Analysis
-
max time kernel
119s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 03:28
Behavioral task
behavioral1
Sample
df1c39e8748317397e231a252e401bf0_NEIKI.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
df1c39e8748317397e231a252e401bf0_NEIKI.exe
Resource
win10v2004-20240226-en
General
-
Target
df1c39e8748317397e231a252e401bf0_NEIKI.exe
-
Size
256KB
-
MD5
df1c39e8748317397e231a252e401bf0
-
SHA1
6fa60d04336607af2b3180bcc419e0276edfecf7
-
SHA256
26d37b33a7b4470a7b49c4c73b30dd6c1f1cc2a478b67717bf7ceb2871847388
-
SHA512
7b252093662ccefef14f2a3a4d4d36ef583630238fed78c92421007f9ac1c28654aba685e15d548e061f8e05ea6fb184fe44aa64ce8b2e8327e8b85464ee577a
-
SSDEEP
6144:2YgxWGjlpmmxieQbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/YRU:2AIlpJxifbWGRdA6sQhPbWGRdA6sQxU
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oniebmda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghdgfbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hghillnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnkdnqhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcheib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnkoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggnmbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbofmcij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkqqnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Calcpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnbejb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdkmeiei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkpahon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pegqpacp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbpenco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npdhaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epbbkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afgmodel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkephn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lclicpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfkloq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mblbnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgfoie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hboddk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebnabb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igceej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcokiaji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khghgchk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hghillnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aclpaali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkolakkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goldfelp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hegpjaac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjkdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjaeba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcheib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iichjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Legaoehg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lanbdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhiddoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnomjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclicpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Danpemej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkeohhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gekfnoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jefbnacn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goiehm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhknaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njeccjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhhgcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koddccaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jialfgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlofgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nppofado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joiappkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppfomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odmckcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jllqplnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndhlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iichjc32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2876-0-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x002a000000015c3c-5.dat family_berbew behavioral1/memory/2876-6-0x00000000003C0000-0x0000000000400000-memory.dmp family_berbew behavioral1/memory/3016-18-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0010000000015c5d-19.dat family_berbew