Analysis
-
max time kernel
118s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 03:25
Behavioral task
behavioral1
Sample
de5daf2a631d53b58c481da511ead240_NEIKI.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
de5daf2a631d53b58c481da511ead240_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
de5daf2a631d53b58c481da511ead240_NEIKI.exe
-
Size
276KB
-
MD5
de5daf2a631d53b58c481da511ead240
-
SHA1
37047241a47170fcbd72c6bebb9bdf8564d3d339
-
SHA256
96a3270ea39fe3740d13e124e5a948901b5fe9d475a484c6842027a9ac1cca7d
-
SHA512
fe83134ec91e9f5b0bad901e1dd9d85e803a49da8cc552a3299ae6e0cdf510d4faeb179e03104499b3fff3c0122091db5a88bfa3083aeb04fb439f3fb183919f
-
SSDEEP
6144:DrHKitdORLSdn7MUZst5qXsunbLwMddjPXmF6EC1LlzxAKN+xTU5AX/KXWZCKl/j:HHrmR+pMUQunbpd/mF6ECJlzxAKN2X/Z
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fffefjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imokehhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klbdgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqklqhpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epbfmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkdhoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpalp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folfoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgfcja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldjpbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnaiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnpbjnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akeijlfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbfiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gghkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkmqdpce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkddnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfejjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfbbjpgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pckajebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anahqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flqmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iphecepe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhilph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdbbgdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cchbgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfjann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nidkmojn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclhdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnbcpmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaijak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilofhffj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lneaqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfpeeqig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoeeolig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnacpffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhhgcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaijak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcjqdmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmcjhdbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filgbdfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldoimh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfmddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieigfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjlmpfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcjqdmla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fffefjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbdlkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihglhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmegncpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcjlnpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qogbdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbohehoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opkccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajmfad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcldhnkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iibfajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcdjoaee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hebdfind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heealhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkqqnq32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000d0000000122d1-5.dat