Analysis
max time kernel: 145s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2024 10:20
Static task: static1
Behavioral task: behavioral1
  Sample: f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe
  Resource: win10v2004-20240508-en
General
Target: f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe
Size: 163KB
MD5: f6622d3e89e6453c9bd3bce009eff459
SHA1: 7449d2a9225c533e8a31434c419fe15ccd738348
SHA256: 9b306082d0d5b1420df014ae1450c42a2a9c75164f9c682cbc312e08288bc8dc
SHA512: 5ebc935648dd42e9b3aadcfdd15ce314b07990dc016c3afebe3118b0ab054d77592a0f288fd959a93bff22c45df83a55969cab291aceadaf63b2582a1954f585
SSDEEP: 1536:P162LCVWD8WuvlbhWBT/C42rdugJspJSnlProNVU4qNVUrk/9QbfBr+7GwKrPAsf:dWVzdhCTa4stmAnltOrWKDBr+yJb
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Nfnneb32.exe, Kaajei32.exe, Ddaemh32.exe, Iickckcl.exe, Efpbih32.exe, Llbqfe32.exe, Lpgqlc32.exe, Mnojacgm.exe, Gmpjagfa.exe, Hndlem32.exe, Qlgkki32.exe, Inojhc32.exe, Jabponba.exe, Qlgndbil.exe, Gaeqmk32.exe, Jcfgoadd.exe, Knjdimdh.exe, Mmogmjmn.exe, Pcghof32.exe, Fqfemqod.exe, Kadica32.exe, Jecnnk32.exe, Miocmq32.exe, Koaclfgl.exe, Hbboiknb.exe, Jedcpi32.exe, Ppcmfn32.exe, Leegbnan.exe, Nladco32.exe, Kgbipf32.exe, Olpgconp.exe, Ofcqcp32.exe, Cocphf32.exe, Hjgehgnh.exe, Lbbnjgik.exe, Dpcjnabn.exe, Jeoeclek.exe, Egebjmdn.exe, Lidilk32.exe, Gjbqjiem.exe, Qkibcg32.exe, Hcigco32.exe, Imgnjb32.exe, Nflfad32.exe, Dbadagln.exe, Fllaopcg.exe, Hlafnbal.exe, Nagbgl32.exe, Pgnjde32.exe, Kqokgd32.exe, Oihdjk32.exe, Npijoj32.exe, Jaoqqflp.exe, Dnpebj32.exe, Clhecl32.exe, Cebeem32.exe, Dqfabdaf.exe, Epeajo32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nfnneb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kaajei32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddaemh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iickckcl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efpbih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llbqfe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpgqlc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnojacgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmpjagfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hndlem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qlgkki32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inojhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jabponba.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qlgndbil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gaeqmk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcfgoadd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knjdimdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmogmjmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcghof32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fqfemqod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kadica32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jecnnk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Miocmq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Koaclfgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbboiknb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jedcpi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppcmfn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Leegbnan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nladco32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgbipf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olpgconp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ofcqcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cocphf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjgehgnh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lbbnjgik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpcjnabn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jeoeclek.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egebjmdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lidilk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gjbqjiem.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qkibcg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hcigco32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imgnjb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nflfad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dbadagln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fllaopcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlafnbal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nagbgl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pgnjde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kqokgd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oihdjk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npijoj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jaoqqflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dnpebj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clhecl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cebeem32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dqfabdaf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epeajo32.exe
Executes dropped EXE (64 IoCs)
Processes: Iggned32.exe, Jpdkii32.exe, Jlmicj32.exe, Jhffnk32.exe, Kncofa32.exe, Kjllab32.exe, Kdbpnk32.exe, Kgbipf32.exe, Kcijeg32.exe, Lfjcfb32.exe, Lmdkcl32.exe, Lbackc32.exe, Lnhdqdnd.exe, Lnjafd32.exe, Lgbeoibb.exe, Mnojacgm.exe, Mclcijfd.exe, Mpbdnk32.exe, Mmfdhojb.exe, Mbcmpfhi.exe, Mdbiji32.exe, Npijoj32.exe, Nefbga32.exe, Noogpfjh.exe, Naalga32.exe, Nhlddkmc.exe, Nadimacd.exe, Oklnff32.exe, Ogcnkgoh.exe, Olpgconp.exe, Oehklddp.exe, Oifdbb32.exe, Oemegc32.exe, Padeldeo.exe, Plijimee.exe, Pddnnp32.exe, Pkofjijm.exe, Pqkobqhd.exe, Pdihiook.exe, Afdgfelo.exe, Akhfoldn.exe, Bmibgd32.exe, Bccjdnbi.exe, Bnhoag32.exe, Bcegin32.exe, Bmnlbcfg.exe, Blchcpko.exe, Bbmapj32.exe, Bmbemb32.exe, Bfkifhib.exe, Clgbno32.exe, Cepfgdnj.exe, Chnbcpmn.exe, Cbdgqimc.exe, Chqoipkk.exe, Ckolek32.exe, Chcloo32.exe, Comdkipe.exe, Cpnaca32.exe, Cfhiplmp.exe, Cifelgmd.exe, Ddliip32.exe, Dkfbfjdf.exe, Dpcjnabn.exe
pid | process
1740 | Iggned32.exe
2924 | Jpdkii32.exe
2460 | Jlmicj32.exe
1760 | Jhffnk32.exe
2524 | Kncofa32.exe
2420 | Kjllab32.exe
2848 | Kdbpnk32.exe
292 | Kgbipf32.exe
1012 | Kcijeg32.exe
2564 | Lfjcfb32.exe
2704 | Lmdkcl32.exe
1136 | Lbackc32.exe
2104 | Lnhdqdnd.exe
2324 | Lnjafd32.exe
1636 | Lgbeoibb.exe
1596 | Mnojacgm.exe
2768 | Mclcijfd.exe
2164 | Mpbdnk32.exe
1244 | Mmfdhojb.exe
1508 | Mbcmpfhi.exe
1624 | Mdbiji32.exe
1944 | Npijoj32.exe
608 | Nefbga32.exe
2308 | Noogpfjh.exe
2868 | Naalga32.exe
892 | Nhlddkmc.exe
2248 | Nadimacd.exe
1892 | Oklnff32.exe
2448 | Ogcnkgoh.exe
2632 | Olpgconp.exe
2616 | Oehklddp.exe
2392 | Oifdbb32.exe
2412 | Oemegc32.exe
2080 | Padeldeo.exe
1008 | Plijimee.exe
696 | Pddnnp32.exe
2576 | Pkofjijm.exe
1128 | Pqkobqhd.exe
1664 | Pdihiook.exe
1668 | Afdgfelo.exe
2340 | Akhfoldn.exe
2184 | Bmibgd32.exe
2684 | Bccjdnbi.exe
2156 | Bnhoag32.exe
1832 | Bcegin32.exe
2144 | Bmnlbcfg.exe
1992 | Blchcpko.exe
472 | Bbmapj32.exe
1484 | Bmbemb32.exe
1096 | Bfkifhib.exe
2060 | Clgbno32.exe
2764 | Cepfgdnj.exe
1700 | Chnbcpmn.exe
1584 | Cbdgqimc.exe
2828 | Chqoipkk.exe
2488 | Ckolek32.exe
2548 | Chcloo32.exe
1652 | Comdkipe.exe
1972 | Cpnaca32.exe
3056 | Cfhiplmp.exe
1904 | Cifelgmd.exe
2348 | Ddliip32.exe
2040 | Dkfbfjdf.exe
1772 | Dpcjnabn.exe
Loads dropped DLL (64 IoCs)
Processes: f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe, Iggned32.exe, Jpdkii32.exe, Jlmicj32.exe, Jhffnk32.exe, Kncofa32.exe, Kjllab32.exe, Kdbpnk32.exe, Kgbipf32.exe, Kcijeg32.exe, Lfjcfb32.exe, Lmdkcl32.exe, Lbackc32.exe, Lnhdqdnd.exe, Lnjafd32.exe, Lgbeoibb.exe, Mnojacgm.exe, Mclcijfd.exe, Mpbdnk32.exe, Mmfdhojb.exe, Mbcmpfhi.exe, Mdbiji32.exe, Npijoj32.exe, Nefbga32.exe, Noogpfjh.exe, Naalga32.exe, Nhlddkmc.exe, Nadimacd.exe, Oklnff32.exe, Ogcnkgoh.exe, Olpgconp.exe, Oehklddp.exe
pid | process
2240 | f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe
2240 | f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe
1740 | Iggned32.exe
1740 | Iggned32.exe
2924 | Jpdkii32.exe
2924 | Jpdkii32.exe
2460 | Jlmicj32.exe
2460 | Jlmicj32.exe
1760 | Jhffnk32.exe
1760 | Jhffnk32.exe
2524 | Kncofa32.exe
2524 | Kncofa32.exe
2420 | Kjllab32.exe
2420 | Kjllab32.exe
2848 | Kdbpnk32.exe
2848 | Kdbpnk32.exe
292 | Kgbipf32.exe
292 | Kgbipf32.exe
1012 | Kcijeg32.exe
1012 | Kcijeg32.exe
2564 | Lfjcfb32.exe
2564 | Lfjcfb32.exe
2704 | Lmdkcl32.exe
2704 | Lmdkcl32.exe
1136 | Lbackc32.exe
1136 | Lbackc32.exe
2104 | Lnhdqdnd.exe
2104 | Lnhdqdnd.exe
2324 | Lnjafd32.exe
2324 | Lnjafd32.exe
1636 | Lgbeoibb.exe
1636 | Lgbeoibb.exe
1596 | Mnojacgm.exe
1596 | Mnojacgm.exe
2768 | Mclcijfd.exe
2768 | Mclcijfd.exe
2164 | Mpbdnk32.exe
2164 | Mpbdnk32.exe
1244 | Mmfdhojb.exe
1244 | Mmfdhojb.exe
1508 | Mbcmpfhi.exe
1508 | Mbcmpfhi.exe
1624 | Mdbiji32.exe
1624 | Mdbiji32.exe
1944 | Npijoj32.exe
1944 | Npijoj32.exe
608 | Nefbga32.exe
608 | Nefbga32.exe
2308 | Noogpfjh.exe
2308 | Noogpfjh.exe
2868 | Naalga32.exe
2868 | Naalga32.exe
892 | Nhlddkmc.exe
892 | Nhlddkmc.exe
2248 | Nadimacd.exe
2248 | Nadimacd.exe
1892 | Oklnff32.exe
1892 | Oklnff32.exe
2448 | Ogcnkgoh.exe
2448 | Ogcnkgoh.exe
2632 | Olpgconp.exe
2632 | Olpgconp.exe
2616 | Oehklddp.exe
2616 | Oehklddp.exe
Drops file in System32 directory (64 IoCs)
Processes: Kqokgd32.exe, Mbcmpfhi.exe, Mikjpiim.exe, Meemgk32.exe, f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe, Fdkklp32.exe, Eamilh32.exe, Lomgjb32.exe, Kaajei32.exe, Dphhka32.exe, Bbmapj32.exe, Naimepkp.exe, Gpmjcg32.exe, Ijampgde.exe, Aebobgmi.exe, Mqjefamk.exe, Ofobgc32.exe, Koaclfgl.exe, Jlnmel32.exe, Lchqcd32.exe, Hcigco32.exe, Cfhiplmp.exe, Ldllgiek.exe, Piqpkpml.exe, Obokcqhk.exe, Cofofolh.exe, Oehklddp.exe, Hanogipc.exe, Fpkchm32.exe, Fcqjfeja.exe, Gjngoj32.exe, Hlafnbal.exe, Ombddbah.exe, Hdefnjkj.exe, Hfcjdkpg.exe, Omnmal32.exe, Jjpdmi32.exe, Lnbdko32.exe, Ijaaae32.exe, Jlmicj32.exe, Lilfgq32.exe, Ilnomp32.exe, Ghdiokbq.exe, Dfkclf32.exe, Icdhnn32.exe, Fqfemqod.exe, Hgbfnngi.exe, Hjgehgnh.exe, Bnochnpm.exe, Lofifi32.exe, Addhcn32.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Kbqgolpf.exe | Kqokgd32.exe
File created | C:\Windows\SysWOW64\Bjfnik32.dll | Mbcmpfhi.exe
File created | C:\Windows\SysWOW64\Nlefhcnc.exe | Mikjpiim.exe
File created | C:\Windows\SysWOW64\Mhcicf32.exe | Meemgk32.exe
File opened for modification | C:\Windows\SysWOW64\Iggned32.exe | f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe
File opened for modification | C:\Windows\SysWOW64\Fkecij32.exe | Fdkklp32.exe
File opened for modification | C:\Windows\SysWOW64\Edlfhc32.exe | Eamilh32.exe
File created | C:\Windows\SysWOW64\Lblcfnhj.exe | Lomgjb32.exe
File created | C:\Windows\SysWOW64\Khkbbc32.exe | Kaajei32.exe
File opened for modification | C:\Windows\SysWOW64\Dbgdgm32.exe | Dphhka32.exe
File created | C:\Windows\SysWOW64\Eieiegcc.dll |
File created | C:\Windows\SysWOW64\Camcao32.dll | Bbmapj32.exe
File created | C:\Windows\SysWOW64\Nkaane32.exe | Naimepkp.exe
File created | C:\Windows\SysWOW64\Gpogiglp.exe | Gpmjcg32.exe
File opened for modification | C:\Windows\SysWOW64\Ialadj32.exe | Ijampgde.exe
File opened for modification | C:\Windows\SysWOW64\Hffjng32.exe |
File created | C:\Windows\SysWOW64\Ljpnch32.exe |
File created | C:\Windows\SysWOW64\Aokckm32.exe | Aebobgmi.exe
File created | C:\Windows\SysWOW64\Fniamd32.dll | Mqjefamk.exe
File opened for modification | C:\Windows\SysWOW64\Omhkcnfg.exe | Ofobgc32.exe
File created | C:\Windows\SysWOW64\Gpcafifg.dll | Koaclfgl.exe
File created | C:\Windows\SysWOW64\Kmnfciac.dll | Jlnmel32.exe
File created | C:\Windows\SysWOW64\Njldiiel.dll | Lchqcd32.exe
File opened for modification | C:\Windows\SysWOW64\Hfhcoj32.exe | Hcigco32.exe
File created | C:\Windows\SysWOW64\Cifelgmd.exe | Cfhiplmp.exe
File created | C:\Windows\SysWOW64\Maojpk32.dll | Ldllgiek.exe
File created | C:\Windows\SysWOW64\Pomhcg32.exe | Piqpkpml.exe
File opened for modification | C:\Windows\SysWOW64\Phlclgfc.exe | Obokcqhk.exe
File created | C:\Windows\SysWOW64\Bpkbha32.dll | Cofofolh.exe
File created | C:\Windows\SysWOW64\Jmnbbmon.dll |
File created | C:\Windows\SysWOW64\Oifdbb32.exe | Oehklddp.exe
File created | C:\Windows\SysWOW64\Jdloglhf.dll |
File created | C:\Windows\SysWOW64\Kbkgig32.exe |
File created | C:\Windows\SysWOW64\Hhhgcc32.exe | Hanogipc.exe
File created | C:\Windows\SysWOW64\Ffeldglk.exe | Fpkchm32.exe
File created | C:\Windows\SysWOW64\Fliook32.exe | Fcqjfeja.exe
File created | C:\Windows\SysWOW64\Ichnpa32.dll | Gjngoj32.exe
File created | C:\Windows\SysWOW64\Hanogipc.exe | Hlafnbal.exe
File created | C:\Windows\SysWOW64\Cgklhh32.dll |
File opened for modification | C:\Windows\SysWOW64\Pfkimhhi.exe | Ombddbah.exe
File created | C:\Windows\SysWOW64\Igaegm32.dll | Hdefnjkj.exe
File created | C:\Windows\SysWOW64\Hnjbeh32.exe | Hfcjdkpg.exe
File opened for modification | C:\Windows\SysWOW64\Ochenfdn.exe | Omnmal32.exe
File created | C:\Windows\SysWOW64\Obobnb32.dll | Jjpdmi32.exe
File opened for modification | C:\Windows\SysWOW64\Ldllgiek.exe | Lnbdko32.exe
File created | C:\Windows\SysWOW64\Iakino32.exe | Ijaaae32.exe
File created | C:\Windows\SysWOW64\Hgajal32.dll | Jlmicj32.exe
File created | C:\Windows\SysWOW64\Lcdjpfgh.exe | Lilfgq32.exe
File opened for modification | C:\Windows\SysWOW64\Cpgglifo.exe |
File opened for modification | C:\Windows\SysWOW64\Fclbgj32.exe |
File opened for modification | C:\Windows\SysWOW64\Jjgonf32.exe |
File created | C:\Windows\SysWOW64\Hgiekfhg.dll | Ilnomp32.exe
File created | C:\Windows\SysWOW64\Gonale32.exe | Ghdiokbq.exe
File created | C:\Windows\SysWOW64\Malbbh32.dll | Dfkclf32.exe
File created | C:\Windows\SysWOW64\Mcgiogam.dll | Icdhnn32.exe
File opened for modification | C:\Windows\SysWOW64\Cooddbfh.exe |
File opened for modification | C:\Windows\SysWOW64\Gfcnegnk.exe | Fqfemqod.exe
File created | C:\Windows\SysWOW64\Cfhlbe32.exe |
File created | C:\Windows\SysWOW64\Hidcef32.exe | Hgbfnngi.exe
File opened for modification | C:\Windows\SysWOW64\Hgkfal32.exe | Hjgehgnh.exe
File opened for modification | C:\Windows\SysWOW64\Bhdhefpc.exe | Bnochnpm.exe
File created | C:\Windows\SysWOW64\Ldbaopdj.exe | Lofifi32.exe
File created | C:\Windows\SysWOW64\Lqcmmc32.dll | Addhcn32.exe
File opened for modification | C:\Windows\SysWOW64\Cpbnaj32.exe |
Program crash (1 IoC)
pid | pid_target | process | target process
2728 | 4856 | |
Modifies registry class (64 IoCs)
Processes: Ohfqmi32.exe, Ikagogco.exe, Ddiibc32.exe, Cncmcm32.exe, Qlgndbil.exe, Mnmpdlac.exe, Dcohghbk.exe, Pfkimhhi.exe, Gaeqmk32.exe, Kdkelolf.exe, Oknhdjko.exe, Ffiepg32.exe, Gddobpbe.exe, Kfpifm32.exe, Ijehdl32.exe, Haemloni.exe, Olkfmi32.exe, Fnmjpk32.exe, Fheoiqgi.exe, Jlphbbbg.exe, Hoqjqhjf.exe, Ofaolcmh.exe, Aggiigmn.exe, Eoebgcol.exe, Bgddam32.exe, Jelhmlgm.exe, Hhhgcc32.exe, Dfhdnn32.exe, Gcjmmdbf.exe, Jcfgoadd.exe, Ankedf32.exe, Ehfhgogp.exe, Lkggmldl.exe, Hmeolj32.exe, Hmpaom32.exe, Cofofolh.exe, Kcijeg32.exe, Blfapfpg.exe, Pflbpg32.exe, Pmhgba32.exe, Gleqdb32.exe, Fpkchm32.exe, Kenhopmf.exe, Dilchhgg.exe, Mpbdnk32.exe, Bqeqqk32.exe, Cdmepgce.exe, Mclcijfd.exe, Igoomk32.exe, Hkdgecna.exe, Gimaah32.exe, Nlanhh32.exe, Mlgiiaij.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllmhajo.dll" | Ohfqmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqekiefo.dll" | Ikagogco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnekggoo.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ddiibc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cncmcm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qlgndbil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mnmpdlac.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dcohghbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmapcm32.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeeima32.dll" | Pfkimhhi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gaeqmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kdkelolf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmccgf32.dll" | Oknhdjko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ffiepg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibpbf32.dll" | Gddobpbe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjcogfe.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fckada32.dll" | Kfpifm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ijehdl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Haemloni.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Olkfmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najnhfnn.dll" | Fnmjpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fheoiqgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jlphbbbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hoqjqhjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ofaolcmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opgcne32.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aggiigmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqdodila.dll" | Eoebgcol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bgddam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefccdhf.dll" | Jelhmlgm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hhhgcc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfhdnn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gcjmmdbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jcfgoadd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ankedf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngppolhf.dll" | Ehfhgogp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lkggmldl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kopnegcl.dll" | Hmeolj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hmpaom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cofofolh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kcijeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginaep32.dll" | Blfapfpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qplbjk32.dll" | Pflbpg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmhgba32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gleqdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fpkchm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kenhopmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dilchhgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paifph32.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mpbdnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bqeqqk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cdmepgce.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fheoiqgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mclcijfd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Igoomk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hkdgecna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpqndbo.dll" | Gimaah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimbbpmc.dll" | Nlanhh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mlgiiaij.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe, Iggned32.exe, Jpdkii32.exe, Jlmicj32.exe, Jhffnk32.exe, Kncofa32.exe, Kjllab32.exe, Kdbpnk32.exe, Kgbipf32.exe, Kcijeg32.exe, Lfjcfb32.exe, Lmdkcl32.exe, Lbackc32.exe, Lnhdqdnd.exe, Lnjafd32.exe, Lgbeoibb.exe
description | pid | process | target process
PID 2240 wrote to memory of 1740 | 2240 | f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe | Iggned32.exe
PID 2240 wrote to memory of 1740 | 2240 | f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe | Iggned32.exe
PID 2240 wrote to memory of 1740 | 2240 | f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe | Iggned32.exe
PID 2240 wrote to memory of 1740 | 2240 | f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe | Iggned32.exe
PID 1740 wrote to memory of 2924 | 1740 | Iggned32.exe | Jpdkii32.exe
PID 1740 wrote to memory of 2924 | 1740 | Iggned32.exe | Jpdkii32.exe
PID 1740 wrote to memory of 2924 | 1740 | Iggned32.exe | Jpdkii32.exe
PID 1740 wrote to memory of 2924 | 1740 | Iggned32.exe | Jpdkii32.exe
PID 2924 wrote to memory of 2460 | 2924 | Jpdkii32.exe | Jlmicj32.exe
PID 2924 wrote to memory of 2460 | 2924 | Jpdkii32.exe | Jlmicj32.exe
PID 2924 wrote to memory of 2460 | 2924 | Jpdkii32.exe | Jlmicj32.exe
PID 2924 wrote to memory of 2460 | 2924 | Jpdkii32.exe | Jlmicj32.exe
PID 2460 wrote to memory of 1760 | 2460 | Jlmicj32.exe | Jhffnk32.exe
PID 2460 wrote to memory of 1760 | 2460 | Jlmicj32.exe | Jhffnk32.exe
PID 2460 wrote to memory of 1760 | 2460 | Jlmicj32.exe | Jhffnk32.exe
PID 2460 wrote to memory of 1760 | 2460 | Jlmicj32.exe | Jhffnk32.exe
PID 1760 wrote to memory of 2524 | 1760 | Jhffnk32.exe | Kncofa32.exe
PID 1760 wrote to memory of 2524 | 1760 | Jhffnk32.exe | Kncofa32.exe
PID 1760 wrote to memory of 2524 | 1760 | Jhffnk32.exe | Kncofa32.exe
PID 1760 wrote to memory of 2524 | 1760 | Jhffnk32.exe | Kncofa32.exe
PID 2524 wrote to memory of 2420 | 2524 | Kncofa32.exe | Kjllab32.exe
PID 2524 wrote to memory of 2420 | 2524 | Kncofa32.exe | Kjllab32.exe
PID 2524 wrote to memory of 2420 | 2524 | Kncofa32.exe | Kjllab32.exe
PID 2524 wrote to memory of 2420 | 2524 | Kncofa32.exe | Kjllab32.exe
PID 2420 wrote to memory of 2848 | 2420 | Kjllab32.exe | Kdbpnk32.exe
PID 2420 wrote to memory of 2848 | 2420 | Kjllab32.exe | Kdbpnk32.exe
PID 2420 wrote to memory of 2848 | 2420 | Kjllab32.exe | Kdbpnk32.exe
PID 2420 wrote to memory of 2848 | 2420 | Kjllab32.exe | Kdbpnk32.exe
PID 2848 wrote to memory of 292 | 2848 | Kdbpnk32.exe | Kgbipf32.exe
PID 2848 wrote to memory of 292 | 2848 | Kdbpnk32.exe | Kgbipf32.exe
PID 2848 wrote to memory of 292 | 2848 | Kdbpnk32.exe | Kgbipf32.exe
PID 2848 wrote to memory of 292 | 2848 | Kdbpnk32.exe | Kgbipf32.exe
PID 292 wrote to memory of 1012 | 292 | Kgbipf32.exe | Kcijeg32.exe
PID 292 wrote to memory of 1012 | 292 | Kgbipf32.exe | Kcijeg32.exe
PID 292 wrote to memory of 1012 | 292 | Kgbipf32.exe | Kcijeg32.exe
PID 292 wrote to memory of 1012 | 292 | Kgbipf32.exe | Kcijeg32.exe
PID 1012 wrote to memory of 2564 | 1012 | Kcijeg32.exe | Lfjcfb32.exe
PID 1012 wrote to memory of 2564 | 1012 | Kcijeg32.exe | Lfjcfb32.exe
PID 1012 wrote to memory of 2564 | 1012 | Kcijeg32.exe | Lfjcfb32.exe
PID 1012 wrote to memory of 2564 | 1012 | Kcijeg32.exe | Lfjcfb32.exe
PID 2564 wrote to memory of 2704 | 2564 | Lfjcfb32.exe | Lmdkcl32.exe
PID 2564 wrote to memory of 2704 | 2564 | Lfjcfb32.exe | Lmdkcl32.exe
PID 2564 wrote to memory of 2704 | 2564 | Lfjcfb32.exe | Lmdkcl32.exe
PID 2564 wrote to memory of 2704 | 2564 | Lfjcfb32.exe | Lmdkcl32.exe
PID 2704 wrote to memory of 1136 | 2704 | Lmdkcl32.exe | Lbackc32.exe
PID 2704 wrote to memory of 1136 | 2704 | Lmdkcl32.exe | Lbackc32.exe
PID 2704 wrote to memory of 1136 | 2704 | Lmdkcl32.exe | Lbackc32.exe
PID 2704 wrote to memory of 1136 | 2704 | Lmdkcl32.exe | Lbackc32.exe
PID 1136 wrote to memory of 2104 | 1136 | Lbackc32.exe | Lnhdqdnd.exe
PID 1136 wrote to memory of 2104 | 1136 | Lbackc32.exe | Lnhdqdnd.exe
PID 1136 wrote to memory of 2104 | 1136 | Lbackc32.exe | Lnhdqdnd.exe
PID 1136 wrote to memory of 2104 | 1136 | Lbackc32.exe | Lnhdqdnd.exe
PID 2104 wrote to memory of 2324 | 2104 | Lnhdqdnd.exe | Lnjafd32.exe
PID 2104 wrote to memory of 2324 | 2104 | Lnhdqdnd.exe | Lnjafd32.exe
PID 2104 wrote to memory of 2324 | 2104 | Lnhdqdnd.exe | Lnjafd32.exe
PID 2104 wrote to memory of 2324 | 2104 | Lnhdqdnd.exe | Lnjafd32.exe
PID 2324 wrote to memory of 1636 | 2324 | Lnjafd32.exe | Lgbeoibb.exe
PID 2324 wrote to memory of 1636 | 2324 | Lnjafd32.exe | Lgbeoibb.exe
PID 2324 wrote to memory of 1636 | 2324 | Lnjafd32.exe | Lgbeoibb.exe
PID 2324 wrote to memory of 1636 | 2324 | Lnjafd32.exe | Lgbeoibb.exe
PID 1636 wrote to memory of 1596 | 1636 | Lgbeoibb.exe | Mnojacgm.exe
PID 1636 wrote to memory of 1596 | 1636 | Lgbeoibb.exe | Mnojacgm.exe
PID 1636 wrote to memory of 1596 | 1636 | Lgbeoibb.exe | Mnojacgm.exe
PID 1636 wrote to memory of 1596 | 1636 | Lgbeoibb.exe | Mnojacgm.exe
Processes
-
Process tree, one line per process: nesting depth, PID, image path and the signatures that fired on it. The depth increases by one on every line, so each process was spawned by the one listed directly above it; depth 1 is the submitted sample, launched as "C:\Users\Admin\AppData\Local\Temp\f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe". Every process from depth 2 on was started with the command line C:\Windows\system32\<name>.exe, while the image that actually ran is the C:\Windows\SysWOW64\ copy listed here: the 32-bit dropper is subject to WOW64 file-system redirection on this x64 host, so its view of system32 is SysWOW64. The tree is cut off at depth 242 in this report.

depth  PID   image                                                                        signatures
1      2240  C:\Users\Admin\AppData\Local\Temp\f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe  Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
2      1740  C:\Windows\SysWOW64\Iggned32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3      2924  C:\Windows\SysWOW64\Jpdkii32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4      2460  C:\Windows\SysWOW64\Jlmicj32.exe  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
5      1760  C:\Windows\SysWOW64\Jhffnk32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6      2524  C:\Windows\SysWOW64\Kncofa32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7      2420  C:\Windows\SysWOW64\Kjllab32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8      2848  C:\Windows\SysWOW64\Kdbpnk32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9      292   C:\Windows\SysWOW64\Kgbipf32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10     1012  C:\Windows\SysWOW64\Kcijeg32.exe  Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
11     2564  C:\Windows\SysWOW64\Lfjcfb32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12     2704  C:\Windows\SysWOW64\Lmdkcl32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13     1136  C:\Windows\SysWOW64\Lbackc32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14     2104  C:\Windows\SysWOW64\Lnhdqdnd.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15     2324  C:\Windows\SysWOW64\Lnjafd32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16     1636  C:\Windows\SysWOW64\Lgbeoibb.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17     1596  C:\Windows\SysWOW64\Mnojacgm.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
18     2768  C:\Windows\SysWOW64\Mclcijfd.exe  Executes dropped EXE; Loads dropped DLL; Modifies registry class
19     2164  C:\Windows\SysWOW64\Mpbdnk32.exe  Executes dropped EXE; Loads dropped DLL; Modifies registry class
20     1244  C:\Windows\SysWOW64\Mmfdhojb.exe  Executes dropped EXE; Loads dropped DLL
21     1508  C:\Windows\SysWOW64\Mbcmpfhi.exe  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
22     1624  C:\Windows\SysWOW64\Mdbiji32.exe  Executes dropped EXE; Loads dropped DLL
23     1944  C:\Windows\SysWOW64\Npijoj32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
24     608   C:\Windows\SysWOW64\Nefbga32.exe  Executes dropped EXE; Loads dropped DLL
25     2308  C:\Windows\SysWOW64\Noogpfjh.exe  Executes dropped EXE; Loads dropped DLL
26     2868  C:\Windows\SysWOW64\Naalga32.exe  Executes dropped EXE; Loads dropped DLL
27     892   C:\Windows\SysWOW64\Nhlddkmc.exe  Executes dropped EXE; Loads dropped DLL
28     2248  C:\Windows\SysWOW64\Nadimacd.exe  Executes dropped EXE; Loads dropped DLL
29     1892  C:\Windows\SysWOW64\Oklnff32.exe  Executes dropped EXE; Loads dropped DLL
30     2448  C:\Windows\SysWOW64\Ogcnkgoh.exe  Executes dropped EXE; Loads dropped DLL
31     2632  C:\Windows\SysWOW64\Olpgconp.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
32     2616  C:\Windows\SysWOW64\Oehklddp.exe  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
33     2392  C:\Windows\SysWOW64\Oifdbb32.exe  Executes dropped EXE
34     2412  C:\Windows\SysWOW64\Oemegc32.exe  Executes dropped EXE
35     2080  C:\Windows\SysWOW64\Padeldeo.exe  Executes dropped EXE
36     1008  C:\Windows\SysWOW64\Plijimee.exe  Executes dropped EXE
37     696   C:\Windows\SysWOW64\Pddnnp32.exe  Executes dropped EXE
38     2576  C:\Windows\SysWOW64\Pkofjijm.exe  Executes dropped EXE
39     1128  C:\Windows\SysWOW64\Pqkobqhd.exe  Executes dropped EXE
40     1664  C:\Windows\SysWOW64\Pdihiook.exe  Executes dropped EXE
41     1668  C:\Windows\SysWOW64\Afdgfelo.exe  Executes dropped EXE
42     2340  C:\Windows\SysWOW64\Akhfoldn.exe  Executes dropped EXE
43     2184  C:\Windows\SysWOW64\Bmibgd32.exe  Executes dropped EXE
44     2684  C:\Windows\SysWOW64\Bccjdnbi.exe  Executes dropped EXE
45     2156  C:\Windows\SysWOW64\Bnhoag32.exe  Executes dropped EXE
46     1832  C:\Windows\SysWOW64\Bcegin32.exe  Executes dropped EXE
47     2144  C:\Windows\SysWOW64\Bmnlbcfg.exe  Executes dropped EXE
48     1992  C:\Windows\SysWOW64\Blchcpko.exe  Executes dropped EXE
49     472   C:\Windows\SysWOW64\Bbmapj32.exe  Executes dropped EXE; Drops file in System32 directory
50     1484  C:\Windows\SysWOW64\Bmbemb32.exe  Executes dropped EXE
51     1096  C:\Windows\SysWOW64\Bfkifhib.exe  Executes dropped EXE
52     2060  C:\Windows\SysWOW64\Clgbno32.exe  Executes dropped EXE
53     2764  C:\Windows\SysWOW64\Cepfgdnj.exe  Executes dropped EXE
54     1700  C:\Windows\SysWOW64\Chnbcpmn.exe  Executes dropped EXE
55     1584  C:\Windows\SysWOW64\Cbdgqimc.exe  Executes dropped EXE
56     2828  C:\Windows\SysWOW64\Chqoipkk.exe  Executes dropped EXE
57     2488  C:\Windows\SysWOW64\Ckolek32.exe  Executes dropped EXE
58     2548  C:\Windows\SysWOW64\Chcloo32.exe  Executes dropped EXE
59     1652  C:\Windows\SysWOW64\Comdkipe.exe  Executes dropped EXE
60     1972  C:\Windows\SysWOW64\Cpnaca32.exe  Executes dropped EXE
61     3056  C:\Windows\SysWOW64\Cfhiplmp.exe  Executes dropped EXE; Drops file in System32 directory
62     1904  C:\Windows\SysWOW64\Cifelgmd.exe  Executes dropped EXE
63     2348  C:\Windows\SysWOW64\Ddliip32.exe  Executes dropped EXE
64     2040  C:\Windows\SysWOW64\Dkfbfjdf.exe  Executes dropped EXE
65     1772  C:\Windows\SysWOW64\Dpcjnabn.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
66     3012  C:\Windows\SysWOW64\Depbfhpe.exe  (none)
67     1924  C:\Windows\SysWOW64\Dpegcq32.exe  (none)
68     940   C:\Windows\SysWOW64\Dcccpl32.exe  (none)
69     2784  C:\Windows\SysWOW64\Dhplhc32.exe  (none)
70     240   C:\Windows\SysWOW64\Dcfpel32.exe  (none)
71     3036  C:\Windows\SysWOW64\Dlndnacm.exe  (none)
72     2888  C:\Windows\SysWOW64\Domqjm32.exe  (none)
73     2216  C:\Windows\SysWOW64\Ddiibc32.exe  Modifies registry class
74     1708  C:\Windows\SysWOW64\Eamilh32.exe  Drops file in System32 directory
75     2252  C:\Windows\SysWOW64\Edlfhc32.exe  (none)
76     2500  C:\Windows\SysWOW64\Ekfndmfb.exe  (none)
77     2444  C:\Windows\SysWOW64\Epbfmd32.exe  (none)
78     2840  C:\Windows\SysWOW64\Ekhkjm32.exe  (none)
79     328   C:\Windows\SysWOW64\Eabcggll.exe  (none)
80     888   C:\Windows\SysWOW64\Eccpoo32.exe  (none)
81     1488  C:\Windows\SysWOW64\Elldgehk.exe  (none)
82     872   C:\Windows\SysWOW64\Egahen32.exe  (none)
83     1524  C:\Windows\SysWOW64\Enkpahon.exe  (none)
84     1984  C:\Windows\SysWOW64\Eolmip32.exe  (none)
85     2832  C:\Windows\SysWOW64\Fjbafi32.exe  (none)
86     2464  C:\Windows\SysWOW64\Foojop32.exe  (none)
87     1544  C:\Windows\SysWOW64\Ffibkj32.exe  (none)
88     908   C:\Windows\SysWOW64\Fcmben32.exe  (none)
89     2176  C:\Windows\SysWOW64\Fmegncpp.exe  (none)
90     1724  C:\Windows\SysWOW64\Fnfcel32.exe  (none)
91     1920  C:\Windows\SysWOW64\Ffmkfifa.exe  (none)
92     2124  C:\Windows\SysWOW64\Fkjdopeh.exe  (none)
93     2512  C:\Windows\SysWOW64\Fnipkkdl.exe  (none)
94     2800  C:\Windows\SysWOW64\Findhdcb.exe  (none)
95     2312  C:\Windows\SysWOW64\Gnkmqkbi.exe  (none)
96     2480  C:\Windows\SysWOW64\Gqiimfam.exe  (none)
97     456   C:\Windows\SysWOW64\Gjbmelgm.exe  (none)
98     1056  C:\Windows\SysWOW64\Gmpjagfa.exe  Adds autorun key to be loaded by Explorer.exe on startup
99     2756  C:\Windows\SysWOW64\Ggfnopfg.exe  (none)
100    852   C:\Windows\SysWOW64\Gnpflj32.exe  (none)
101    812   C:\Windows\SysWOW64\Gpabcbdb.exe  (none)
102    2916  C:\Windows\SysWOW64\Gfkkpmko.exe  (none)
103    2568  C:\Windows\SysWOW64\Gmecmg32.exe  (none)
104    2956  C:\Windows\SysWOW64\Gcokiaji.exe  (none)
105    1744  C:\Windows\SysWOW64\Gildahhp.exe  (none)
106    1304  C:\Windows\SysWOW64\Gbdhjm32.exe  (none)
107    3000  C:\Windows\SysWOW64\Hllmcc32.exe  (none)
108    2752  C:\Windows\SysWOW64\Hbfepmmn.exe  (none)
109    1404  C:\Windows\SysWOW64\Hfbaql32.exe  (none)
110    2780  C:\Windows\SysWOW64\Hloiib32.exe  (none)
111    2660  C:\Windows\SysWOW64\Halbai32.exe  (none)
112    2376  C:\Windows\SysWOW64\Hlafnbal.exe  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
113    2368  C:\Windows\SysWOW64\Hanogipc.exe  Drops file in System32 directory
114    2540  C:\Windows\SysWOW64\Hhhgcc32.exe  Modifies registry class
115    2408  C:\Windows\SysWOW64\Hmeolj32.exe  Modifies registry class
116    2908  C:\Windows\SysWOW64\Hdoghdmd.exe  (none)
117    1928  C:\Windows\SysWOW64\Hndlem32.exe  Adds autorun key to be loaded by Explorer.exe on startup
118    1784  C:\Windows\SysWOW64\Ipehmebh.exe  (none)
119    2952  C:\Windows\SysWOW64\Ifoqjo32.exe  (none)
120    1968  C:\Windows\SysWOW64\Iaeegh32.exe  (none)
121    1472  C:\Windows\SysWOW64\Ibfaopoi.exe  (none)
122    1732  C:\Windows\SysWOW64\Imleli32.exe  (none)
123    1656  C:\Windows\SysWOW64\Ifdjeoep.exe  (none)
124    2948  C:\Windows\SysWOW64\Imnbbi32.exe  (none)
125    2820  C:\Windows\SysWOW64\Ioooiack.exe  (none)
126    580   C:\Windows\SysWOW64\Iiecgjba.exe  (none)
127    2508  C:\Windows\SysWOW64\Ioakoq32.exe  (none)
128    2492  C:\Windows\SysWOW64\Iigpli32.exe  (none)
129    2992  C:\Windows\SysWOW64\Jabdql32.exe  (none)
130    1200  C:\Windows\SysWOW64\Jckgicnp.exe  (none)
131    2628  C:\Windows\SysWOW64\Jlckbh32.exe  (none)
132    1532  C:\Windows\SysWOW64\Kofaicon.exe  (none)
133    2016  C:\Windows\SysWOW64\Kfpifm32.exe  Modifies registry class
134    628   C:\Windows\SysWOW64\Kdhcli32.exe  (none)
135    1504  C:\Windows\SysWOW64\Lomgjb32.exe  Drops file in System32 directory
136    1964  C:\Windows\SysWOW64\Lblcfnhj.exe  (none)
137    2076  C:\Windows\SysWOW64\Lghlndfa.exe  (none)
138    2772  C:\Windows\SysWOW64\Lnbdko32.exe  Drops file in System32 directory
139    1448  C:\Windows\SysWOW64\Ldllgiek.exe  Drops file in System32 directory
140    3032  C:\Windows\SysWOW64\Lgkhdddo.exe  (none)
141    2380  C:\Windows\SysWOW64\Lmgalkcf.exe  (none)
142    836   C:\Windows\SysWOW64\Ldoimh32.exe  (none)
143    2096  C:\Windows\SysWOW64\Lgmeid32.exe  (none)
144    2612  C:\Windows\SysWOW64\Ljkaeo32.exe  (none)
145    2428  C:\Windows\SysWOW64\Lmjnak32.exe  (none)
146    2180  C:\Windows\SysWOW64\Lgoboc32.exe  (none)
147    2984  C:\Windows\SysWOW64\Lqhfhigj.exe  (none)
148    2876  C:\Windows\SysWOW64\Mfdopp32.exe  (none)
149    800   C:\Windows\SysWOW64\Mmogmjmn.exe  Adds autorun key to be loaded by Explorer.exe on startup
150    2288  C:\Windows\SysWOW64\Mbkpeake.exe  (none)
151    2084  C:\Windows\SysWOW64\Mejlalji.exe  (none)
152    2532  C:\Windows\SysWOW64\Mpopnejo.exe  (none)
153    556   C:\Windows\SysWOW64\Melifl32.exe  (none)
154    2740  C:\Windows\SysWOW64\Mlfacfpc.exe  (none)
155    2328  C:\Windows\SysWOW64\Macilmnk.exe  (none)
156    1216  C:\Windows\SysWOW64\Mgmahg32.exe  (none)
157    936   C:\Windows\SysWOW64\Mngjeamd.exe  (none)
158    960   C:\Windows\SysWOW64\Meabakda.exe  (none)
159    3064  C:\Windows\SysWOW64\Mlkjne32.exe  (none)
160    2280  C:\Windows\SysWOW64\Nagbgl32.exe  Adds autorun key to be loaded by Explorer.exe on startup
161    1988  C:\Windows\SysWOW64\Ncfoch32.exe  (none)
162    2220  C:\Windows\SysWOW64\Nmnclmoj.exe  (none)
163    2364  C:\Windows\SysWOW64\Ndhlhg32.exe  (none)
164    308   C:\Windows\SysWOW64\Njbdea32.exe  (none)
165    2788  C:\Windows\SysWOW64\Niedqnen.exe  (none)
166    2968  C:\Windows\SysWOW64\Ndkhngdd.exe  (none)
167    2860  C:\Windows\SysWOW64\Njdqka32.exe  (none)
168    2644  C:\Windows\SysWOW64\Nmcmgm32.exe  (none)
169    1592  C:\Windows\SysWOW64\Npaich32.exe  (none)
170    1048  C:\Windows\SysWOW64\Nenakoho.exe  (none)
171    2504  C:\Windows\SysWOW64\Nlhjhi32.exe  (none)
172    3020  C:\Windows\SysWOW64\Nfnneb32.exe  Adds autorun key to be loaded by Explorer.exe on startup
173    2816  C:\Windows\SysWOW64\Olkfmi32.exe  Modifies registry class
174    2396  C:\Windows\SysWOW64\Ooicid32.exe  (none)
175    2736  C:\Windows\SysWOW64\Oeckfndj.exe  (none)
176    2692  C:\Windows\SysWOW64\Okpcoe32.exe  (none)
177    3004  C:\Windows\SysWOW64\Oeehln32.exe  (none)
178    2300  C:\Windows\SysWOW64\Olophhjd.exe  (none)
179    2856  C:\Windows\SysWOW64\Oalhqohl.exe  (none)
180    1312  C:\Windows\SysWOW64\Ohfqmi32.exe  Modifies registry class
181    1064  C:\Windows\SysWOW64\Oopijc32.exe  (none)
182    1616  C:\Windows\SysWOW64\Opaebkmc.exe  (none)
183    1688  C:\Windows\SysWOW64\Ogknoe32.exe  (none)
184    1604  C:\Windows\SysWOW64\Omefkplm.exe  (none)
185    1684  C:\Windows\SysWOW64\Pdonhj32.exe  (none)
186    1996  C:\Windows\SysWOW64\Pgnjde32.exe  Adds autorun key to be loaded by Explorer.exe on startup
187    944   C:\Windows\SysWOW64\Pilfpqaa.exe  (none)
188    1288  C:\Windows\SysWOW64\Ppfomk32.exe  (none)
189    2596  C:\Windows\SysWOW64\Pdakniag.exe  (none)
190    2884  C:\Windows\SysWOW64\Pincfpoo.exe  (none)
191    2004  C:\Windows\SysWOW64\Pphkbj32.exe  (none)
192    756   C:\Windows\SysWOW64\Pcghof32.exe  Adds autorun key to be loaded by Explorer.exe on startup
193    2008  C:\Windows\SysWOW64\Piqpkpml.exe  Drops file in System32 directory
194    1888  C:\Windows\SysWOW64\Pomhcg32.exe  (none)
195    1368  C:\Windows\SysWOW64\Phfmllbd.exe  (none)
196    864   C:\Windows\SysWOW64\Pejmfqan.exe  (none)
197    2208  C:\Windows\SysWOW64\Qkffng32.exe  (none)
198    3100  C:\Windows\SysWOW64\Qdojgmfe.exe  (none)
199    3140  C:\Windows\SysWOW64\Qkibcg32.exe  Adds autorun key to be loaded by Explorer.exe on startup
200    3180  C:\Windows\SysWOW64\Qackpado.exe  (none)
201    3220  C:\Windows\SysWOW64\Qdaglmcb.exe  (none)
202    3260  C:\Windows\SysWOW64\Akkoig32.exe  (none)
203    3300  C:\Windows\SysWOW64\Abegfa32.exe  (none)
204    3340  C:\Windows\SysWOW64\Aknlofim.exe  (none)
205    3380  C:\Windows\SysWOW64\Amohfo32.exe  (none)
206    3420  C:\Windows\SysWOW64\Aciqcifh.exe  (none)
207    3460  C:\Windows\SysWOW64\Afgmodel.exe  (none)
208    3500  C:\Windows\SysWOW64\Amaelomh.exe  (none)
209    3540  C:\Windows\SysWOW64\Aggiigmn.exe  Modifies registry class
210    3580  C:\Windows\SysWOW64\Ajeeeblb.exe  (none)
211    3620  C:\Windows\SysWOW64\Aobnniji.exe  (none)
212    3660  C:\Windows\SysWOW64\Abpjjeim.exe  (none)
213    3700  C:\Windows\SysWOW64\Aflfjc32.exe  (none)
214    3744  C:\Windows\SysWOW64\Akiobk32.exe  (none)
215    3784  C:\Windows\SysWOW64\Bcpgdhpp.exe  (none)
216    3824  C:\Windows\SysWOW64\Beackp32.exe  (none)
217    3864  C:\Windows\SysWOW64\Bofgii32.exe  (none)
218    3904  C:\Windows\SysWOW64\Becpap32.exe  (none)
219    3944  C:\Windows\SysWOW64\Boidnh32.exe  (none)
220    3984  C:\Windows\SysWOW64\Bbgqjdce.exe  (none)
221    4024  C:\Windows\SysWOW64\Befmfpbi.exe  (none)
222    4064  C:\Windows\SysWOW64\Bnnaoe32.exe  (none)
223    1068  C:\Windows\SysWOW64\Behilopf.exe  (none)
224    3124  C:\Windows\SysWOW64\Bkbaii32.exe  (none)
225    3176  C:\Windows\SysWOW64\Bnqned32.exe  (none)
226    3240  C:\Windows\SysWOW64\Bejfao32.exe  (none)
227    3288  C:\Windows\SysWOW64\Bflbigdb.exe  (none)
228    3332  C:\Windows\SysWOW64\Caaggpdh.exe  (none)
229    3372  C:\Windows\SysWOW64\Cgkocj32.exe  (none)
230    3428  C:\Windows\SysWOW64\Cjjkpe32.exe  (none)
231    3472  C:\Windows\SysWOW64\Cpfdhl32.exe  (none)
232    3520  C:\Windows\SysWOW64\Cfpldf32.exe  (none)
233    3356  C:\Windows\SysWOW64\Cmjdaqgi.exe  (none)
234    3604  C:\Windows\SysWOW64\Ccdmnj32.exe  (none)
235    3668  C:\Windows\SysWOW64\Cfcijf32.exe  (none)
236    3708  C:\Windows\SysWOW64\Cpkmcldj.exe  (none)
237    3756  C:\Windows\SysWOW64\Elfcbo32.exe  (none)
238    3800  C:\Windows\SysWOW64\Eoepnk32.exe  (none)
239    3852  C:\Windows\SysWOW64\Eijdkcgn.exe  (none)
240    3900  C:\Windows\SysWOW64\Elipgofb.exe  (none)
241    3956  C:\Windows\SysWOW64\Eaeipfei.exe  (none)
242    4012  C:\Windows\SysWOW64\Ehpalp32.exe  (none)
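The two record types in this report, the "PID A wrote to memory of B" records and the nested process tree, become useful for hunting once they are turned into a hop-by-hop chain. The script below is an added example and not part of the sandbox report or its tooling. It takes the raw text layout in which such pages export both record types (image path, command line and nesting depth run together on one line, followed by "- " signature bullets and a "PID:" line, or the PID glued straight onto the depth marker), rebuilds the chain, counts the WriteProcessMemory records per hop, flags the SysWOW64-image/system32-command-line mismatch that WOW64 redirection produces, and lists the processes that set an Explorer-loaded autorun key. The sample input is constructed from the first hops of this report; the regexes, the field names and the wording of the findings are this example's own assumptions about the layout, not a documented export format.

```python
"""Rebuild a dropper chain from sandbox report text (added example; the
parsing rules are assumptions about the raw text layout, not a documented
export format)."""
import re

# Constructed sample: the first three hops of the "wrote to memory" records
# in this report, each of which the sandbox logged four times.
WPM_SAMPLE = " ".join(
    ["PID 2240 wrote to memory of 1740 2240 f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe Iggned32.exe"] * 4
    + ["PID 1740 wrote to memory of 2924 1740 Iggned32.exe Jpdkii32.exe"] * 4
    + ["PID 2924 wrote to memory of 2460 2924 Jpdkii32.exe Jlmicj32.exe"] * 4
)

# Constructed sample of the process tree in its raw layout (a few nodes of
# this report): image, command line and depth on one line, then "- "
# signature bullets and a "PID:" line, or the PID glued onto the depth glyph.
TREE_SAMPLE = r'''
C:\Users\Admin\AppData\Local\Temp\f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\f6622d3e89e6453c9bd3bce009eff459_NEIKI.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Iggned32.exeC:\Windows\system32\Iggned32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe66⤵PID:3012
-
'''

# "PID <src> wrote to memory of <dst> <src again> <src image> <dst image>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")
# "<image>.exe<command line><depth>⤵[PID:<pid>]": the first ".exe" ends the
# image path, the digits right before the glyph are the nesting depth.
NODE_RE = re.compile(r"^(?P<image>\S+?\.exe)(?P<cmd>.*?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$")
PID_RE = re.compile(r"^PID:(\d+)")


def parse_wpm(text):
    """Map (writer pid, target pid) -> (writer image, target image, record count)."""
    hops = {}
    for src, dst, pid, src_img, dst_img in WPM_RE.findall(text):
        if src != pid:  # the pid column must repeat the writer's PID
            continue
        key = (int(src), int(dst))
        _, _, n = hops.get(key, (None, None, 0))
        hops[key] = (src_img, dst_img, n + 1)
    return hops


def parse_tree(text):
    """Return one dict per process: depth, image, cmdline, pid, behaviours."""
    nodes = []
    for line in text.splitlines():
        line = line.strip()
        m = NODE_RE.match(line)
        if m:
            nodes.append({"depth": int(m["depth"]), "image": m["image"],
                          "cmdline": m["cmd"],
                          "pid": int(m["pid"]) if m["pid"] else None,
                          "behaviours": []})
        elif nodes and PID_RE.match(line):
            nodes[-1]["pid"] = int(PID_RE.match(line).group(1))
        elif nodes and line.startswith("- "):
            nodes[-1]["behaviours"].append(line[2:].strip())
    return nodes


def audit(nodes, hops):
    """Cross-check the tree against the WriteProcessMemory records and list
    the facts a responder would pivot on, one string per finding."""
    findings = []
    by_depth = {n["depth"]: n for n in nodes}
    for n in nodes:
        name = n["image"].rsplit("\\", 1)[-1]
        # Image under SysWOW64 but a system32 command line: the 32-bit
        # payload ran under WOW64 file-system redirection on an x64 host.
        if "\\syswow64\\" in n["image"].lower() and "\\system32\\" in n["cmdline"].lower():
            findings.append(f"{name}: WOW64 redirection (image in SysWOW64, cmdline says system32)")
        if any(b.startswith("Adds autorun key") for b in n["behaviours"]):
            findings.append(f"{name}: persistence (Explorer-loaded autorun key)")
        parent = by_depth.get(n["depth"] - 1)
        if parent is None:
            if n["depth"] > 1:
                findings.append(f"{name}: parent at depth {n['depth'] - 1} missing from sample")
            continue
        hop = hops.get((parent["pid"], n["pid"]))
        if hop is None:
            findings.append(f"{name}: no WriteProcessMemory record from PID {parent['pid']}")
        else:
            findings.append(f"{name}: injected by {hop[0]} (PID {parent['pid']}), {hop[2]} writes")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_tree(TREE_SAMPLE), parse_wpm(WPM_SAMPLE)):
        print(finding)
```

Run against the full report text, audit() gives one "injected by" line per hop of the chain, which is what a Sysmon or EDR hunt should reproduce on a live host: a parent whose image sits under SysWOW64 performing a process write into a child it has just created, repeated once per generation. The depth-gap finding is there so that a truncated or partially pasted tree shows up as such rather than being silently accepted as a complete chain.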