behavioral1/memory/3016-21-0x0000000000260000-0x00000000002A0000-memory.dmp family_berbew behavioral1/memory/3064-33-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0007000000015cb9-34.dat family_berbew behavioral1/files/0x0007000000015db4-52.dat family_berbew behavioral1/memory/2592-59-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/2532-55-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000018ae2-61.dat family_berbew behavioral1/memory/1776-70-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000018b15-76.dat family_berbew behavioral1/memory/1776-78-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/memory/2436-85-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000018b37-90.dat family_berbew behavioral1/memory/1468-97-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000018b4a-103.dat family_berbew behavioral1/memory/1364-112-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000018b73-117.dat family_berbew behavioral1/memory/2676-125-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000018ba2-131.dat family_berbew behavioral1/memory/3044-140-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x00050000000192c9-146.dat family_berbew behavioral1/memory/752-154-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x000500000001931b-160.dat family_berbew behavioral1/memory/1664-168-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0005000000019368-174.dat family_berbew behavioral1/memory/2120-183-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x000500000001939b-188.dat family_berbew behavioral1/memory/1860-195-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0005000000019410-207.dat family_berbew behavioral1/memory/2552-209-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/1860-208-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/memory/2552-217-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/files/0x000500000001946f-215.dat family_berbew behavioral1/memory/2156-223-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0005000000019485-231.dat family_berbew behavioral1/memory/2156-230-0x00000000002D0000-0x0000000000310000-memory.dmp family_berbew behavioral1/memory/2968-237-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/2968-240-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/files/0x00040000000194d6-241.dat family_berbew behavioral1/memory/1984-248-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x00040000000194dc-250.dat family_berbew behavioral1/memory/1544-258-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x00050000000194ea-260.dat family_berbew behavioral1/memory/1724-269-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/1544-263-0x00000000001B0000-0x00000000001F0000-memory.dmp family_berbew behavioral1/memory/1724-271-0x0000000000230000-0x0000000000270000-memory.dmp family_berbew behavioral1/files/0x00050000000194ef-272.dat family_berbew behavioral1/memory/1096-276-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x00050000000194f4-282.dat family_berbew behavioral1/memory/1316-291-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0005000000019521-293.dat family_berbew behavioral1/memory/1344-298-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/1344-304-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/files/0x0005000000019570-307.dat family_berbew behavioral1/memory/2012-313-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x000500000001959e-315.dat family_berbew behavioral1/memory/2456-319-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/1208-330-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/2700-341-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x00050000000195a7-336.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3016 Ckahkk32.exe 3064 Ehjona32.exe 2532 Eniclh32.exe 2592 Enkpahon.exe 1776 Fffefjmi.exe 2436 Fofpoo32.exe 1468 Gcheib32.exe 1364 Ggfnopfg.exe 2676 Gcokiaji.exe 3044 Hhcmhdke.exe 752 Hhhgcc32.exe 1664 Ipehmebh.exe 2120 Iipiljgf.exe 1860 Jabdql32.exe 2552 Joiappkp.exe 2156 Jkpbdq32.exe 2968 Koddccaa.exe 1984 Kjihalag.exe 1544 Khoebi32.exe 1724 Khabghdl.exe 1096 Kgfoie32.exe 1316 Lneaqn32.exe 1344 Lgmeid32.exe 2012 Lmljgj32.exe 2456 Mjpkqonj.exe 1208 Miehak32.exe 2700 Mfihkoal.exe 2920 Mpamde32.exe 2656 Mjnjjbbh.exe 2380 Nnkcpq32.exe 2652 Ndhlhg32.exe 2416 Njdqka32.exe 2448 Nbpeoc32.exe 2204 Nijnln32.exe 2672 Ooicid32.exe 2696 Obgkpb32.exe 2308 Oonldcih.exe 1980 Ohfqmi32.exe 1680 Ogknoe32.exe 1516 Pilfpqaa.exe 608 Ppfomk32.exe 2736 Pecgea32.exe 768 Plmpblnb.exe 1924 Piqpkpml.exe 2960 Pegqpacp.exe 1528 Pkdihhag.exe 684 Phhjblpa.exe 1088 Qnebjc32.exe 544 Qngopb32.exe 2192 Qhmcmk32.exe 616 Abegfa32.exe 1480 Acfdnihk.exe 1604 Aqjdgmgd.exe 2564 Afgmodel.exe 2584 Anneqafn.exe 2492 Aopahjll.exe 2580 Ajeeeblb.exe 2796 Aqonbm32.exe 936 Amfognic.exe 1856 Bfncpcoc.exe 1940 Bkklhjnk.exe 2320 Bbeded32.exe 1576 Eihgfd32.exe 2972 Eaheeecg.exe -