family_berbew behavioral1/files/0x000900000001267d-20.dat family_berbew behavioral1/files/0x00080000000126c7-34.dat family_berbew behavioral1/files/0x00090000000139d6-50.dat family_berbew behavioral1/files/0x0006000000014e3d-69.dat family_berbew behavioral1/files/0x0006000000014fe1-76.dat family_berbew behavioral1/files/0x001a000000012300-90.dat family_berbew behavioral1/files/0x00060000000155d4-107.dat family_berbew behavioral1/files/0x00060000000155e2-116.dat family_berbew behavioral1/files/0x0006000000015a2d-129.dat family_berbew behavioral1/files/0x0006000000015c0d-149.dat family_berbew behavioral1/files/0x0006000000015c2f-158.dat family_berbew behavioral1/files/0x0006000000015c52-179.dat family_berbew behavioral1/files/0x0006000000015c69-186.dat family_berbew behavioral1/files/0x0006000000015c87-199.dat family_berbew behavioral1/files/0x0006000000015d88-218.dat family_berbew behavioral1/files/0x0006000000015e7c-247.dat family_berbew behavioral1/files/0x0006000000015ec0-259.dat family_berbew behavioral1/files/0x000600000001604b-267.dat family_berbew behavioral1/files/0x0006000000016332-280.dat family_berbew behavioral1/memory/672-281-0x0000000000220000-0x0000000000254000-memory.dmp family_berbew behavioral1/files/0x00060000000167db-299.dat family_berbew behavioral1/memory/2960-302-0x0000000000220000-0x0000000000254000-memory.dmp family_berbew behavioral1/files/0x0006000000016b96-310.dat family_berbew behavioral1/files/0x0006000000016c1a-320.dat family_berbew behavioral1/files/0x0006000000016cf0-351.dat family_berbew behavioral1/files/0x0006000000016d11-362.dat family_berbew behavioral1/files/0x0006000000016d36-370.dat family_berbew behavioral1/files/0x0006000000016d55-392.dat family_berbew behavioral1/files/0x0006000000018ae8-448.dat family_berbew behavioral1/files/0x00050000000186a0-437.dat family_berbew behavioral1/files/0x000500000001868c-424.dat family_berbew behavioral1/memory/2336-419-0x0000000000220000-0x0000000000254000-memory.dmp family_berbew behavioral1/files/0x000600000001704f-414.dat family_berbew behavioral1/files/0x0006000000016d89-403.dat family_berbew behavioral1/memory/2348-396-0x0000000000220000-0x0000000000254000-memory.dmp family_berbew behavioral1/files/0x0006000000016d4a-383.dat family_berbew behavioral1/memory/2628-373-0x0000000000220000-0x0000000000254000-memory.dmp family_berbew behavioral1/files/0x0006000000018b96-494.dat family_berbew behavioral1/files/0x0006000000018b6a-482.dat family_berbew behavioral1/files/0x0005000000019333-525.dat family_berbew behavioral1/files/0x00050000000192f4-515.dat family_berbew behavioral1/files/0x0005000000019377-537.dat family_berbew behavioral1/files/0x00050000000193b0-549.dat family_berbew behavioral1/files/0x0005000000019473-571.dat family_berbew behavioral1/files/0x00050000000194a4-582.dat family_berbew behavioral1/files/0x00040000000194d8-594.dat family_berbew behavioral1/files/0x00050000000194e8-604.dat family_berbew behavioral1/files/0x00050000000194ee-616.dat family_berbew behavioral1/files/0x00050000000194f2-628.dat family_berbew behavioral1/files/0x0005000000019547-649.dat family_berbew behavioral1/files/0x000500000001950c-639.dat family_berbew behavioral1/files/0x000500000001959c-661.dat family_berbew behavioral1/files/0x00050000000195a2-677.dat family_berbew behavioral1/files/0x00050000000195a6-690.dat family_berbew behavioral1/files/0x00050000000195a8-704.dat family_berbew behavioral1/files/0x00050000000195aa-713.dat family_berbew behavioral1/files/0x00050000000195ff-728.dat family_berbew behavioral1/files/0x0005000000019bd8-765.dat family_berbew behavioral1/files/0x0005000000019cba-778.dat family_berbew behavioral1/files/0x0005000000019d4d-790.dat family_berbew behavioral1/files/0x0005000000019f42-804.dat family_berbew behavioral1/files/0x0005000000019bd6-753.dat family_berbew behavioral1/files/0x00050000000196d8-742.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1740 Lnjafd32.exe 2924 Meffhnal.exe 2508 Mhilph32.exe 1760 Mfoiqe32.exe 2412 Mpgmijgc.exe 2428 Nbhfke32.exe 2332 Nidkmojn.exe 1248 Naopaa32.exe 2400 Naalga32.exe 2588 Npgihn32.exe 1128 Opkccm32.exe 1824 Opnpimdf.exe 1728 Oghhfg32.exe 1688 Pdbahpec.exe 2812 Pohfehdi.exe 1716 Pojbkh32.exe 628 Pjcckf32.exe 1068 Pclhdl32.exe 956 Pnalad32.exe 784 Qjhmfekp.exe 672 Qoeeolig.exe 1940 Qogbdl32.exe 2960 Ajmfad32.exe 2320 Afdgfelo.exe 2876 Anolkh32.exe 1700 Aggpdnpj.exe 2248 Anahqh32.exe 1608 Akeijlfq.exe 2136 Acqnnndl.exe 2628 Bepjha32.exe 2632 Bfccei32.exe 2348 Bjallg32.exe 2372 Bcjqdmla.exe 2336 Bpqain32.exe 2020 Cofnjj32.exe 2080 Chnbcpmn.exe 1488 Cbdgqimc.exe 1532 Cojhejbh.exe 2692 Ckahkk32.exe 1524 Ehgbhbgn.exe 1644 Epbfmd32.exe 940 Epecbd32.exe 2768 Eniclh32.exe 2736 Efdhpjok.exe 3008 Elnqmd32.exe 1304 Fffefjmi.exe 2212 Flqmbd32.exe 1288 Ffibkj32.exe 2792 Fmcjhdbc.exe 980 Ffkoai32.exe 2796 Fmegncpp.exe 1152 Fbbofjnh.exe 2860 Filgbdfd.exe 2668 Fbdlkj32.exe 2724 Fkmqdpce.exe 2832 Gbfiaj32.exe 2848 Ggcaiqhj.exe 1012 Gegabegc.exe 3024 Gmbfggdo.exe 1920 Gghkdp32.exe 2172 Gaqomeke.exe 1056 Gfmgelil.exe 1928 Gpelnb32.exe 1168 Hebdfind.exe -
