Analysis
- max time kernel: 136s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/05/2024, 03:28
Behavioral task behavioral1
- Sample: df1c39e8748317397e231a252e401bf0_NEIKI.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: df1c39e8748317397e231a252e401bf0_NEIKI.exe
- Resource: win10v2004-20240226-en
General
- Target: df1c39e8748317397e231a252e401bf0_NEIKI.exe
- Size: 256KB
- MD5: df1c39e8748317397e231a252e401bf0
- SHA1: 6fa60d04336607af2b3180bcc419e0276edfecf7
- SHA256: 26d37b33a7b4470a7b49c4c73b30dd6c1f1cc2a478b67717bf7ceb2871847388
- SHA512: 7b252093662ccefef14f2a3a4d4d36ef583630238fed78c92421007f9ac1c28654aba685e15d548e061f8e05ea6fb184fe44aa64ce8b2e8327e8b85464ee577a
- SSDEEP: 6144:2YgxWGjlpmmxieQbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/YRU:2AIlpJxifbWGRdA6sQhPbWGRdA6sQxU
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  pid 6132, pid_target 2412, Process WerFault.exe, procid_target 240
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\df1c39e8748317397e231a252e401bf0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\df1c39e8748317397e231a252e401bf0_NEIKI.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Khfkfedn.exeC:\Windows\system32\Khfkfedn.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Ndlacapp.exeC:\Windows\system32\Ndlacapp.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Odedipge.exeC:\Windows\system32\Odedipge.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\Pilpfm32.exeC:\Windows\system32\Pilpfm32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Pcfmneaa.exeC:\Windows\system32\Pcfmneaa.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Aijlgkjq.exeC:\Windows\system32\Aijlgkjq.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Afceko32.exeC:\Windows\system32\Afceko32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Bikeni32.exeC:\Windows\system32\Bikeni32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Cemeoh32.exeC:\Windows\system32\Cemeoh32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\Dbfoclai.exeC:\Windows\system32\Dbfoclai.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Dpllbp32.exeC:\Windows\system32\Dpllbp32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Eleimp32.exeC:\Windows\system32\Eleimp32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Fnqebaog.exeC:\Windows\system32\Fnqebaog.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Gggfme32.exeC:\Windows\system32\Gggfme32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Hcifmdeo.exeC:\Windows\system32\Hcifmdeo.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Iqdmghnp.exeC:\Windows\system32\Iqdmghnp.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Jffokn32.exeC:\Windows\system32\Jffokn32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Janpnfee.exeC:\Windows\system32\Janpnfee.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\Jcaeea32.exeC:\Windows\system32\Jcaeea32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Kmlgcf32.exeC:\Windows\system32\Kmlgcf32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5080 -
C:\Windows\SysWOW64\Kffhakjp.exeC:\Windows\system32\Kffhakjp.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4324 -
C:\Windows\SysWOW64\Knbinhfl.exeC:\Windows\system32\Knbinhfl.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Logbigbg.exeC:\Windows\system32\Logbigbg.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Ldfhgn32.exeC:\Windows\system32\Ldfhgn32.exe27⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Lmqiec32.exeC:\Windows\system32\Lmqiec32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:4548 -
C:\Windows\SysWOW64\Mgkjch32.exeC:\Windows\system32\Mgkjch32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4376 -
C:\Windows\SysWOW64\Meoggpmd.exeC:\Windows\system32\Meoggpmd.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3452 -
C:\Windows\SysWOW64\Nhffijdm.exeC:\Windows\system32\Nhffijdm.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Nockkcjg.exeC:\Windows\system32\Nockkcjg.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:404 -
C:\Windows\SysWOW64\Ohgopgfj.exeC:\Windows\system32\Ohgopgfj.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Poeahaib.exeC:\Windows\system32\Poeahaib.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Pgaelcgm.exeC:\Windows\system32\Pgaelcgm.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Pnknim32.exeC:\Windows\system32\Pnknim32.exe36⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Pdeffgff.exeC:\Windows\system32\Pdeffgff.exe37⤵
