Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 03:24
Behavioral task
behavioral1
Sample
de562345718da687c8db0feebea79450_NEIKI.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
de562345718da687c8db0feebea79450_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
de562345718da687c8db0feebea79450_NEIKI.exe
-
Size
1.5MB
-
MD5
de562345718da687c8db0feebea79450
-
SHA1
25befa2069c77df34c2ddf8adad4b159c46e903b
-
SHA256
e00d2fc361fcace63a761e8a9925eb513916a0ce8e63d9bce9a2b5f920896f48
-
SHA512
2e4033d7ca9245e9ba9ba799cd7d7ba88d93444e45a81d21730ec01a9ea88ce24e46e16fc4dafba51b0cda5593586f5de84c4855167206667ba4a5cc21ae8c11
-
SSDEEP
24576:uNDT4Ph2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3oWtec+fwv4cXce:CSbazR0vKLXZnec+Yv4cXcy6l6mFndwn
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kicmdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblhgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnomcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdfmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efcfga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibbcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbhomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llkbap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onmdoioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icjhagdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pggbla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kconkibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nekbmgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Endhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjilieka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kemejc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Albjlcao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmbhok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kconkibf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmapm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpqdkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcfqkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glfhll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jejhecaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nocnbmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnffgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhngjmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Limfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhigphio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnffgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpkjko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocimgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odobjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdgcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpbiommg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ginnnooi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbfhbeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncgdbmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfgpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieidmbcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmebnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkhofjoj.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000c00000001226d-5.dat family_berbew behavioral1/files/0x0008000000016d33-20.dat family_berbew behavioral1/files/0x0007000000016d44-40.dat family_berbew behavioral1/memory/2672-42-0x0000000000270000-0x00000000002A6000-memory.dmp family_berbew behavioral1/files/0x0007000000016d55-48.dat family_berbew behavioral1/memory/2692-50-0x00000000002A0000-0x00000000002D6000-memory.dmp family_berbew behavioral1/files/0x0038000000016d1a-69.dat family_berbew behavioral1/files/0x0005000000018711-78.dat family_berbew behavioral1/files/0x0005000000018784-98.dat family_berbew behavioral1/files/0x0006000000018bc6-121.dat family_berbew behavioral1/files/0x00060000000190d6-145.dat family_berbew behavioral1/files/0x0005000000019349-158.dat family_berbew behavioral1/files/0x00050000000187a2-115.dat family_berbew behavioral1/files/0x00050000000193d2-164.dat family_berbew behavioral1/files/0x000500000001941b-181.dat family_berbew behavioral1/files/0x0005000000019437-192.dat family_berbew behavioral1/files/0x0005000000019470-213.dat family_berbew behavioral1/files/0x000500000001950d-222.dat family_berbew behavioral1/files/0x0005000000019590-236.dat family_berbew behavioral1/files/0x000500000001961c-247.dat family_berbew behavioral1/files/0x0005000000019624-265.dat family_berbew behavioral1/files/0x0005000000019626-275.dat family_berbew behavioral1/files/0x000500000001962a-288.dat family_berbew behavioral1/files/0x000500000001962e-296.dat family_berbew behavioral1/files/0x0005000000019716-350.dat family_berbew behavioral1/files/0x0005000000019900-361.dat family_berbew behavioral1/files/0x0005000000019962-372.dat family_berbew behavioral1/files/0x0005000000019c6a-393.dat family_berbew behavioral1/files/0x0005000000019c66-382.dat family_berbew behavioral1/files/0x0005000000019dcf-401.dat family_berbew behavioral1/files/0x0005000000019eb7-417.dat family_berbew behavioral1/files/0x000500000001a0f6-449.dat family_berbew behavioral1/files/0x000500000001a418-459.dat family_berbew behavioral1/files/0x000500000001a472-470.dat family_berbew behavioral1/files/0x000500000001a4d1-503.dat family_berbew behavioral1/files/0x000500000001a4db-514.dat family_berbew behavioral1/files/0x000500000001a4b3-494.dat family_berbew behavioral1/files/0x000500000001a47a-482.dat family_berbew behavioral1/files/0x000500000001a4eb-525.dat family_berbew behavioral1/files/0x000500000001a4ef-533.dat family_berbew behavioral1/files/0x000500000001a0b6-437.dat family_berbew behavioral1/files/0x000500000001a04e-426.dat family_berbew behavioral1/files/0x000500000001a4fc-567.dat family_berbew behavioral1/files/0x000500000001a500-578.dat family_berbew behavioral1/files/0x000500000001a505-589.dat family_berbew behavioral1/files/0x000500000001a511-604.dat family_berbew behavioral1/files/0x000500000001a516-620.dat family_berbew behavioral1/files/0x000500000001a509-598.dat family_berbew behavioral1/files/0x000500000001a4f8-556.dat family_berbew behavioral1/files/0x000500000001a4f3-546.dat family_berbew behavioral1/files/0x0005000000019702-340.dat family_berbew behavioral1/files/0x00050000000196bb-329.dat family_berbew behavioral1/files/0x0005000000019679-318.dat family_berbew behavioral1/files/0x0005000000019632-307.dat family_berbew behavioral1/files/0x000500000001a521-642.dat family_berbew behavioral1/files/0x000500000001a519-633.dat family_berbew behavioral1/files/0x000500000001a529-667.dat family_berbew behavioral1/files/0x000500000001a524-655.dat family_berbew behavioral1/files/0x0005000000019620-254.dat family_berbew behavioral1/files/0x000500000001a52e-678.dat family_berbew behavioral1/files/0x000500000001a53e-691.dat family_berbew behavioral1/files/0x000500000001a546-705.dat family_berbew behavioral1/files/0x000500000001a581-715.dat family_berbew behavioral1/files/0x000500000001a929-725.