Loads dropped DLL 64 IoCs
pid Process 2240 de5daf2a631d53b58c481da511ead240_NEIKI.exe 2240 de5daf2a631d53b58c481da511ead240_NEIKI.exe 1740 Lnjafd32.exe 1740 Lnjafd32.exe 2924 Meffhnal.exe 2924 Meffhnal.exe 2508 Mhilph32.exe 2508 Mhilph32.exe 1760 Mfoiqe32.exe 1760 Mfoiqe32.exe 2412 Mpgmijgc.exe 2412 Mpgmijgc.exe 2428 Nbhfke32.exe 2428 Nbhfke32.exe 2332 Nidkmojn.exe 2332 Nidkmojn.exe 1248 Naopaa32.exe 1248 Naopaa32.exe 2400 Naalga32.exe 2400 Naalga32.exe 2588 Npgihn32.exe 2588 Npgihn32.exe 1128 Opkccm32.exe 1128 Opkccm32.exe 1824 Opnpimdf.exe 1824 Opnpimdf.exe 1728 Oghhfg32.exe 1728 Oghhfg32.exe 1688 Pdbahpec.exe 1688 Pdbahpec.exe 2812 Pohfehdi.exe 2812 Pohfehdi.exe 1716 Pojbkh32.exe 1716 Pojbkh32.exe 628 Pjcckf32.exe 628 Pjcckf32.exe 1068 Pclhdl32.exe 1068 Pclhdl32.exe 956 Pnalad32.exe 956 Pnalad32.exe 784 Qjhmfekp.exe 784 Qjhmfekp.exe 672 Qoeeolig.exe 672 Qoeeolig.exe 1940 Qogbdl32.exe 1940 Qogbdl32.exe 2960 Ajmfad32.exe 2960 Ajmfad32.exe 2320 Afdgfelo.exe 2320 Afdgfelo.exe 2876 Anolkh32.exe 2876 Anolkh32.exe 1700 Aggpdnpj.exe 1700 Aggpdnpj.exe 2248 Anahqh32.exe 2248 Anahqh32.exe 1608 Akeijlfq.exe 1608 Akeijlfq.exe 2136 Acqnnndl.exe 2136 Acqnnndl.exe 2628 Bepjha32.exe 2628 Bepjha32.exe 2632 Bfccei32.exe 2632 Bfccei32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hnkion32.exe Hebdfind.exe File opened for modification C:\Windows\SysWOW64\Hmeolj32.exe Hhhgcc32.exe File created C:\Windows\SysWOW64\Knbhlkkc.exe Kdjccf32.exe File created C:\Windows\SysWOW64\Ecbhdi32.exe Elipgofb.exe File opened for modification C:\Windows\SysWOW64\Hldlga32.exe Hfhcoj32.exe File created C:\Windows\SysWOW64\Dejdjfjb.dll Hpbdmo32.exe File created C:\Windows\SysWOW64\Bmpkqklh.exe Andgop32.exe File created C:\Windows\SysWOW64\Ffkoai32.exe Fmcjhdbc.exe File created C:\Windows\SysWOW64\Hfmddp32.exe Hmeolj32.exe File created C:\Windows\SysWOW64\Nmepgp32.dll Hldlga32.exe File opened for modification C:\Windows\SysWOW64\Hihlqeib.exe Hcldhnkk.exe File opened for modification C:\Windows\SysWOW64\Lhknaf32.exe Lbafdlod.exe File created C:\Windows\SysWOW64\Lpfhgcpi.dll Naopaa32.exe File created C:\Windows\SysWOW64\Aggpdnpj.exe Anolkh32.exe File created C:\Windows\SysWOW64\Cmhlga32.dll Jgdfdbhk.exe File opened for modification C:\Windows\SysWOW64\Knnkpobc.exe Khabghdl.exe File opened for modification C:\Windows\SysWOW64\Imokehhl.exe Ibejdjln.exe File created C:\Windows\SysWOW64\Aippal32.dll Fkmqdpce.exe File opened for modification C:\Windows\SysWOW64\Ijklknbn.exe Ipehmebh.exe File created C:\Windows\SysWOW64\Lfpeeqig.exe Ldoimh32.exe File opened for modification C:\Windows\SysWOW64\Gfcnegnk.exe Fjlmpfhg.exe File created C:\Windows\SysWOW64\Dcqlnqml.dll Kjokokha.exe File created C:\Windows\SysWOW64\Ihglhp32.exe Ioohokoo.exe File created C:\Windows\SysWOW64\Naopaa32.exe Nidkmojn.exe File created C:\Windows\SysWOW64\Bcjqdmla.exe Bjallg32.exe File opened for modification C:\Windows\SysWOW64\Ibfaopoi.exe Iphecepe.exe File created C:\Windows\SysWOW64\Ilofhffj.exe Ijmipn32.exe File opened for modification C:\Windows\SysWOW64\Kljabgnh.exe Kcamjb32.exe File created C:\Windows\SysWOW64\Ddonghfa.dll Fnflke32.exe File opened for modification C:\Windows\SysWOW64\Gmpcgace.exe Gfejjgli.exe File created C:\Windows\SysWOW64\Nphgph32.dll Jpdnbbah.exe File created C:\Windows\SysWOW64\Kaompi32.exe Klbdgb32.exe File created C:\Windows\SysWOW64\Pnalad32.exe Pclhdl32.exe File created C:\Windows\SysWOW64\Ndjcbk32.dll Lkdhoc32.exe File created C:\Windows\SysWOW64\Mnomjl32.exe Mkqqnq32.exe File created C:\Windows\SysWOW64\Pojbkh32.exe Pohfehdi.exe File opened for modification C:\Windows\SysWOW64\Qoeeolig.exe Qjhmfekp.exe File opened for modification C:\Windows\SysWOW64\Bepjha32.exe Acqnnndl.exe File opened for modification