- Executes dropped EXE
PID:3476 -
C:\Windows\SysWOW64\Qfilkj32.exeC:\Windows\system32\Qfilkj32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Aeglbeea.exeC:\Windows\system32\Aeglbeea.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3676 -
C:\Windows\SysWOW64\Belemd32.exeC:\Windows\system32\Belemd32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5040 -
C:\Windows\SysWOW64\Bfpkbfdi.exeC:\Windows\system32\Bfpkbfdi.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3572 -
C:\Windows\SysWOW64\Cnpibh32.exeC:\Windows\system32\Cnpibh32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3224 -
C:\Windows\SysWOW64\Cfljnejl.exeC:\Windows\system32\Cfljnejl.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4700 -
C:\Windows\SysWOW64\Diopep32.exeC:\Windows\system32\Diopep32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Dfcqod32.exeC:\Windows\system32\Dfcqod32.exe45⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Dehnpp32.exeC:\Windows\system32\Dehnpp32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4560 -
C:\Windows\SysWOW64\Ehnpmkbg.exeC:\Windows\system32\Ehnpmkbg.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Ellicihn.exeC:\Windows\system32\Ellicihn.exe48⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Eipilmgh.exeC:\Windows\system32\Eipilmgh.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3092 -
C:\Windows\SysWOW64\Fochecog.exeC:\Windows\system32\Fochecog.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4816 -
C:\Windows\SysWOW64\Miklkm32.exeC:\Windows\system32\Miklkm32.exe51⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Nibbklke.exeC:\Windows\system32\Nibbklke.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3328 -
C:\Windows\SysWOW64\Nalgbi32.exeC:\Windows\system32\Nalgbi32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Niglfl32.exeC:\Windows\system32\Niglfl32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4568 -
C:\Windows\SysWOW64\Naqqmieo.exeC:\Windows\system32\Naqqmieo.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Oacmchcl.exeC:\Windows\system32\Oacmchcl.exe56⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Okkalnjm.exeC:\Windows\system32\Okkalnjm.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Odhppclh.exeC:\Windows\system32\Odhppclh.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Ajjjjghg.exeC:\Windows\system32\Ajjjjghg.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Bjhgke32.exeC:\Windows\system32\Bjhgke32.exe60⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Ckoifgmb.exeC:\Windows\system32\Ckoifgmb.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Cnboma32.exeC:\Windows\system32\Cnboma32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Cgjcfgoa.exeC:\Windows\system32\Cgjcfgoa.exe63⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Ejiiippb.exeC:\Windows\system32\Ejiiippb.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:840 -
C:\Windows\SysWOW64\Fiaogfai.exeC:\Windows\system32\Fiaogfai.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Hkgnalep.exeC:\Windows\system32\Hkgnalep.exe66⤵
- Modifies registry class
PID:4408 -
C:\Windows\SysWOW64\Jcmkjeko.exeC:\Windows\system32\Jcmkjeko.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Kfndlphp.exeC:\Windows\system32\Kfndlphp.exe68⤵PID:1412
-
C:\Windows\SysWOW64\Kfejmobh.exeC:\Windows\system32\Kfejmobh.exe69⤵PID:2508
-
C:\Windows\SysWOW64\Lmfhjhdm.exeC:\Windows\system32\Lmfhjhdm.exe70⤵PID:3480
-
C:\Windows\SysWOW64\Lbcabo32.exeC:\Windows\system32\Lbcabo32.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:3392 -
C:\Windows\SysWOW64\Lfqjhmhk.exeC:\Windows\system32\Lfqjhmhk.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3724 -
C:\Windows\SysWOW64\Olndnp32.exeC:\Windows\system32\Olndnp32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3756 -
C:\Windows\SysWOW64\Bgdjicmn.exeC:\Windows\system32\Bgdjicmn.exe74⤵PID:2024
-
C:\Windows\SysWOW64\Bmhibi32.exeC:\Windows\system32\Bmhibi32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Ckiipa32.exeC:\Windows\system32\Ckiipa32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Cklffq32.exeC:\Windows\system32\Cklffq32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Cqinng32.exeC:\Windows\system32\Cqinng32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4268 -
C:\Windows\SysWOW64\Cgbfka32.exeC:\Windows\system32\Cgbfka32.exe79⤵
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Djhiglji.exeC:\Windows\system32\Djhiglji.exe80⤵
