSfN6RnQShl:StnvLjVu3w8BdTj2V3ppQ60MMCf0RnQ4
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbgmigeq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ffcllo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jajala32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Onocmadb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iigpli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Koddccaa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjgoje32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iecdhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mamgmofp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pddnnp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmphhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iigpli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbqbaofc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gfkkpmko.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qngopb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmlgfnal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jonbee32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjcckf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bepjha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ciifbchf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Domqjm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Khabghdl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lohjnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nfghdcfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjgoje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kbcdbp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koddccaa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgqpkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgqpkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qgjqjjll.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjallg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fheabelm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcegin32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cepfgdnj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgmbkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dljkcb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmogmjmn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjhcegll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jnnnalph.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anneqafn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gngcgp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afajafoa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbbgod32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elfcbo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qndigd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpcnonob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Enlidg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpedeg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Akqpom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpqain32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cljodo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlfacfpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oajlkojn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnihdemo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cljodo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgmbkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjlheehe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fjhcegll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gnpmfqap.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdpldi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdbahpec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Akncimmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dohgomgf.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral1/memory/2656-0-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/files/0x000e000000014698-5.dat | family_berbew
behavioral1/memory/2656-6-0x00000000002B0000-0x00000000002EF000-memory.dmp | family_berbew
behavioral1/memory/2504-19-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/memory/2692-28-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/files/0x002a000000014b6d-27.dat | family_berbew
behavioral1/files/0x0007000000015264-34.dat | family_berbew
behavioral1/files/0x00070000000155d4-50.dat | family_berbew
behavioral1/memory/2596-54-0x0000000000220000-0x000000000025F000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016cf0-66.dat | family_berbew
behavioral1/files/0x0006000000016d11-74.dat | family_berbew
behavioral1/memory/2840-82-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016d36-88.dat | family_berbew
behavioral1/files/0x0006000000016d4a-101.dat | family_berbew
behavioral1/files/0x0013000000014c67-114.dat | family_berbew
behavioral1/files/0x0006000000016d89-128.dat | family_berbew
behavioral1/memory/1600-136-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/files/0x000600000001704f-147.dat | family_berbew