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2744 Djefobmk.exe 2672 Ebedndfa.exe 2692 Eeempocb.exe 2936 Fjilieka.exe 2476 Fjlhneio.exe 752 Gegfdb32.exe 2760 Glfhll32.exe 1504 Hmlnoc32.exe 1536 Hpkjko32.exe 2360 Hgdbhi32.exe 264 Hlakpp32.exe 2032 Hdhbam32.exe 2988 Incpoe32.exe 1396 Jejhecaj.exe 2272 Kemejc32.exe 1736 Kblhgk32.exe 1528 Kjcpii32.exe 2904 Lpdbloof.exe 1948 Leajdfnm.exe 1588 Limfed32.exe 340 Llkbap32.exe 896 Lahkigca.exe 2912 Lmolnh32.exe 3044 Mhdplq32.exe 2856 Monhhk32.exe 1852 Mhgmapfi.exe 1520 Maoajf32.exe 1964 Mdmmfa32.exe 2688 Mkgfckcj.exe 2816 Mmhodf32.exe 2628 Mcegmm32.exe 1848 Meccii32.exe 2572 Mlmlecec.exe 2776 Ncgdbmmp.exe 1552 Noqamn32.exe 1356 Nejiih32.exe 348 Nocnbmoo.exe 2828 Naajoinb.exe 2920 Nkiogn32.exe 984 Npfgpe32.exe 1580 Ofelmloo.exe 2240 Onmdoioa.exe 2244 Oqkqkdne.exe 1108 Ocimgp32.exe 2092 Ombapedi.exe 1460 Oopnlacm.exe 112 Oobjaqaj.exe 1680 Obafnlpn.exe 904 Odobjg32.exe 600 Omfkke32.exe 1624 Ooeggp32.exe 1524 Onhgbmfb.exe 2848 Pfoocjfd.exe 2652 Pkpagq32.exe 2564 Pnomcl32.exe 2616 Pamiog32.exe 1140 Pggbla32.exe 1712 Pjenhm32.exe 2504 Ppbfpd32.exe 2372 Qpecfc32.exe 556 Qbcpbo32.exe 2036 Qjjgclai.exe 332 Qmicohqm.exe 1340 Qpgpkcpp.exe -
Loads dropped DLL 64 IoCs
pid Process 1832 de562345718da687c8db0feebea79450_NEIKI.exe 1832 de562345718da687c8db0feebea79450_NEIKI.exe 2744 Djefobmk.exe 2744 Djefobmk.exe 2672 Ebedndfa.exe 2672 Ebedndfa.exe 2692 Eeempocb.exe 2692 Eeempocb.exe 2936 Fjilieka.exe 2936 Fjilieka.exe 2476 Fjlhneio.exe 2476 Fjlhneio.exe 752 Gegfdb32.exe 752 Gegfdb32.exe 2760 Glfhll32.exe 2760 Glfhll32.exe 1504 Hmlnoc32.exe 1504 Hmlnoc32.exe 1536 Hpkjko32.exe 1536 Hpkjko32.exe 2360 Hgdbhi32.exe 2360 Hgdbhi32.exe 264 Hlakpp32.exe 264 Hlakpp32.exe 2032 Hdhbam32.exe 2032 Hdhbam32.exe 2988 Incpoe32.exe 2988 Incpoe32.exe 1396 Jejhecaj.exe 1396 Jejhecaj.exe 2272 Kemejc32.exe 2272 Kemejc32.exe 1736 Kblhgk32.exe 1736 Kblhgk32.exe 1528 Kjcpii32.exe 1528 Kjcpii32.exe 2904 Lpdbloof.exe 2904 Lpdbloof.exe 1948 Leajdfnm.exe 1948 Leajdfnm.exe 1588 Limfed32.exe 1588 Limfed32.exe 340 Llkbap32.exe 340 Llkbap32.exe 896 Lahkigca.exe 896 Lahkigca.exe 2912 Lmolnh32.exe 2912 Lmolnh32.exe 3044 Mhdplq32.exe 3044 Mhdplq32.exe 2856 Monhhk32.exe 2856 Monhhk32.exe 1852 Mhgmapfi.exe 1852 Mhgmapfi.exe 1520 Maoajf32.exe 1520 Maoajf32.exe 1964 Mdmmfa32.exe 1964 Mdmmfa32.exe 2688 Mkgfckcj.exe 2688 Mkgfckcj.exe 2816 Mmhodf32.exe 2816 Mmhodf32.exe 2628 Mcegmm32.exe 2628 Mcegmm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Llkbap32.exe Limfed32.exe File created C:\Windows\SysWOW64\Eeopgmbf.dll Noqamn32.exe File opened for modification C:\Windows\SysWOW64\Cjfccn32.exe Cdikkg32.exe File created C:\Windows\SysWOW64\Amkoie32.dll Onhgbmfb.exe File opened for modification C:\Windows\SysWOW64\Jhngjmlo.exe Jkjfah32.exe File opened for modification C:\Windows\SysWOW64\Kfpgmdog.exe Kconkibf.exe File created C:\Windows\SysWOW64\Geiiogja.dll Bjlqhoba.exe File created C:\Windows\SysWOW64\Hanlnp32.exe Hbhomd32.exe File opened for modification C:\Windows\SysWOW64\Hhgdkjol.exe Hanlnp32.exe File created C:\Windows\SysWOW64\Aloeodfi.dll Fjilieka.exe File opened for modification C:\Windows\SysWOW64\Mlmlecec.exe Meccii32.exe File created C:\Windows\SysWOW64\Fljdpbcc.dll Nejiih32.exe File opened for modification C:\Windows\SysWOW64\Odobjg32.exe Obafnlpn.exe File created C:\Windows\SysWOW64\Ldhnfd32.dll Qbcpbo32.exe File created C:\Windows\SysWOW64\Lanaiahq.exe Kjdilgpc.exe File created C:\Windows\SysWOW64\Ebedndfa.exe Djefobmk.exe File opened for modification C:\Windows\SysWOW64\Ofelmloo.exe Npfgpe32.exe File created C:\Windows\SysWOW64\Egahmk32.dll Ooeggp32.exe File created C:\Windows\SysWOW64\Fpcqaf32.exe Fpqdkf32.exe File opened for modification C:\Windows\SysWOW64\Djefobmk.exe de562345718da687c8db0feebea79450_NEIKI.exe File created C:\Windows\SysWOW64\Ppbfpd32.exe Pjenhm32.exe File created C:\Windows\SysWOW64\Ibcidp32.dll Kqqboncb.exe File created C:\Windows\SysWOW64\Padajbnl.dll Kklpekno.exe File created C:\Windows\SysWOW64\Ibebkc32.dll Kicmdo32.exe File opened for modification C:\Windows\SysWOW64\Lmebnb32.exe Lanaiahq.exe