Loads dropped DLL 64 IoCs
pid Process 2876 df1c39e8748317397e231a252e401bf0_NEIKI.exe 2876 df1c39e8748317397e231a252e401bf0_NEIKI.exe 3016 Ckahkk32.exe 3016 Ckahkk32.exe 3064 Ehjona32.exe 3064 Ehjona32.exe 2532 Eniclh32.exe 2532 Eniclh32.exe 2592 Enkpahon.exe 2592 Enkpahon.exe 1776 Fffefjmi.exe 1776 Fffefjmi.exe 2436 Fofpoo32.exe 2436 Fofpoo32.exe 1468 Gcheib32.exe 1468 Gcheib32.exe 1364 Ggfnopfg.exe 1364 Ggfnopfg.exe 2676 Gcokiaji.exe 2676 Gcokiaji.exe 3044 Hhcmhdke.exe 3044 Hhcmhdke.exe 752 Hhhgcc32.exe 752 Hhhgcc32.exe 1664 Ipehmebh.exe 1664 Ipehmebh.exe 2120 Iipiljgf.exe 2120 Iipiljgf.exe 1860 Jabdql32.exe 1860 Jabdql32.exe 2552 Joiappkp.exe 2552 Joiappkp.exe 2156 Jkpbdq32.exe 2156 Jkpbdq32.exe 2968 Koddccaa.exe 2968 Koddccaa.exe 1984 Kjihalag.exe 1984 Kjihalag.exe 1544 Khoebi32.exe 1544 Khoebi32.exe 1724 Khabghdl.exe 1724 Khabghdl.exe 1096 Kgfoie32.exe 1096 Kgfoie32.exe 1316 Lneaqn32.exe 1316 Lneaqn32.exe 1344 Lgmeid32.exe 1344 Lgmeid32.exe 2012 Lmljgj32.exe 2012 Lmljgj32.exe 2456 Mjpkqonj.exe 2456 Mjpkqonj.exe 1208 Miehak32.exe 1208 Miehak32.exe 2700 Mfihkoal.exe 2700 Mfihkoal.exe 2920 Mpamde32.exe 2920 Mpamde32.exe 2656 Mjnjjbbh.exe 2656 Mjnjjbbh.exe 2380 Nnkcpq32.exe 2380 Nnkcpq32.exe 2652 Ndhlhg32.exe 2652 Ndhlhg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hkolakkb.exe Hdecea32.exe File created C:\Windows\SysWOW64\Fdpcbceo.dll Mfeaiime.exe File created C:\Windows\SysWOW64\Bgcmiq32.dll Iaimipjl.exe File opened for modification C:\Windows\SysWOW64\Lepaccmo.exe Lkjmfjmi.exe File created C:\Windows\SysWOW64\Gplaplgi.dll Mpamde32.exe File opened for modification C:\Windows\SysWOW64\Ippdgc32.exe Imahkg32.exe File created C:\Windows\SysWOW64\Kmkbjj32.dll Haqnea32.exe File created C:\Windows\SysWOW64\Nncojg32.dll Icafgmbe.exe File created C:\Windows\SysWOW64\Imbjcpnn.exe Igebkiof.exe File created C:\Windows\SysWOW64\Qngopb32.exe Qnebjc32.exe File created C:\Windows\SysWOW64\Lbfook32.exe Lgqkbb32.exe File opened for modification C:\Windows\SysWOW64\Aqonbm32.exe Ajeeeblb.exe File created C:\Windows\SysWOW64\Oiimgf32.dll Eaphjp32.exe File created C:\Windows\SysWOW64\Kejjjbbm.dll Plmbkd32.exe File opened for modification C:\Windows\SysWOW64\Fdkmeiei.exe Famaimfe.exe File opened for modification C:\Windows\SysWOW64\Fhdjgoha.exe Fnofjfhk.exe File created C:\Windows\SysWOW64\Kcnfobob.dll Lgqkbb32.exe File created C:\Windows\SysWOW64\Hblgnkdh.exe Hmoofdea.exe File opened for modification C:\Windows\SysWOW64\Jcciqi32.exe Jllqplnp.exe File created C:\Windows\SysWOW64\Ibcihh32.dll Bieopm32.exe File created C:\Windows\SysWOW64\Fkhbgbkc.exe Fpbnjjkm.exe File opened for modification C:\Windows\SysWOW64\Gmmfaa32.exe Goiehm32.exe File opened for modification C:\Windows\SysWOW64\Khielcfh.exe Kncaojfb.exe File opened for modification C:\Windows\SysWOW64\Lgfjggll.exe Llpfjomf.exe File created C:\Windows\SysWOW64\Fjfikeqd.dll Fncpef32.exe File opened for modification C:\Windows\SysWOW64\Djfdob32.exe Dcllbhdn.exe File created C:\Windows\SysWOW64\Odmckcmq.exe Onqkclni.exe File opened for modification C:\Windows\SysWOW64\Gefmcp32.exe Goldfelp.exe File created C:\Windows\SysWOW64\Lhiddoph.exe Lghgmg32.exe File created C:\Windows\SysWOW64\Pilfpqaa.exe Ogknoe32.exe File created C:\Windows\SysWOW64\Qpjqdl32.dll Kljdkpfl.exe File opened for modification C:\Windows\SysWOW64\Dlljaj32.exe Debadpeg.exe File opened for modification C:\Windows\SysWOW64\Icafgmbe.exe Imgnjb32.exe File opened for modification C:\Windows\SysWOW64\Kncaojfb.exe Khghgchk.exe File created C:\Windows\SysWOW64\Djfdob32.exe Dcllbhdn.exe File opened for modification C:\Windows\SysWOW64\Ibkmchbh.exe Ipmqgmcd.exe File created C:\Windows\SysWOW64\Fmdpgmhn.dll Mdogedmh.exe File opened for modification C:\Windows\SysWOW64\Hklhae32.exe Hqgddm32.exe File opened for modification C:\Windows\SysWOW64\Jkpbdq32.exe Joiappkp.exe File created C:\Windows\SysWOW64\Ccofjipn.dll Calcpm32.exe File created C:\Windows\SysWOW64\Aoaqogml.dll Dljmlj32.exe File created C:\Windows\SysWOW64\Dbobli32.dll Oecmogln.exe File created C:\Windows\SysWOW64\Qhkipdeb.exe Qaapcj32.exe File created C:\Windows\SysWOW64\Gcedad32.exe Gpggei32.exe File created C:\Windows\SysWOW64\Hnbbcale.dll Goldfelp.exe File created C:\Windows\SysWOW64\Hjaeba32.exe Hnkdnqhm.exe File created C:\Windows\SysWOW64\Khoebi32.exe Kjihalag.exe File opened for modification C:\Windows\SysWOW64\Kaajei32.exe Khielcfh.exe File created C:\Windows\SysWOW64\Pgdekc32.dll Pblcbn32.exe File created C:\Windows\SysWOW64\Nmdeem32.dll Lghgmg32.exe File created C:\Windows\SysWOW64\Bniajoic.exe Bccmmf32.exe File