behavioral1/memory/1988-149-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/files/0x000500000001868c-160.dat | family_berbew
behavioral1/files/0x00050000000186a0-169.dat | family_berbew
behavioral1/memory/1100-181-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/files/0x0006000000018ae8-191.dat | family_berbew
behavioral1/memory/2096-190-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/memory/2096-198-0x0000000000220000-0x000000000025F000-memory.dmp | family_berbew
behavioral1/memory/2916-206-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/files/0x0006000000018b33-204.dat | family_berbew
behavioral1/files/0x0006000000018b42-216.dat | family_berbew
behavioral1/memory/2956-217-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/files/0x0006000000018b6a-224.dat | family_berbew
behavioral1/memory/1692-232-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/files/0x0006000000018d06-246.dat | family_berbew
behavioral1/memory/780-265-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/memory/780-270-0x00000000002D0000-0x000000000030F000-memory.dmp | family_berbew
behavioral1/memory/2132-276-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/memory/2132-281-0x00000000005D0000-0x000000000060F000-memory.dmp | family_berbew
behavioral1/memory/648-283-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/memory/648-289-0x00000000002E0000-0x000000000031F000-memory.dmp | family_berbew
behavioral1/memory/2116-305-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/files/0x000500000001946b-303.dat | family_berbew
behavioral1/memory/2264-316-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/memory/2116-315-0x0000000000220000-0x000000000025F000-memory.dmp | family_berbew
behavioral1/files/0x0005000000019473-313.dat | family_berbew
behavioral1/memory/2832-327-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/memory/2868-342-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/files/0x00050000000194e8-345.dat | family_berbew
behavioral1/memory/2556-353-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/memory/2868-344-0x0000000000220000-0x000000000025F000-memory.dmp | family_berbew
behavioral1/memory/2556-358-0x0000000000220000-0x000000000025F000-memory.dmp | family_berbew
behavioral1/files/0x00050000000194f2-366.dat | family_berbew
behavioral1/memory/2760-374-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/memory/2616-381-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/memory/584-392-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/files/0x000500000001959c-398.dat | family_berbew
behavioral1/memory/584-405-0x0000000000220000-0x000000000025F000-memory.dmp | family_berbew
behavioral1/memory/2656-425-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/memory/2692-437-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/memory/1156-438-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/memory/2504-436-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/files/0x00050000000195aa-445.dat | family_berbew
behavioral1/memory/1272-454-0x0000000000220000-0x000000000025F000-memory.dmp | family_berbew
behavioral1/memory/2596-458-0x0000000000400000-0x000000000043F000-memory.dmp | family_berbew
behavioral1/files/0x00050000000195ff-455.dat | family_berbew
behavioral1/memory/1792-464-0x00000000002C0000-0x00000000002FF000-memory.dmp | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
2504 | Ffcllo32.exe
2692 | Gbjlaplk.exe
2596 | Gnpmfqap.exe
2436 | Gnbjlpom.exe
2416 | Gbqbaofc.exe
2840 | Gngcgp32.exe
696 | Hjndlqal.exe
1304 | Hjqqap32.exe
340 | Hdiejfej.exe
1600 | Hfjnla32.exe
1988 | Hmcfhkjg.exe
1908 | Iogoec32.exe
1100 | Ihpdoh32.exe
2096 | Iecdhm32.exe
2916 | Ioliqbjn.exe
2956 | Inafbooe.exe
1692 | Ikefkcmo.exe
1252 | Jcpkpe32.exe
1560 | Jpdkii32.exe
780 | Jgncfcaa.exe
2132 | Jnhlbn32.exe
648 | Jgqpkc32.exe
2296 | Jajala32.exe
2116 | Jonbee32.exe
2264 | Kopokehd.exe
2832 | Kobkpdfa.exe
2868 | Kbcdbp32.exe
2556 | Kceqjhiq.exe
2636 | Kgbipf32.exe
2760 | Kqknil32.exe
2616 | Lqmjnk32.exe
584 | Lmdkcl32.exe
2128 | Lflplbpi.exe
552 | Lpedeg32.exe
2604 | Lklejh32.exe
1156 | Ledibnco.exe
1272 | Mbhjlbbh.exe
1792 | Mamgmofp.exe
1984 | Mapccndn.exe
1836 | Mikhgqbi.exe
2792 | Mdpldi32.exe
580 | Mimemp32.exe
3052 | Mdbiji32.exe
1124 | Medeaaej.exe
2784 | Npijoj32.exe
300 | Nbhfke32.exe
2168 | Nmfqgbmm.exe
2120 | Noemqe32.exe
1740 | Npgihn32.exe
1980 | Oklnff32.exe
1608 | Oaffbqaa.exe
2908 | Ogcnkgoh.exe
2940 | Ommfga32.exe
2524 | Ocjophem.exe
2468 | Onocmadb.exe
2584 | Oghhfg32.exe
2424 | Oifdbb32.exe
1264 | Opplolac.exe
2484 | Oemegc32.exe
1956 | Olgmcmgh.exe
1140 | Pcaepg32.exe
2204 | Pdbahpec.exe
2972 | Pnjfae32.exe
1116 | Pddnnp32.exe
Loads dropped DLL (64 IoCs)
pid | Process
2656 | ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe
2656 | ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe
2504 | Ffcllo32.exe
2504 | Ffcllo32.exe
2692 | Gbjlaplk.exe
2692 | Gbjlaplk.exe
2596 | Gnpmfqap.exe
2596 | Gnpmfqap.exe
2436 | Gnbjlpom.exe
2436 | Gnbjlpom.exe