C:\Windows\SysWOW64\Mpgmijgc.exe Mfoiqe32.exe File created C:\Windows\SysWOW64\Nabkgh32.dll Gbfiaj32.exe File created C:\Windows\SysWOW64\Ielclkhe.exe Ilcoce32.exe File opened for modification C:\Windows\SysWOW64\Kcamjb32.exe Klhemhpk.exe File opened for modification C:\Windows\SysWOW64\Jpgjgboe.exe Jimbkh32.exe File opened for modification C:\Windows\SysWOW64\Lfbbjpgd.exe Lqejbiim.exe File created C:\Windows\SysWOW64\Jkjplo32.dll Bfccei32.exe File created C:\Windows\SysWOW64\Ckahkk32.exe Cojhejbh.exe File created C:\Windows\SysWOW64\Ifdofiam.dll Ckahkk32.exe File created C:\Windows\SysWOW64\Nmoadk32.dll Fffefjmi.exe File created C:\Windows\SysWOW64\Mlfbgb32.dll Ioohokoo.exe File opened for modification C:\Windows\SysWOW64\Illbhp32.exe Ieajkfmd.exe File opened for modification C:\Windows\SysWOW64\Pjcckf32.exe Pojbkh32.exe File created C:\Windows\SysWOW64\Epbfmd32.exe Ehgbhbgn.exe File created C:\Windows\SysWOW64\Cgohil32.dll Ijklknbn.exe File created C:\Windows\SysWOW64\Ekaggl32.dll Kcamjb32.exe File created C:\Windows\SysWOW64\Kcdjoaee.exe Kljabgnh.exe File opened for modification C:\Windows\SysWOW64\Mbnljqic.exe Mkddnf32.exe File created C:\Windows\SysWOW64\Ipeaco32.exe Ieomef32.exe File opened for modification C:\Windows\SysWOW64\Mqklqhpg.exe Mnmpdlac.exe File created C:\Windows\SysWOW64\Hnpbjnpo.exe Hbiaemkk.exe File opened for modification C:\Windows\SysWOW64\Ioooiack.exe Iibfajdc.exe File opened for modification C:\Windows\SysWOW64\Kgkleabc.exe Knbhlkkc.exe File created C:\Windows\SysWOW64\Illbhp32.exe Ieajkfmd.exe File created C:\Windows\SysWOW64\Ohbamn32.dll Jhbold32.exe File created C:\Windows\SysWOW64\Daddfpbk.dll Ilofhffj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3744 3704 WerFault.exe 240 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeajjfgn.dll" Epecbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acapig32.dll" Jenpajfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elooehob.dll" Kcdjoaee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldoimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liobdl32.dll" Lqejbiim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpbdmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihglhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphgph32.dll" Jpdnbbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppkbfk32.dll" Opnpimdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cofnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elnqmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cofnjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cchbgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll" Calcpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akeijlfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpelnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkdhoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndpojd32.dll" Lqqpgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aggpdnpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfpeeqig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdgeded.dll" Mbnljqic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfcnegnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcbch32.dll" Hidcef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddnjc32.dll" Kgnbnpkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqfnjifg.dll" de5daf2a631d53b58c481da511ead240_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cojhejbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfglep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbnljqic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfejjgli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpgjgboe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqpflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjhjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meffhnal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjjmbgi.dll" Oghhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehgbhbgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efdhpjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkckneq.dll" Mqklqhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqnifg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epbfmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmqmci32.dll" Ffibkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ielclkhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcdjoaee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khabghdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anneqafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Andgop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllgcqbk.dll" Filgbdfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqpagjge.dll" Fggkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkiolmdc.dll" Fcbecl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhbold32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akeijlfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmegncpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpbdmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qogbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmoadk32.dll" Fffefjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdjccf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhbnbpjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkiicmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhiakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpqain32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Filgbdfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieigfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnflke32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2240 wrote to memory of 1740 2240 de5daf2a631d53b58c481da511ead240_NEIKI.exe 28 PID 2240 wrote to memory of 1740 2240 de5daf2a631d53b58c481da511ead240_NEIKI.exe 28 PID 2240 wrote to memory of 1740 2240 de5daf2a631d53b58c481da511ead240_NEIKI.exe 28 PID 2240 wrote to memory of 1740 2240 de5daf2a631d53b58c481da511ead240_NEIKI.exe 28 PID 1740 wrote to memory of 2924 1740 Lnjafd32.exe 29 PID 1740 wrote to memory of 2924 1740 Lnjafd32.exe 29 PID 1740 wrote to memory of 2924 1740 Lnjafd32.exe 29 PID 1740 wrote to memory of 2924 1740 Lnjafd32.exe 29 PID 2924 wrote to memory of 2508 2924 Meffhnal.exe 30 PID 2924 wrote to memory of 2508 2924 Meffhnal.exe 30 PID 2924 wrote to memory of 2508 2924 Meffhnal.exe 30 PID 2924 wrote to memory of 2508 2924 Meffhnal.exe 30 PID 2508 wrote to memory of 1760 2508 Mhilph32.exe 31 PID 2508 wrote to memory of 1760 2508 Mhilph32.exe 31 PID 2508 wrote to memory of 1760 2508 Mhilph32.exe 31 PID 2508 wrote to memory of 1760 2508 Mhilph32.exe 31 PID 1760 wrote to memory of 2412 1760 Mfoiqe32.exe 32 PID 1760 wrote to memory of 2412 1760 Mfoiqe32.exe 32 PID 1760 wrote to memory of 2412 1760 Mfoiqe32.exe 32 PID 1760 wrote to memory of 2412 1760 Mfoiqe32.exe 32 PID 2412 wrote to memory of 2428 2412 Mpgmijgc.exe 33 PID 2412 wrote to memory of 2428 2412 Mpgmijgc.exe 33 PID 2412 wrote to memory of 2428 2412 Mpgmijgc.exe 33 PID 2412 wrote to memory of 2428 2412 Mpgmijgc.exe 33 PID 2428 wrote to memory of 2332 2428 Nbhfke32.exe 34 PID 2428 wrote to memory of 2332 2428 Nbhfke32.exe 34 PID 2428 wrote to memory of 2332 2428 Nbhfke32.exe 34 PID 2428 wrote to memory of 2332 2428 Nbhfke32.exe 34 PID 2332 wrote to memory of 1248 2332 Nidkmojn.exe 35 PID 2332 wrote to memory of 1248 2332 Nidkmojn.exe 35 PID 2332 wrote to memory of 1248 2332 Nidkmojn.exe 35 PID 2332 wrote to memory of 1248 2332 Nidkmojn.exe 35 PID 1248 wrote to memory of 2400 1248 Naopaa32.exe 36 PID 1248 wrote to memory of 2400 1248 Naopaa32.exe 36 PID 1248 wrote to memory of 2400 1248 Naopaa32.exe 36 PID 1248 wrote to memory of 2400 1248 Naopaa32.exe 36 PID 2400 wrote to memory of 2588 2400 Naalga32.exe 37 PID 2400 wrote to memory of 2588 2400 Naalga32.exe 37 PID 2400 wrote to memory of 2588 2400 Naalga32.exe 37 PID 2400 wrote to memory of 2588 2400 Naalga32.exe 37 PID 2588 wrote to memory of 1128 2588 Npgihn32.exe 38 PID 2588 wrote to memory of 1128 2588 Npgihn32.exe 38 PID 2588 wrote to memory of 1128 2588 Npgihn32.exe 38 PID 2588 wrote to memory of 1128 2588 Npgihn32.exe 38 PID 1128 wrote to memory of 1824 1128 Opkccm32.exe 39 PID 1128 wrote to memory of 1824 1128 Opkccm32.exe 39 PID 1128 wrote to memory of 1824 1128 Opkccm32.exe 39 PID 1128 wrote to memory of 1824 1128 Opkccm32.exe 39 PID 1824 wrote to memory of 1728 1824 Opnpimdf.exe 40 PID 1824 wrote to memory of 1728 1824 Opnpimdf.exe 40 PID 1824 wrote to memory of 1728 1824 Opnpimdf.exe 40 PID 1824 wrote to memory of 1728 1824 Opnpimdf.exe 40 PID 1728 wrote to memory of 1688 1728 Oghhfg32.exe 41 PID 1728 wrote to memory of 1688 1728 Oghhfg32.exe 41 PID 1728 wrote to memory of 1688 1728 Oghhfg32.exe 41 PID 1728 wrote to memory of 1688 1728 Oghhfg32.exe 41 PID 1688 wrote to memory of 2812 1688 Pdbahpec.exe 42 PID 1688 wrote to memory of 2812 1688 Pdbahpec.exe 42 PID 1688 wrote to memory of 2812 1688 Pdbahpec.exe 42 PID 1688 wrote to memory of 2812 1688 Pdbahpec.exe 42 PID 2812 wrote to memory of 1716 2812 Pohfehdi.exe 43 PID 2812 wrote to memory of 1716 2812 Pohfehdi.exe 43 PID 2812 wrote to memory of 1716 2812 Pohfehdi.exe 43 PID 2812 wrote to memory of 1716 2812 Pohfehdi.