File created C:\Windows\SysWOW64\Oakomajq.dll Dfamcogo.exe File created C:\Windows\SysWOW64\Hoogfn32.dll Eibbcm32.exe File created C:\Windows\SysWOW64\Ecjlgm32.dll Iipgcaob.exe File created C:\Windows\SysWOW64\Odobjg32.exe Obafnlpn.exe File opened for modification C:\Windows\SysWOW64\Bbjbaa32.exe Biamilfj.exe File created C:\Windows\SysWOW64\Fmbhok32.exe Fjaonpnn.exe File opened for modification C:\Windows\SysWOW64\Hpkjko32.exe Hmlnoc32.exe File opened for modification C:\Windows\SysWOW64\Kjcpii32.exe Kblhgk32.exe File created C:\Windows\SysWOW64\Bhigphio.exe Bghjhp32.exe File opened for modification C:\Windows\SysWOW64\Jhljdm32.exe Jnffgd32.exe File created C:\Windows\SysWOW64\Oaajloig.dll Mkhofjoj.exe File created C:\Windows\SysWOW64\Mcegmm32.exe Mmhodf32.exe File created C:\Windows\SysWOW64\Nkiogn32.exe Naajoinb.exe File created C:\Windows\SysWOW64\Qiejdkkn.dll Obafnlpn.exe File created C:\Windows\SysWOW64\Blbfjg32.exe Bbjbaa32.exe File created C:\Windows\SysWOW64\Chnqkg32.exe Baakhm32.exe File created C:\Windows\SysWOW64\Gpgmpikn.dll Hhckpk32.exe File created C:\Windows\SysWOW64\Bmnkpm32.dll Mhdplq32.exe File created C:\Windows\SysWOW64\Oegjkb32.dll Aaobdjof.exe File created C:\Windows\SysWOW64\Hlakpp32.exe Hgdbhi32.exe File created C:\Windows\SysWOW64\Lpdbloof.exe Kjcpii32.exe File created C:\Windows\SysWOW64\Cojema32.exe Cklmgb32.exe File created C:\Windows\SysWOW64\Endhhp32.exe Egjpkffe.exe File opened for modification C:\Windows\SysWOW64\Fmbhok32.exe Fjaonpnn.exe File created C:\Windows\SysWOW64\Pgegdo32.dll Hhgdkjol.exe File opened for modification C:\Windows\SysWOW64\Kklpekno.exe Kfpgmdog.exe File created C:\Windows\SysWOW64\Kemedbfd.dll Mdmmfa32.exe File opened for modification C:\Windows\SysWOW64\Ppbfpd32.exe Pjenhm32.exe File created C:\Windows\SysWOW64\Qmicohqm.exe Qjjgclai.exe File created C:\Windows\SysWOW64\Dnoomqbg.exe Ddgjdk32.exe File created C:\Windows\SysWOW64\Ihfhdp32.dll Hpefdl32.exe File opened for modification C:\Windows\SysWOW64\Jkjfah32.exe Jhljdm32.exe File created C:\Windows\SysWOW64\Ocjcidbb.dll Fjlhneio.exe File created C:\Windows\SysWOW64\Mmnclh32.dll Ddgjdk32.exe File created C:\Windows\SysWOW64\Pdobjm32.dll Gfhladfn.exe File created C:\Windows\SysWOW64\Qocjhb32.dll Kiijnq32.exe File created C:\Windows\SysWOW64\Negpnjgm.dll Mpmapm32.exe File created C:\Windows\SysWOW64\Ocimgp32.exe Oqkqkdne.exe File created C:\Windows\SysWOW64\Dfmdho32.exe Cjfccn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1844 2300 WerFault.exe 195 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjjgclai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogilika.dll" Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eibbcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhngjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmkol32.dll" Fllnlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kneagg32.dll" Fcefji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhgdkjol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icmegf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bghjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfeekif.dll" Gfmemc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node de562345718da687c8db0feebea79450_NEIKI.