2416 | Gbqbaofc.exe
2416 | Gbqbaofc.exe
2840 | Gngcgp32.exe
2840 | Gngcgp32.exe
696 | Hjndlqal.exe
696 | Hjndlqal.exe
1304 | Hjqqap32.exe
1304 | Hjqqap32.exe
340 | Hdiejfej.exe
340 | Hdiejfej.exe
1600 | Hfjnla32.exe
1600 | Hfjnla32.exe
1988 | Hmcfhkjg.exe
1988 | Hmcfhkjg.exe
1908 | Iogoec32.exe
1908 | Iogoec32.exe
1100 | Ihpdoh32.exe
1100 | Ihpdoh32.exe
2096 | Iecdhm32.exe
2096 | Iecdhm32.exe
2916 | Ioliqbjn.exe
2916 | Ioliqbjn.exe
2956 | Inafbooe.exe
2956 | Inafbooe.exe
1692 | Ikefkcmo.exe
1692 | Ikefkcmo.exe
1252 | Jcpkpe32.exe
1252 | Jcpkpe32.exe
1560 | Jpdkii32.exe
1560 | Jpdkii32.exe
780 | Jgncfcaa.exe
780 | Jgncfcaa.exe
2132 | Jnhlbn32.exe
2132 | Jnhlbn32.exe
648 | Jgqpkc32.exe
648 | Jgqpkc32.exe
2296 | Jajala32.exe
2296 | Jajala32.exe
2116 | Jonbee32.exe
2116 | Jonbee32.exe
2264 | Kopokehd.exe
2264 | Kopokehd.exe
2832 | Kobkpdfa.exe
2832 | Kobkpdfa.exe
2868 | Kbcdbp32.exe
2868 | Kbcdbp32.exe
2556 | Kceqjhiq.exe
2556 | Kceqjhiq.exe
2636 | Kgbipf32.exe
2636 | Kgbipf32.exe
2760 | Kqknil32.exe
2760 | Kqknil32.exe
2616 | Lqmjnk32.exe
2616 | Lqmjnk32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Kkkjkemj.dll | Mdbiji32.exe
File created | C:\Windows\SysWOW64\Cmnmmikh.dll | Opplolac.exe
File created | C:\Windows\SysWOW64\Afajafoa.exe | Accnekon.exe
File created | C:\Windows\SysWOW64\Eohcninh.dll | Akeijlfq.exe
File opened for modification | C:\Windows\SysWOW64\Dlgnmb32.exe | Dkfbfjdf.exe
File created | C:\Windows\SysWOW64\Faakdene.dll | Eabcggll.exe
File opened for modification | C:\Windows\SysWOW64\Eqjmncna.exe | Egahen32.exe
File created | C:\Windows\SysWOW64\Kldhfkql.dll | Hjqqap32.exe
File opened for modification | C:\Windows\SysWOW64\Ifampo32.exe | Ihmpobck.exe
File created | C:\Windows\SysWOW64\Golnjpio.dll | Bbbgod32.exe
File created | C:\Windows\SysWOW64\Cbgmigeq.exe | Cjlheehe.exe
File created | C:\Windows\SysWOW64\Dhfcho32.dll | Cnnnnh32.exe
File opened for modification | C:\Windows\SysWOW64\Eppcmncq.exe | Eclbcj32.exe
File opened for modification | C:\Windows\SysWOW64\Hnkion32.exe | Hfpdkl32.exe
File opened for modification | C:\Windows\SysWOW64\Dkfbfjdf.exe | Dbojdmcd.exe
File opened for modification | C:\Windows\SysWOW64\Joiappkp.exe | Jofejpmc.exe
File created | C:\Windows\SysWOW64\Coicmk32.dll | Kobkpdfa.exe
File created | C:\Windows\SysWOW64\Lflplbpi.exe | Lmdkcl32.exe
File created | C:\Windows\SysWOW64\Mildmcdo.dll | Lmdkcl32.exe
File created | C:\Windows\SysWOW64\Ecfeho32.dll | Mikhgqbi.exe
File opened for modification | C:\Windows\SysWOW64\Nmfqgbmm.exe | Nbhfke32.exe
File opened for modification | C:\Windows\SysWOW64\Diphbfdi.exe | Dpgcip32.exe
File opened for modification | C:\Windows\SysWOW64\Edclib32.exe | Egokonjc.exe
File created | C:\Windows\SysWOW64\Demofaol.exe | Dejbqb32.exe
File created | C:\Windows\SysWOW64\Gnpmfqap.exe | Gbjlaplk.exe
File created | C:\Windows\SysWOW64\Bgnfdm32.exe | Bepjha32.exe
File created | C:\Windows\SysWOW64\Danmmd32.exe | Cifelgmd.exe
File opened for modification | C:\Windows\SysWOW64\Mbhjlbbh.exe | Ledibnco.exe
File opened for modification | C:\Windows\SysWOW64\Bbonei32.exe | Bpqain32.exe
File opened for modification | C:\Windows\SysWOW64\Hfpdkl32.exe | Gjicfk32.exe
File created | C:\Windows\SysWOW64\Qdaglmcb.exe | Qngopb32.exe
File opened for modification | C:\Windows\SysWOW64\Edfbaabj.exe | Enlidg32.exe
File opened for modification | C:\Windows\SysWOW64\Pnmcfeia.exe | Pgckjk32.exe
File created | C:\Windows\SysWOW64\Mdbiji32.exe | Mimemp32.exe
File opened for modification | C:\Windows\SysWOW64\Pqnlhpfb.exe | Pjcckf32.exe
File opened for modification | C:\Windows\SysWOW64\Danmmd32.exe | Cifelgmd.exe
File created | C:\Windows\SysWOW64\Gedaglad.dll | Hhhgcc32.exe
File created | C:\Windows\SysWOW64\Fcikef32.dll | Mmogmjmn.exe
File created | C:\Windows\SysWOW64\Ahbakd32.dll | Nfghdcfj.exe
File opened for modification | C:\Windows\SysWOW64\Anlhkbhq.exe | Agbpnh32.exe
File created | C:\Windows\SysWOW64\Mapccndn.exe | Mamgmofp.exe
File created | C:\Windows\SysWOW64\Aqhhanig.exe | Ajnpecbj.exe
File created | C:\Windows\SysWOW64\Fpmbfbgo.exe | Edfbaabj.exe
File opened for modification | C:\Windows\SysWOW64\Qgjqjjll.exe | Pnalad32.exe
File created | C:\Windows\SysWOW64\Qblodoke.dll | Ogcnkgoh.exe
File created | C:\Windows\SysWOW64\Jmiajbpa.dll | Ihmpobck.exe
File created | C:\Windows\SysWOW64\Adfqgl32.exe | Anlhkbhq.exe
File created | C:\Windows\SysWOW64\Jpdkii32.exe | Jcpkpe32.exe
File opened for modification | C:\Windows\SysWOW64\Bjmbqhif.exe | Bgnfdm32.exe
File opened for modification | C:\Windows\SysWOW64\Hmeolj32.exe | Hhhgcc32.exe
File opened for modification | C:\Windows\SysWOW64\Nenakoho.exe | Nlfmbibo.exe
File created | C:\Windows\SysWOW64\Lnpfoc32.dll | Qnebjc32.exe
File opened for modification | C:\Windows\SysWOW64\Ogcnkgoh.exe | Oaffbqaa.exe
File created | C:\Windows\SysWOW64\Nbhfke32.exe | Npijoj32.exe
File created | C:\Windows\SysWOW64\Cmpdgf32.exe | Cffljlpc.exe
File opened for modification | C:\Windows\SysWOW64\Medeaaej.exe | Mdbiji32.exe