- Drops file in System32 directory
PID:3264 -
C:\Windows\SysWOW64\Ddnmeejo.exeC:\Windows\system32\Ddnmeejo.exe81⤵
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Dmiaig32.exeC:\Windows\system32\Dmiaig32.exe82⤵
- Drops file in System32 directory
PID:5084 -
C:\Windows\SysWOW64\Djmbbk32.exeC:\Windows\system32\Djmbbk32.exe83⤵PID:4620
-
C:\Windows\SysWOW64\Debfpd32.exeC:\Windows\system32\Debfpd32.exe84⤵
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Emdaee32.exeC:\Windows\system32\Emdaee32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1352 -
C:\Windows\SysWOW64\Fcepbooa.exeC:\Windows\system32\Fcepbooa.exe86⤵
- Modifies registry class
PID:436 -
C:\Windows\SysWOW64\Fmndkd32.exeC:\Windows\system32\Fmndkd32.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:228 -
C:\Windows\SysWOW64\Gehbio32.exeC:\Windows\system32\Gehbio32.exe88⤵
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Hopfadlp.exeC:\Windows\system32\Hopfadlp.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Hejono32.exeC:\Windows\system32\Hejono32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3088 -
C:\Windows\SysWOW64\Hobcgdjm.exeC:\Windows\system32\Hobcgdjm.exe91⤵
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Ihnmlg32.exeC:\Windows\system32\Ihnmlg32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4108 -
C:\Windows\SysWOW64\Jahnkl32.exeC:\Windows\system32\Jahnkl32.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:4204 -
C:\Windows\SysWOW64\Jaodkk32.exeC:\Windows\system32\Jaodkk32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4212 -
C:\Windows\SysWOW64\Kkhidaeo.exeC:\Windows\system32\Kkhidaeo.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:3952 -
C:\Windows\SysWOW64\Khlinedh.exeC:\Windows\system32\Khlinedh.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4908 -
C:\Windows\SysWOW64\Khbpndnp.exeC:\Windows\system32\Khbpndnp.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Kffphhmj.exeC:\Windows\system32\Kffphhmj.exe98⤵PID:4996
-
C:\Windows\SysWOW64\Lhgiic32.exeC:\Windows\system32\Lhgiic32.exe99⤵PID:4140
-
C:\Windows\SysWOW64\Ldnjndpo.exeC:\Windows\system32\Ldnjndpo.exe100⤵
- Modifies registry class
PID:3148 -
C:\Windows\SysWOW64\Lkhbko32.exeC:\Windows\system32\Lkhbko32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3496 -
C:\Windows\SysWOW64\Lkjoqnei.exeC:\Windows\system32\Lkjoqnei.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3548 -
C:\Windows\SysWOW64\Mfiedfmd.exeC:\Windows\system32\Mfiedfmd.exe103⤵
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Nilkkq32.exeC:\Windows\system32\Nilkkq32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Nnidcg32.exeC:\Windows\system32\Nnidcg32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4296 -
C:\Windows\SysWOW64\Obcled32.exeC:\Windows\system32\Obcled32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3828 -
C:\Windows\SysWOW64\Omhpcm32.exeC:\Windows\system32\Omhpcm32.exe107⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Pihdnloc.exeC:\Windows\system32\Pihdnloc.exe108⤵
- Drops file in System32 directory
PID:752 -
C:\Windows\SysWOW64\Pfmdgq32.exeC:\Windows\system32\Pfmdgq32.exe109⤵PID:2268
-
C:\Windows\SysWOW64\Ppeipfdm.exeC:\Windows\system32\Ppeipfdm.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Peaahmcd.exeC:\Windows\system32\Peaahmcd.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:748 -
C:\Windows\SysWOW64\Qojeabie.exeC:\Windows\system32\Qojeabie.exe112⤵
- Modifies registry class
PID:5156 -
C:\Windows\SysWOW64\Qmkfoj32.exeC:\Windows\system32\Qmkfoj32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5196 -
C:\Windows\SysWOW64\Qolbgbgb.exeC:\Windows\system32\Qolbgbgb.exe114⤵
- Drops file in System32 directory
PID:5264 -
C:\Windows\SysWOW64\Bpgnmcdh.exeC:\Windows\system32\Bpgnmcdh.exe115⤵PID:5312
-
C:\Windows\SysWOW64\Bnbeggmi.exeC:\Windows\system32\Bnbeggmi.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5364 -
C:\Windows\SysWOW64\Cnndbecl.exeC:\Windows\system32\Cnndbecl.exe117⤵
- Drops file in System32 directory
PID:5408 -
C:\Windows\SysWOW64\Dcbckk32.exeC:\Windows\system32\Dcbckk32.exe118⤵PID:5448
-
C:\Windows\SysWOW64\Djlkhe32.exeC:\Windows\system32\Djlkhe32.exe119⤵
- Drops file in System32 directory
PID:5496 -
C:\Windows\SysWOW64\Dgplai32.exeC:\Windows\system32\Dgplai32.exe120⤵PID:5540
-
C:\Windows\SysWOW64\Eonmkkmj.exeC:\Windows\system32\Eonmkkmj.exe121⤵PID:5580
-
C:\Windows\SysWOW64\Enomic32.exeC:\Windows\system32\Enomic32.exe122⤵PID:5648