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofelmloo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obmhdd32.dll" Pamiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegjkb32.dll" Aaobdjof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejmebq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lahkigca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glfhll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kblhgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ooeggp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocimgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpbiommg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daiohhgh.dll" Icjhagdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jonpde32.dll" Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bafidiio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kklpekno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnfdcqd.dll" Mmhodf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pggbla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhckpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" de562345718da687c8db0feebea79450_NEIKI.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Noqamn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjdfmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhljdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnpinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papnde32.dll" Keednado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gegfdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obafnlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Limfed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdepo32.dll" Gdgcpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpefdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll" Ngfflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcjfoqkg.dll" Aplifb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Magqncba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieidmbcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Padajbnl.dll" Kklpekno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijlhmj32.dll" Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgefik32.dll" Ocimgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haloha32.dll" Bghjhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehgppi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkhofjoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llkbap32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1832 wrote to memory of 2744 1832 de562345718da687c8db0feebea79450_NEIKI.exe 28 PID 1832 wrote to memory of 2744 1832 de562345718da687c8db0feebea79450_NEIKI.exe 28 PID 1832 wrote to memory of 2744 1832 de562345718da687c8db0feebea79450_NEIKI.exe 28 PID 1832 wrote to memory of 2744 1832 de562345718da687c8db0feebea79450_NEIKI.exe 28 PID 2744 wrote to memory of 2672 2744 Djefobmk.exe 29 PID 2744 wrote to memory of 2672 2744 Djefobmk.exe 29 PID 2744 wrote to memory of 2672 2744 Djefobmk.exe 29 PID 2744 wrote to memory of 2672 2744 Djefobmk.exe 29 PID 2672 wrote to memory of 2692 2672 Ebedndfa.exe 30 PID 2672 wrote to memory of 2692 2672 Ebedndfa.exe 30 PID 2672 wrote to memory of 2692 2672 Ebedndfa.exe 30 PID 2672 wrote to memory of 2692 2672 Ebedndfa.exe 30 PID 2692 wrote to memory of 2936 2692 Eeempocb.exe 31 PID 2692 wrote to memory of 2936 2692 Eeempocb.exe 31 PID 2692 wrote to memory of 2936 2692 Eeempocb.exe 31 PID 2692 wrote to memory of 2936 2692 Eeempocb.exe 31 PID 2936 wrote to memory of 2476 2936 Fjilieka.exe 32 PID 2936 wrote to memory of 2476 2936 Fjilieka.exe 32 PID 2936 wrote to memory of 2476 2936 Fjilieka.exe 32 PID 2936 wrote to memory of 2476 2936 Fjilieka.exe 32 PID 2476 wrote to memory of 752 2476 Fjlhneio.exe 33 PID 2476 wrote to memory of 752 2476 Fjlhneio.exe 33 PID 2476 wrote to memory of 752 2476 Fjlhneio.exe 33 PID 2476 wrote to memory of 752 2476 Fjlhneio.exe 33 PID 752 wrote to memory of 2760 752 Gegfdb32.exe 34 PID 752 wrote to memory of 2760 752 Gegfdb32.exe 34 PID 752 wrote to memory of 2760 752 Gegfdb32.exe 34 PID 752 wrote to memory of 2760 752 Gegfdb32.exe 34 PID 2760 wrote to memory of 1504 2760 Glfhll32.exe 