File opened for modification | C:\Windows\SysWOW64\Domqjm32.exe | Diphbfdi.exe
File created | C:\Windows\SysWOW64\Egokonjc.exe | Eabcggll.exe
File created | C:\Windows\SysWOW64\Ioakoq32.exe | Ihhcbf32.exe
File created | C:\Windows\SysWOW64\Khabghdl.exe | Kfbfkmeh.exe
File opened for modification | C:\Windows\SysWOW64\Mlfacfpc.exe | Mnbpjb32.exe
File created | C:\Windows\SysWOW64\Kgigbp32.dll | Fcbecl32.exe
File opened for modification | C:\Windows\SysWOW64\Gbhbdi32.exe | Fhomkcoa.exe
File created | C:\Windows\SysWOW64\Aennba32.exe | Ancefgfd.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1200 | 804 | WerFault.exe | 663
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cplpppdf.dll" | Lokgcf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjgoje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Copjdhib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mneedo32.dll" | Gngcgp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jcpkpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Akeijlfq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pdbahpec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aennba32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fheabelm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kqknil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oaffbqaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ommfga32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nbbbdcgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkmjn32.dll" | Adfqgl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edmkdcdl.dll" | Ledibnco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bibpad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphhqinm.dll" | Bcjqdmla.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Koddccaa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qdaglmcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fcbecl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bmphhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bpqain32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cbgmigeq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qblodoke.dll" | Ogcnkgoh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aeggbbci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nmlgfnal.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cohkpj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dinklffl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmkehj32.dll" | Lklejh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Noemqe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bcgdom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dpgcip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghakg32.dll" | Mlkjne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fnacpffh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fjhcegll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cemdajgc.dll" | Iogoec32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bjmbqhif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmjq32.dll" | Cepfgdnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lqqpgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhnop32.dll" | Dlfgcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ledibnco.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dkfbfjdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iigpli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchgdg32.dll" | Aeggbbci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfbfkmeh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gnbjlpom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gbqbaofc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qgjqjjll.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dljkcb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Domqjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejddn32.dll" | Degiggjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeqkmn32.dll" | Hhejnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnnefda.dll" | Koddccaa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hmcfhkjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Onocmadb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dgmbkk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lokgcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obidifcn.dll" | Qjkjle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cifelgmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglmnmlc.dll" | Dkfbfjdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdjccf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Obdojcef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jpdkii32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Each entry gives the image path, the command line as recorded by the sandbox, and the PID; the leading number is the nesting depth in the process tree (each process spawns the next one). The bullets under an entry are the signatures that matched for that process.