opened for modification C:\Windows\SysWOW64\Gdjqamme.exe Gjdldd32.exe File created C:\Windows\SysWOW64\Ogknoe32.exe Ohfqmi32.exe File created C:\Windows\SysWOW64\Gnkoid32.exe Gkmbmh32.exe File opened for modification C:\Windows\SysWOW64\Koaclfgl.exe Keioca32.exe File opened for modification C:\Windows\SysWOW64\Iipiljgf.exe Ipehmebh.exe File opened for modification C:\Windows\SysWOW64\Lgmeid32.exe Lneaqn32.exe File created C:\Windows\SysWOW64\Nbpghl32.exe Nqokpd32.exe File opened for modification C:\Windows\SysWOW64\Bhonjg32.exe Bcbfbp32.exe File opened for modification C:\Windows\SysWOW64\Fkhbgbkc.exe Fpbnjjkm.exe File created C:\Windows\SysWOW64\Olfcfe32.dll Jdnmma32.exe File opened for modification C:\Windows\SysWOW64\Jampjian.exe Jlphbbbg.exe File created C:\Windows\SysWOW64\Fijjok32.dll Hgflflqg.exe File created C:\Windows\SysWOW64\Ncinap32.exe Njpihk32.exe -
Program crash 1 IoCs
pid pid_target Process 4440 4952 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfopbgif.dll" Llpfjomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll" Lkjmfjmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpgjgboe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egajnfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kejjjbbm.dll" Plmbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldaomc32.dll" Emoldlmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agpeaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgghac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpggei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obgkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppfomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggnmbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ippdgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaimopli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgdkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koddccaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlkhpje.dll" Lcjlnpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eldhjg32.dll" Hbkqdepm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Objjnkie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohdfqbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohdfqbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpeeijod.dll" Bcbfbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lneaqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khielcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll" Cileqlmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emifeqid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnbejb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdphjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfaalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggfnopfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkkapd32.dll" Jhbold32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmedlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eikfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbofmcij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlofgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkdjglfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciokijfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plmpblnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pegqpacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cebeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpmhc32.dll" Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjjnhnbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmoofdea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gefmcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcdnhoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhgdb32.dll" Legaoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jefbnacn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odmckcmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbgjgomc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daeclf32.dll" Aclpaali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbbcale.dll" Goldfelp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imggplgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpehnpj.dll" Foahmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odecjfnl.dll" Anogijnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdiqpigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmfpmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcphnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Andgop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejgei32.dll" Djiqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jalcdhla.dll" Anljck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqbpk32.dll" Jllqplnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdbnfqia.dll" Ppfomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohbak32.dll" Mpebmc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2876 