35 PID 2760 wrote to memory of 1504 2760 Glfhll32.exe 35 PID 2760 wrote to memory of 1504 2760 Glfhll32.exe 35 PID 2760 wrote to memory of 1504 2760 Glfhll32.exe 35 PID 1504 wrote to memory of 1536 1504 Hmlnoc32.exe 36 PID 1504 wrote to memory of 1536 1504 Hmlnoc32.exe 36 PID 1504 wrote to memory of 1536 1504 Hmlnoc32.exe 36 PID 1504 wrote to memory of 1536 1504 Hmlnoc32.exe 36 PID 1536 wrote to memory of 2360 1536 Hpkjko32.exe 37 PID 1536 wrote to memory of 2360 1536 Hpkjko32.exe 37 PID 1536 wrote to memory of 2360 1536 Hpkjko32.exe 37 PID 1536 wrote to memory of 2360 1536 Hpkjko32.exe 37 PID 2360 wrote to memory of 264 2360 Hgdbhi32.exe 38 PID 2360 wrote to memory of 264 2360 Hgdbhi32.exe 38 PID 2360 wrote to memory of 264 2360 Hgdbhi32.exe 38 PID 2360 wrote to memory of 264 2360 Hgdbhi32.exe 38 PID 264 wrote to memory of 2032 264 Hlakpp32.exe 39 PID 264 wrote to memory of 2032 264 Hlakpp32.exe 39 PID 264 wrote to memory of 2032 264 Hlakpp32.exe 39 PID 264 wrote to memory of 2032 264 Hlakpp32.exe 39 PID 2032 wrote to memory of 2988 2032 Hdhbam32.exe 40 PID 2032 wrote to memory of 2988 2032 Hdhbam32.exe 40 PID 2032 wrote to memory of 2988 2032 Hdhbam32.exe 40 PID 2032 wrote to memory of 2988 2032 Hdhbam32.exe 40 PID 2988 wrote to memory of 1396 2988 Incpoe32.exe 41 PID 2988 wrote to memory of 1396 2988 Incpoe32.exe 41 PID 2988 wrote to memory of 1396 2988 Incpoe32.exe 41 PID 2988 wrote to memory of 1396 2988 Incpoe32.exe 41 PID 1396 wrote to memory of 2272 1396 Jejhecaj.exe 42 PID 1396 wrote to memory of 2272 1396 Jejhecaj.exe 42 PID 1396 wrote to memory of 2272 1396 Jejhecaj.exe 42 PID 1396 wrote to memory of 2272 1396 Jejhecaj.exe 42 PID 2272 wrote to memory of 1736 2272 Kemejc32.exe 43 PID 2272 wrote to memory of 1736 2272 Kemejc32.exe 43 PID 2272 wrote to memory of 1736 2272 Kemejc32.exe 43 PID 2272 wrote to memory of 1736 2272 Kemejc32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\de562345718da687c8db0feebea79450_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\de562345718da687c8db0feebea79450_NEIKI.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:340 -
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1852 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe34⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1356 -
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe40⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:984 -
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe46⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe47⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe48⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:904 -
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe54⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe60⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe66⤵PID:1176
-
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe67⤵PID:2748
-
C:\Windows\SysWOW64\Aplifb32.exeC:\Windows\system32\Aplifb32.exe68⤵
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe69⤵
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe70⤵PID:1780
-
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:940 -
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe74⤵
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Bbjbaa32.exeC:\Windows\system32\Bbjbaa32.exe76⤵
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe77⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Bghjhp32.exeC:\Windows\system32\Bghjhp32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Bhigphio.exeC:\Windows\system32\Bhigphio.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:304 -
C:\Windows\SysWOW64\Chnqkg32.exeC:\Windows\system32\Chnqkg32.exe81⤵PID:2560
-