1. C:\Users\Admin\AppData\Local\Temp\ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe (command line: "C:\Users\Admin\AppData\Local\Temp\ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe"; PID 2656)
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\Ffcllo32.exe (command line: C:\Windows\system32\Ffcllo32.exe; PID 2504)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\Gbjlaplk.exe (command line: C:\Windows\system32\Gbjlaplk.exe; PID 2692)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

4. C:\Windows\SysWOW64\Gnpmfqap.exe (command line: C:\Windows\system32\Gnpmfqap.exe; PID 2596)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

5. C:\Windows\SysWOW64\Gnbjlpom.exe (command line: C:\Windows\system32\Gnbjlpom.exe; PID 2436)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

6. C:\Windows\SysWOW64\Gbqbaofc.exe (command line: C:\Windows\system32\Gbqbaofc.exe; PID 2416)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

7. C:\Windows\SysWOW64\Gngcgp32.exe (command line: C:\Windows\system32\Gngcgp32.exe; PID 2840)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

8. C:\Windows\SysWOW64\Hjndlqal.exe (command line: C:\Windows\system32\Hjndlqal.exe; PID 696)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

9. C:\Windows\SysWOW64\Hjqqap32.exe (command line: C:\Windows\system32\Hjqqap32.exe; PID 1304)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

10. C:\Windows\SysWOW64\Hdiejfej.exe (command line: C:\Windows\system32\Hdiejfej.exe; PID 340)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

11. C:\Windows\SysWOW64\Hfjnla32.exe (command line: C:\Windows\system32\Hfjnla32.exe; PID 1600)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

12. C:\Windows\SysWOW64\Hmcfhkjg.exe (command line: C:\Windows\system32\Hmcfhkjg.exe; PID 1988)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

13. C:\Windows\SysWOW64\Iogoec32.exe (command line: C:\Windows\system32\Iogoec32.exe; PID 1908)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

14. C:\Windows\SysWOW64\Ihpdoh32.exe (command line: C:\Windows\system32\Ihpdoh32.exe; PID 1100)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

15. C:\Windows\SysWOW64\Iecdhm32.exe (command line: C:\Windows\system32\Iecdhm32.exe; PID 2096)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

16. C:\Windows\SysWOW64\Ioliqbjn.exe (command line: C:\Windows\system32\Ioliqbjn.exe; PID 2916)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

17. C:\Windows\SysWOW64\Inafbooe.exe (command line: C:\Windows\system32\Inafbooe.exe; PID 2956)
- Executes dropped EXE
- Loads dropped DLL

18. C:\Windows\SysWOW64\Ikefkcmo.exe (command line: C:\Windows\system32\Ikefkcmo.exe; PID 1692)
- Executes dropped EXE
- Loads dropped DLL

19. C:\Windows\SysWOW64\Jcpkpe32.exe (command line: C:\Windows\system32\Jcpkpe32.exe; PID 1252)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class

20. C:\Windows\SysWOW64\Jpdkii32.exe (command line: C:\Windows\system32\Jpdkii32.exe; PID 1560)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

21. C:\Windows\SysWOW64\Jgncfcaa.exe (command line: C:\Windows\system32\Jgncfcaa.exe; PID 780)
- Executes dropped EXE
- Loads dropped DLL

22. C:\Windows\SysWOW64\Jnhlbn32.exe (command line: C:\Windows\system32\Jnhlbn32.exe; PID 2132)
- Executes dropped EXE
- Loads dropped DLL

23. C:\Windows\SysWOW64\Jgqpkc32.exe (command line: C:\Windows\system32\Jgqpkc32.exe; PID 648)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

24. C:\Windows\SysWOW64\Jajala32.exe (command line: C:\Windows\system32\Jajala32.exe; PID 2296)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

25. C:\Windows\SysWOW64\Jonbee32.exe (command line: C:\Windows\system32\Jonbee32.exe; PID 2116)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

26. C:\Windows\SysWOW64\Kopokehd.exe (command line: C:\Windows\system32\Kopokehd.exe; PID 2264)
- Executes dropped EXE
- Loads dropped DLL

27. C:\Windows\SysWOW64\Kobkpdfa.exe (command line: C:\Windows\system32\Kobkpdfa.exe; PID 2832)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

28. C:\Windows\SysWOW64\Kbcdbp32.exe (command line: C:\Windows\system32\Kbcdbp32.exe; PID 2868)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

29. C:\Windows\SysWOW64\Kceqjhiq.exe (command line: C:\Windows\system32\Kceqjhiq.exe; PID 2556)
- Executes dropped EXE
- Loads dropped DLL

30. C:\Windows\SysWOW64\Kgbipf32.exe (command line: C:\Windows\system32\Kgbipf32.exe; PID 2636)
- Executes dropped EXE
- Loads dropped DLL

31. C:\Windows\SysWOW64\Kqknil32.exe (command line: C:\Windows\system32\Kqknil32.exe; PID 2760)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

32. C:\Windows\SysWOW64\Lqmjnk32.exe (command line: C:\Windows\system32\Lqmjnk32.exe; PID 2616)
- Executes dropped EXE
- Loads dropped DLL

33. C:\Windows\SysWOW64\Lmdkcl32.exe (command line: C:\Windows\system32\Lmdkcl32.exe; PID 584)
- Executes dropped EXE
- Drops file in System32 directory

34. C:\Windows\SysWOW64\Lflplbpi.exe (command line: C:\Windows\system32\Lflplbpi.exe; PID 2128)
- Executes dropped EXE

35. C:\Windows\SysWOW64\Lpedeg32.exe (command line: C:\Windows\system32\Lpedeg32.exe; PID 552)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

36. C:\Windows\SysWOW64\Lklejh32.exe (command line: C:\Windows\system32\Lklejh32.exe; PID 2604)
- Executes dropped EXE
- Modifies registry class