wrote to memory of 3016 2876 df1c39e8748317397e231a252e401bf0_NEIKI.exe 28 PID 2876 wrote to memory of 3016 2876 df1c39e8748317397e231a252e401bf0_NEIKI.exe 28 PID 2876 wrote to memory of 3016 2876 df1c39e8748317397e231a252e401bf0_NEIKI.exe 28 PID 2876 wrote to memory of 3016 2876 df1c39e8748317397e231a252e401bf0_NEIKI.exe 28 PID 3016 wrote to memory of 3064 3016 Ckahkk32.exe 29 PID 3016 wrote to memory of 3064 3016 Ckahkk32.exe 29 PID 3016 wrote to memory of 3064 3016 Ckahkk32.exe 29 PID 3016 wrote to memory of 3064 3016 Ckahkk32.exe 29 PID 3064 wrote to memory of 2532 3064 Ehjona32.exe 30 PID 3064 wrote to memory of 2532 3064 Ehjona32.exe 30 PID 3064 wrote to memory of 2532 3064 Ehjona32.exe 30 PID 3064 wrote to memory of 2532 3064 Ehjona32.exe 30 PID 2532 wrote to memory of 2592 2532 Eniclh32.exe 31 PID 2532 wrote to memory of 2592 2532 Eniclh32.exe 31 PID 2532 wrote to memory of 2592 2532 Eniclh32.exe 31 PID 2532 wrote to memory of 2592 2532 Eniclh32.exe 31 PID 2592 wrote to memory of 1776 2592 Enkpahon.exe 32 PID 2592 wrote to memory of 1776 2592 Enkpahon.exe 32 PID 2592 wrote to memory of 1776 2592 Enkpahon.exe 32 PID 2592 wrote to memory of 1776 2592 Enkpahon.exe 32 PID 1776 wrote to memory of 2436 1776 Fffefjmi.exe 33 PID 1776 wrote to memory of 2436 1776 Fffefjmi.exe 33 PID 1776 wrote to memory of 2436 1776 Fffefjmi.exe 33 PID 1776 wrote to memory of 2436 1776 Fffefjmi.exe 33 PID 2436 wrote to memory of 1468 2436 Fofpoo32.exe 34 PID 2436 wrote to memory of 1468 2436 Fofpoo32.exe 34 PID 2436 wrote to memory of 1468 2436 Fofpoo32.exe 34 PID 2436 wrote to memory of 1468 2436 Fofpoo32.exe 34 PID 1468 wrote to memory of 1364 1468 Gcheib32.exe 35 PID 1468 wrote to memory of 1364 1468 Gcheib32.exe 35 PID 1468 wrote to memory of 1364 1468 Gcheib32.exe 35 PID 1468 wrote to memory of 1364 1468 Gcheib32.exe 35 PID 1364 wrote to memory of 2676 1364 Ggfnopfg.exe 36 PID 1364 wrote to memory of 2676 1364 Ggfnopfg.exe 36 PID 1364 wrote to memory of 2676 1364 Ggfnopfg.exe 36 PID 1364 wrote to memory of 2676 1364 Ggfnopfg.exe 36 PID 2676 wrote to memory of 3044 2676 Gcokiaji.exe 37 PID 2676 wrote to memory of 3044 2676 Gcokiaji.exe 37 PID 2676 wrote to memory of 3044 2676 Gcokiaji.exe 37 PID 2676 wrote to memory of 3044 2676 Gcokiaji.exe 37 PID 3044 wrote to memory of 752 3044 Hhcmhdke.exe 38 PID 3044 wrote to memory of 752 3044 Hhcmhdke.exe 38 PID 3044 wrote to memory of 752 3044 Hhcmhdke.exe 38 PID 3044 wrote to memory of 752 3044 Hhcmhdke.exe 38 PID 752 wrote to memory of 1664 752 Hhhgcc32.exe 39 PID 752 wrote to memory of 1664 752 Hhhgcc32.exe 39 PID 752 wrote to memory of 1664 752 Hhhgcc32.exe 39 PID 752 wrote to memory of 1664 752 Hhhgcc32.exe 39 PID 1664 wrote to memory of 2120 1664 Ipehmebh.exe 40 PID 1664 wrote to memory of 2120 1664 Ipehmebh.exe 40 PID 1664 wrote to memory of 2120 1664 Ipehmebh.exe 40 PID 1664 wrote to memory of 2120 1664 Ipehmebh.exe 40 PID 2120 wrote to memory of 1860 2120 Iipiljgf.exe 41 PID 2120 wrote to memory of 1860 2120 Iipiljgf.exe 41 PID 2120 wrote to memory of 1860 2120 Iipiljgf.exe 41 PID 2120 wrote to memory of 1860 2120 Iipiljgf.exe 41 PID 1860 wrote to memory of 2552 1860 Jabdql32.exe 42 PID 1860 wrote to memory of 2552 1860 Jabdql32.exe 42 PID 1860 wrote to memory of 2552 1860 Jabdql32.exe 42 PID 1860 wrote to memory of 2552 1860 Jabdql32.exe 42 PID 2552 wrote to memory of 2156 2552 Joiappkp.exe 43 PID 2552 wrote to memory of 2156 2552 Joiappkp.exe 43 PID 2552 wrote to memory of 2156 2552 Joiappkp.exe 43 PID 2552 wrote to memory of 2156 2552 Joiappkp.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\df1c39e8748317397e231a252e401bf0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\df1c39e8748317397e231a252e401bf0_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1344 -