C:\Windows\SysWOW64\Cklmgb32.exeC:\Windows\system32\Cklmgb32.exe82⤵
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe83⤵PID:1764
-
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe84⤵PID:2964
-
C:\Windows\SysWOW64\Cjdfmo32.exeC:\Windows\system32\Cjdfmo32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1352 -
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Cjfccn32.exeC:\Windows\system32\Cjfccn32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe88⤵PID:2472
-
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2252 -
C:\Windows\SysWOW64\Dogefd32.exeC:\Windows\system32\Dogefd32.exe90⤵
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Dccagcgk.exeC:\Windows\system32\Dccagcgk.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2016 -
C:\Windows\SysWOW64\Dfamcogo.exeC:\Windows\system32\Dfamcogo.exe92⤵
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Ddgjdk32.exeC:\Windows\system32\Ddgjdk32.exe93⤵
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Dnoomqbg.exeC:\Windows\system32\Dnoomqbg.exe94⤵PID:3000
-
C:\Windows\SysWOW64\Ddigjkid.exeC:\Windows\system32\Ddigjkid.exe95⤵PID:876
-
C:\Windows\SysWOW64\Ehgppi32.exeC:\Windows\system32\Ehgppi32.exe96⤵
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe97⤵
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Endhhp32.exeC:\Windows\system32\Endhhp32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548 -
C:\Windows\SysWOW64\Eccmffjf.exeC:\Windows\system32\Eccmffjf.exe99⤵PID:2824
-
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe100⤵PID:1388
-
C:\Windows\SysWOW64\Ejmebq32.exeC:\Windows\system32\Ejmebq32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:820 -
C:\Windows\SysWOW64\Efcfga32.exeC:\Windows\system32\Efcfga32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
C:\Windows\SysWOW64\Eibbcm32.exeC:\Windows\system32\Eibbcm32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Fjaonpnn.exeC:\Windows\system32\Fjaonpnn.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Fmbhok32.exeC:\Windows\system32\Fmbhok32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2568 -
C:\Windows\SysWOW64\Fpqdkf32.exeC:\Windows\system32\Fpqdkf32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Fpcqaf32.exeC:\Windows\system32\Fpcqaf32.exe107⤵PID:2456
-
C:\Windows\SysWOW64\Fadminnn.exeC:\Windows\system32\Fadminnn.exe108⤵PID:856
-
C:\Windows\SysWOW64\Fikejl32.exeC:\Windows\system32\Fikejl32.exe109⤵PID:2788
-
C:\Windows\SysWOW64\Fcefji32.exeC:\Windows\system32\Fcefji32.exe110⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Fllnlg32.exeC:\Windows\system32\Fllnlg32.exe111⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Gdgcpi32.exeC:\Windows\system32\Gdgcpi32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe113⤵
- Drops file in System32 directory
PID:976 -
C:\Windows\SysWOW64\Gifhnpea.exeC:\Windows\system32\Gifhnpea.exe114⤵PID:2084
-
C:\Windows\SysWOW64\Gmdadnkh.exeC:\Windows\system32\Gmdadnkh.exe115⤵PID:2892
-
C:\Windows\SysWOW64\Gdniqh32.exeC:\Windows\system32\Gdniqh32.exe116⤵PID:2332
-
C:\Windows\SysWOW64\Gfmemc32.exeC:\Windows\system32\Gfmemc32.exe117⤵
- Modifies registry class
PID:1284 -
C:\Windows\SysWOW64\Ginnnooi.exeC:\Windows\system32\Ginnnooi.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1020 -
C:\Windows\SysWOW64\Hhckpk32.exeC:\Windows\system32\Hhckpk32.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Hbhomd32.exeC:\Windows\system32\Hbhomd32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1228 -
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe121⤵
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Hhgdkjol.exeC:\Windows\system32\Hhgdkjol.exe122⤵
- Drops file in System32 directory
- Modifies registry class
PID:2600
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-