37. C:\Windows\SysWOW64\Ledibnco.exe (command line: C:\Windows\system32\Ledibnco.exe; PID 1156)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

38. C:\Windows\SysWOW64\Mbhjlbbh.exe (command line: C:\Windows\system32\Mbhjlbbh.exe; PID 1272)
- Executes dropped EXE

39. C:\Windows\SysWOW64\Mamgmofp.exe (command line: C:\Windows\system32\Mamgmofp.exe; PID 1792)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory

40. C:\Windows\SysWOW64\Mapccndn.exe (command line: C:\Windows\system32\Mapccndn.exe; PID 1984)
- Executes dropped EXE

41. C:\Windows\SysWOW64\Mikhgqbi.exe (command line: C:\Windows\system32\Mikhgqbi.exe; PID 1836)
- Executes dropped EXE
- Drops file in System32 directory

42. C:\Windows\SysWOW64\Mdpldi32.exe (command line: C:\Windows\system32\Mdpldi32.exe; PID 2792)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

43. C:\Windows\SysWOW64\Mimemp32.exe (command line: C:\Windows\system32\Mimemp32.exe; PID 580)
- Executes dropped EXE
- Drops file in System32 directory

44. C:\Windows\SysWOW64\Mdbiji32.exe (command line: C:\Windows\system32\Mdbiji32.exe; PID 3052)
- Executes dropped EXE
- Drops file in System32 directory

45. C:\Windows\SysWOW64\Medeaaej.exe (command line: C:\Windows\system32\Medeaaej.exe; PID 1124)
- Executes dropped EXE

46. C:\Windows\SysWOW64\Npijoj32.exe (command line: C:\Windows\system32\Npijoj32.exe; PID 2784)
- Executes dropped EXE
- Drops file in System32 directory

47. C:\Windows\SysWOW64\Nbhfke32.exe (command line: C:\Windows\system32\Nbhfke32.exe; PID 300)
- Executes dropped EXE
- Drops file in System32 directory

48. C:\Windows\SysWOW64\Nmfqgbmm.exe (command line: C:\Windows\system32\Nmfqgbmm.exe; PID 2168)
- Executes dropped EXE

49. C:\Windows\SysWOW64\Noemqe32.exe (command line: C:\Windows\system32\Noemqe32.exe; PID 2120)
- Executes dropped EXE
- Modifies registry class

50. C:\Windows\SysWOW64\Npgihn32.exe (command line: C:\Windows\system32\Npgihn32.exe; PID 1740)
- Executes dropped EXE

51. C:\Windows\SysWOW64\Oklnff32.exe (command line: C:\Windows\system32\Oklnff32.exe; PID 1980)
- Executes dropped EXE

52. C:\Windows\SysWOW64\Oaffbqaa.exe (command line: C:\Windows\system32\Oaffbqaa.exe; PID 1608)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

53. C:\Windows\SysWOW64\Ogcnkgoh.exe (command line: C:\Windows\system32\Ogcnkgoh.exe; PID 2908)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

54. C:\Windows\SysWOW64\Ommfga32.exe (command line: C:\Windows\system32\Ommfga32.exe; PID 2940)
- Executes dropped EXE
- Modifies registry class

55. C:\Windows\SysWOW64\Ocjophem.exe (command line: C:\Windows\system32\Ocjophem.exe; PID 2524)
- Executes dropped EXE

56. C:\Windows\SysWOW64\Onocmadb.exe (command line: C:\Windows\system32\Onocmadb.exe; PID 2468)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

57. C:\Windows\SysWOW64\Oghhfg32.exe (command line: C:\Windows\system32\Oghhfg32.exe; PID 2584)
- Executes dropped EXE

58. C:\Windows\SysWOW64\Oifdbb32.exe (command line: C:\Windows\system32\Oifdbb32.exe; PID 2424)
- Executes dropped EXE

59. C:\Windows\SysWOW64\Opplolac.exe (command line: C:\Windows\system32\Opplolac.exe; PID 1264)
- Executes dropped EXE
- Drops file in System32 directory

60. C:\Windows\SysWOW64\Oemegc32.exe (command line: C:\Windows\system32\Oemegc32.exe; PID 2484)
- Executes dropped EXE

61. C:\Windows\SysWOW64\Olgmcmgh.exe (command line: C:\Windows\system32\Olgmcmgh.exe; PID 1956)
- Executes dropped EXE

62. C:\Windows\SysWOW64\Pcaepg32.exe (command line: C:\Windows\system32\Pcaepg32.exe; PID 1140)
- Executes dropped EXE

63. C:\Windows\SysWOW64\Pdbahpec.exe (command line: C:\Windows\system32\Pdbahpec.exe; PID 2204)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