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe33⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe34⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe35⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe36⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe38⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe41⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:608 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe43⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe45⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe47⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe48⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe50⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe51⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe52⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Acfdnihk.exeC:\Windows\system32\Acfdnihk.exe53⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Aqjdgmgd.exeC:\Windows\system32\Aqjdgmgd.exe54⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe56⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe57⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe59⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Amfognic.exeC:\Windows\system32\Amfognic.exe60⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe61⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe62⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe63⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe64⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe65⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Fnofjfhk.exeC:\Windows\system32\Fnofjfhk.exe66⤵
- Drops file in System32 directory
PID:472 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe67⤵PID:2684
-
C:\Windows\SysWOW64\Fjegog32.exeC:\Windows\system32\Fjegog32.exe68⤵PID:1864
-
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe69⤵
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\Fcphnm32.exeC:\Windows\system32\Fcphnm32.exe70⤵
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Fjjpjgjj.exeC:\Windows\system32\Fjjpjgjj.exe71⤵PID:2996
-
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe72⤵PID:2068
-
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe74⤵PID:2348
-
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe75⤵PID:2644
-
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472 -
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe77⤵PID:2376
-
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:792 -
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe79⤵PID:1624
-
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe80⤵PID:1552
-
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe81⤵PID:2316
-
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe83⤵
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe84⤵PID:1792
-
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe85⤵PID:2932
-
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe87⤵PID:1440
-
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe88⤵PID:1712
-
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:320 -
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe90⤵PID:2004
-
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe91⤵PID:1304
-
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe92⤵PID:3004
-
C:\Windows\SysWOW64\Iimfld32.exeC:\Windows\system32\Iimfld32.exe93⤵PID:2956
-
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe94⤵PID:2884
-
C:\Windows\SysWOW64\Imokehhl.exeC:\Windows\system32\Imokehhl.exe95⤵PID:2624
-
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe96⤵PID:800
-
C:\Windows\SysWOW64\Imahkg32.exeC:\Windows\system32\Imahkg32.exe97⤵
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe98⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe99⤵PID:2948
-
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe100⤵PID:2100
-
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe101⤵
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe102⤵PID:1396
-
C:\Windows\SysWOW64\Jdpjba32.exeC:\Windows\system32\Jdpjba32.exe103⤵PID:2468
-
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe104⤵PID:3056
-
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe105⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe106⤵
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe107⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Jialfgcc.exeC:\Windows\system32\Jialfgcc.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1916 -
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe109⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Jampjian.exeC:\Windows\system32\Jampjian.exe110⤵PID:2400
-
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1112 -
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe112⤵
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe114⤵PID:2692
-
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe115⤵PID:2144
-
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe116⤵PID:2660
-
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe117⤵PID:1288
-
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1092 -
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe119⤵PID:2032
-
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1164 -
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe121⤵
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe122⤵PID:1472
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-