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\de5daf2a631d53b58c481da511ead240_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\de5daf2a631d53b58c481da511ead240_NEIKI.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Lnjafd32.exeC:\Windows\system32\Lnjafd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:628 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Qjhmfekp.exeC:\Windows\system32\Qjhmfekp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:784 -
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:672 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Cofnjj32.exeC:\Windows\system32\Cofnjj32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe38⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe44⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe51⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe53⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe58⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe59⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe60⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe62⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe63⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1168 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe66⤵PID:2288
-
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1244 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe68⤵PID:1708
-
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe69⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2076 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe72⤵
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2176 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe74⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe75⤵
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe77⤵PID:1604
-
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe78⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe80⤵PID:768
-
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe82⤵PID:1216
-
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe84⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe85⤵
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe86⤵PID:944
-
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe87⤵
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe88⤵PID:1048
-
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe89⤵PID:2864
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe90⤵PID:2316
-
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe91⤵PID:1832
-
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe92⤵
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2916 -
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2244 -
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe96⤵
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe97⤵PID:1612
-
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe98⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe99⤵
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe100⤵
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe103⤵PID:2712
-
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe104⤵PID:3020
-
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe105⤵PID:1584
-
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2448 -
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe108⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe109⤵PID:1372
-
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2480 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe115⤵PID:1684
-
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe116⤵PID:3004
-
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe117⤵PID:1616
-
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe118⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe120⤵
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2124 -
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe122⤵
- Modifies registry class
PID:2544
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-