64. C:\Windows\SysWOW64\Pnjfae32.exe (command line: C:\Windows\system32\Pnjfae32.exe; PID 2972)
- Executes dropped EXE

65. C:\Windows\SysWOW64\Pddnnp32.exe (command line: C:\Windows\system32\Pddnnp32.exe; PID 1116)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

66. C:\Windows\SysWOW64\Pgckjk32.exe (command line: C:\Windows\system32\Pgckjk32.exe; PID 2900)
- Drops file in System32 directory

67. C:\Windows\SysWOW64\Pnmcfeia.exe (command line: C:\Windows\system32\Pnmcfeia.exe; PID 2276)

68. C:\Windows\SysWOW64\Pdgkco32.exe (command line: C:\Windows\system32\Pdgkco32.exe; PID 2144)

69. C:\Windows\SysWOW64\Pjcckf32.exe (command line: C:\Windows\system32\Pjcckf32.exe; PID 1664)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

70. C:\Windows\SysWOW64\Pqnlhpfb.exe (command line: C:\Windows\system32\Pqnlhpfb.exe; PID 292)

71. C:\Windows\SysWOW64\Pclhdl32.exe (command line: C:\Windows\system32\Pclhdl32.exe; PID 804)

72. C:\Windows\SysWOW64\Pnalad32.exe (command line: C:\Windows\system32\Pnalad32.exe; PID 2640)
- Drops file in System32 directory

73. C:\Windows\SysWOW64\Qgjqjjll.exe (command line: C:\Windows\system32\Qgjqjjll.exe; PID 2528)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

74. C:\Windows\SysWOW64\Qndigd32.exe (command line: C:\Windows\system32\Qndigd32.exe; PID 2444)
- Adds autorun key to be loaded by Explorer.exe on startup

75. C:\Windows\SysWOW64\Qoeeolig.exe (command line: C:\Windows\system32\Qoeeolig.exe; PID 2032)

76. C:\Windows\SysWOW64\Qjkjle32.exe (command line: C:\Windows\system32\Qjkjle32.exe; PID 240)
- Modifies registry class

77. C:\Windows\SysWOW64\Accnekon.exe (command line: C:\Windows\system32\Accnekon.exe; PID 2724)
- Drops file in System32 directory

78. C:\Windows\SysWOW64\Afajafoa.exe (command line: C:\Windows\system32\Afajafoa.exe; PID 2396)
- Adds autorun key to be loaded by Explorer.exe on startup

79. C:\Windows\SysWOW64\Akncimmh.exe (command line: C:\Windows\system32\Akncimmh.exe; PID 2876)
- Adds autorun key to be loaded by Explorer.exe on startup

80. C:\Windows\SysWOW64\Abhkfg32.exe (command line: C:\Windows\system32\Abhkfg32.exe; PID 1936)

81. C:\Windows\SysWOW64\Aeggbbci.exe (command line: C:\Windows\system32\Aeggbbci.exe; PID 2088)
- Modifies registry class

82. C:\Windows\SysWOW64\Akqpom32.exe (command line: C:\Windows\system32\Akqpom32.exe; PID 2780)
- Adds autorun key to be loaded by Explorer.exe on startup

83. C:\Windows\SysWOW64\Abkhkgbb.exe (command line: C:\Windows\system32\Abkhkgbb.exe; PID 2776)

84. C:\Windows\SysWOW64\Aeidgbaf.exe (command line: C:\Windows\system32\Aeidgbaf.exe; PID 868)

85. C:\Windows\SysWOW64\Akcldl32.exe (command line: C:\Windows\system32\Akcldl32.exe; PID 1236)

86. C:\Windows\SysWOW64\Aapemc32.exe (command line: C:\Windows\system32\Aapemc32.exe; PID 1696)

87. C:\Windows\SysWOW64\Akeijlfq.exe (command line: C:\Windows\system32\Akeijlfq.exe; PID 1308)
- Drops file in System32 directory
- Modifies registry class

88. C:\Windows\SysWOW64\Ancefgfd.exe (command line: C:\Windows\system32\Ancefgfd.exe; PID 1752)
- Drops file in System32 directory

89. C:\Windows\SysWOW64\Aennba32.exe (command line: C:\Windows\system32\Aennba32.exe; PID 2932)
- Modifies registry class

90. C:\Windows\SysWOW64\Bnfblgca.exe (command line: C:\Windows\system32\Bnfblgca.exe; PID 2400)

91. C:\Windows\SysWOW64\Bepjha32.exe (command line: C:\Windows\system32\Bepjha32.exe; PID 2364)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

92. C:\Windows\SysWOW64\Bgnfdm32.exe (command line: C:\Windows\system32\Bgnfdm32.exe; PID 2428)
- Drops file in System32 directory

93. C:\Windows\SysWOW64\Bjmbqhif.exe (command line: C:\Windows\system32\Bjmbqhif.exe; PID 684)
- Modifies registry class

94. C:\Windows\SysWOW64\Bagkmb32.exe (command line: C:\Windows\system32\Bagkmb32.exe; PID 2104)

95. C:\Windows\SysWOW64\Bcegin32.exe (command line: C:\Windows\system32\Bcegin32.exe; PID 2328)
- Adds autorun key to be loaded by Explorer.exe on startup

96. C:\Windows\SysWOW64\Bibpad32.exe (command line: C:\Windows\system32\Bibpad32.exe; PID 1828)
- Modifies registry class

97. C:\Windows\SysWOW64\Bcgdom32.exe (command line: C:\Windows\system32\Bcgdom32.exe; PID 776)
- Modifies registry class

98. C:\Windows\SysWOW64\Bjallg32.exe (command line: C:\Windows\system32\Bjallg32.exe; PID 2580)
- Adds autorun key to be loaded by Explorer.exe on startup

99. C:\Windows\SysWOW64\Bmphhc32.exe (command line: C:\Windows\system32\Bmphhc32.exe; PID 1416)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

100. C:\Windows\SysWOW64\Bcjqdmla.exe (command line: C:\Windows\system32\Bcjqdmla.exe; PID 1248)
- Modifies registry class

101. C:\Windows\SysWOW64\Bekmle32.exe (command line: C:\Windows\system32\Bekmle32.exe; PID 872)

102. C:\Windows\SysWOW64\Bpqain32.exe (command line: C:\Windows\system32\Bpqain32.exe; PID 2292)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class

103. C:\Windows\SysWOW64\Bbonei32.exe (command line: C:\Windows\system32\Bbonei32.exe; PID 1572)

104. C:\Windows\SysWOW64\Ciifbchf.exe (command line: C:\Windows\system32\Ciifbchf.exe; PID 2040)
- Adds autorun key to be loaded by Explorer.exe on startup

105. C:\Windows\SysWOW64\Cpcnonob.exe (command line: C:\Windows\system32\Cpcnonob.exe; PID 1328)
- Adds autorun key to be loaded by Explorer.exe on startup

106. C:\Windows\SysWOW64\Cepfgdnj.exe (command line: C:\Windows\system32\Cepfgdnj.exe; PID 2540)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

107. C:\Windows\SysWOW64\Cljodo32.exe (command line: C:\Windows\system32\Cljodo32.exe; PID 1928)
- Adds autorun key to be loaded by Explorer.exe on startup

108. C:\Windows\SysWOW64\Cohkpj32.exe (command line: C:\Windows\system32\Cohkpj32.exe; PID 592)
- Modifies registry class

109. C:\Windows\SysWOW64\Cdecha32.exe (command line: C:\Windows\system32\Cdecha32.exe; PID 2440)

110. C:\Windows\SysWOW64\Cllkin32.exe (command line: C:\Windows\system32\Cllkin32.exe; PID 1912)

111. C:\Windows\SysWOW64\Cojhejbh.exe (command line: C:\Windows\system32\Cojhejbh.exe; PID 1208)

112. C:\Windows\SysWOW64\Cedpbd32.exe (command line: C:\Windows\system32\Cedpbd32.exe; PID 548)

113. C:\Windows\SysWOW64\Cffljlpc.exe (command line: C:\Windows\system32\Cffljlpc.exe; PID 564)
- Drops file in System32 directory

114. C:\Windows\SysWOW64\Cmpdgf32.exe (command line: C:\Windows\system32\Cmpdgf32.exe; PID 2188)

115. C:\Windows\SysWOW64\Cheido32.exe (command line: C:\Windows\system32\Cheido32.exe; PID 2884)

116. C:\Windows\SysWOW64\Cifelgmd.exe (command line: C:\Windows\system32\Cifelgmd.exe; PID 1144)
- Drops file in System32 directory
- Modifies registry class

117. C:\Windows\SysWOW64\Danmmd32.exe (command line: C:\Windows\system32\Danmmd32.exe; PID 1704)

118. C:\Windows\SysWOW64\Dbojdmcd.exe (command line: C:\Windows\system32\Dbojdmcd.exe; PID 2576)
- Drops file in System32 directory

119. C:\Windows\SysWOW64\Dkfbfjdf.exe (command line: C:\Windows\system32\Dkfbfjdf.exe; PID 2652)
- Drops file in System32 directory
- Modifies registry class

120. C:\Windows\SysWOW64\Dlgnmb32.exe (command line: C:\Windows\system32\Dlgnmb32.exe; PID 2196)

121. C:\Windows\SysWOW64\Dgmbkk32.exe (command line: C:\Windows\system32\Dgmbkk32.exe; PID 636)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

122. C:\Windows\SysWOW64\Dljkcb32.exe (command line: C:\Windows\system32\Dljkcb32.exe; PID 2012)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class