Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 03:01
Behavioral task
behavioral1
Sample
d80de9d11528d52093f79c88b9381000_NEIKI.exe
Resource
win7-20240508-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
d80de9d11528d52093f79c88b9381000_NEIKI.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
d80de9d11528d52093f79c88b9381000_NEIKI.exe
-
Size
768KB
-
MD5
d80de9d11528d52093f79c88b9381000
-
SHA1
7ed79e8dc5bd50ad0d276eb53252568ce6c6ef3d
-
SHA256
f3665011d7c794088d7a135d48df8f517541ce84e6af9a285abf57c5ccd8cd19
-
SHA512
6f2634956939fecf9f3ca57f6b9892f8ebc018454459e3b10259300fae2e1ef16e277ccfe49435b223235ed8d715d006952834cd7ab8b7e27f482e34e6001007
-
SSDEEP
12288:u4voZsOc5DJvF6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPX:usq5h3q5htaSHFaZRBEYyqmaf2qwiHPX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldidkbpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgnab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnobnmpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndbcpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojfaijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfoocjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebjglbml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Behnnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkcofe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkgbbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enakbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnoomqbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckafbbph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlibjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqhpdhcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgpef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjnfniii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfoocjfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgppi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlqnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egafleqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlgldibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpiipf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjnfniii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbjbaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcadac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maoajf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfahhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooeggp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djhphncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leonofpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamddf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blpjegfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" d80de9d11528d52093f79c88b9381000_NEIKI.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkgbbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chnqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceodnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdpjlajk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nolhan32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000d00000001226c-5.dat family_berbew behavioral1/files/0x0008000000016d1a-26.dat family_berbew behavioral1/files/0x0007000000016d33-41.dat family_berbew behavioral1/files/0x0009000000016d44-49.dat family_berbew behavioral1/files/0x0006000000017568-70.dat family_berbew behavioral1/files/0x00060000000175f4-77.dat family_berbew behavioral1/files/0x00050000000186ff-91.dat family_berbew behavioral1/files/0x000500000001870d-104.dat family_berbew behavioral1/files/0x000400000001da0d-1661.dat family_berbew behavioral1/files/0x000400000001da09-1653.dat family_berbew behavioral1/files/0x000400000001da05-1645.dat family_berbew behavioral1/files/0x000400000001da01-1637.dat family_berbew behavioral1/files/0x000400000001d9fd-1629.dat family_berbew behavioral1/files/0x000400000001d9f8-1621.dat family_berbew behavioral1/files/0x000400000001d9f4-1613.dat family_berbew behavioral1/files/0x000400000001d9f0-1605.dat family_berbew behavioral1/files/0x000400000001d9ec-1597.dat family_berbew behavioral1/files/0x000400000001d9e8-1589.dat family_berbew behavioral1/files/0x000400000001d9e4-1581.dat family_berbew behavioral1/files/0x000400000001d9d5-1573.dat family_berbew behavioral1/files/0x000400000001d9c3-1565.dat family_berbew behavioral1/files/0x000400000001d976-1557.dat family_berbew behavioral1/files/0x000400000001d950-1549.dat family_berbew behavioral1/files/0x000400000001d912-1541.dat family_berbew behavioral1/files/0x000400000001d90e-1533.dat family_berbew behavioral1/files/0x000400000001d90a-1525.dat family_berbew behavioral1/files/0x000400000001d906-1517.dat family_berbew behavioral1/files/0x000400000001d902-1509.dat family_berbew behavioral1/files/0x000400000001d8d3-1501.dat family_berbew behavioral1/files/0x000400000001d8c8-1493.dat family_berbew behavioral1/files/0x000400000001d8c0-1485.dat family_berbew behavioral1/files/0x000400000001d87f-1477.dat family_berbew behavioral1/files/0x000400000001d810-1469.dat family_berbew behavioral1/files/0x000400000001d7de-1461.dat family_berbew behavioral1/files/0x000400000001d79c-1453.dat family_berbew behavioral1/files/0x000400000001d763-1445.dat family_berbew behavioral1/files/0x000400000001d761-1437.dat family_berbew behavioral1/files/0x000400000001d75b-1429.dat family_berbew behavioral1/files/0x000400000001d757-1421.dat family_berbew behavioral1/files/0x000400000001d753-1413.dat family_berbew behavioral1/files/0x000400000001d740-1405.dat family_berbew behavioral1/files/0x000400000001d70f-1397.dat family_berbew behavioral1/files/0x000400000001d6fe-1389.dat family_berbew behavioral1/files/0x000400000001d6aa-1381.dat family_berbew behavioral1/files/0x000400000001d5bc-1373.dat family_berbew behavioral1/files/0x000400000001d509-1365.dat family_berbew behavioral1/files/0x000400000001d49d-1357.dat family_berbew behavioral1/files/0x000400000001d42f-1349.dat family_berbew behavioral1/files/0x000400000001d428-1341.dat family_berbew behavioral1/files/0x000400000001d423-1333.dat family_berbew behavioral1/files/0x000400000001d41d-1325.dat family_berbew behavioral1/files/0x000400000001d415-1317.dat family_berbew behavioral1/files/0x000400000001d40d-1309.dat family_berbew behavioral1/files/0x000400000001d405-1301.dat family_berbew behavioral1/files/0x000400000001d3fe-1293.dat family_berbew behavioral1/files/0x000400000001d3f2-1285.dat family_berbew behavioral1/files/0x000400000001d3ed-1277.dat family_berbew behavioral1/files/0x000400000001d3e9-1269.dat family_berbew behavioral1/files/0x000400000001d3e5-1261.dat family_berbew behavioral1/files/0x000400000001d3e1-1253.dat family_berbew behavioral1/files/0x000400000001d3c9-1245.dat family_berbew behavioral1/files/0x000400000001d3b4-1237.dat family_berbew behavioral1/files/0x000400000001d33c-1229.dat family_berbew behavioral1/files/0x000400000001d2e9-1221.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1316 Icpigm32.exe 2364 Jmhmpb32.exe 2788 Jcgogk32.exe 2708 Jgidao32.exe 3036 Jbnhng32.exe 2500 Kjnfniii.exe 2556 Kfgdhjmk.exe 2824 Lldlqakb.exe 1956 Leonofpp.exe 2236 Lhmjkaoc.exe 2404 Lpdbloof.exe 748 Lbcnhjnj.exe 756 Leajdfnm.exe 1660 Lhpfqama.exe 2908 Lkncmmle.exe 2884 Lbeknj32.exe 2968 Lecgje32.exe 2192 Lkppbl32.exe 2012 Lollckbk.exe 912 Ldidkbpb.exe 2280 Mggpgmof.exe 1784 Mkclhl32.exe 2848 Mamddf32.exe 944 Mdkqqa32.exe 1796 Mhgmapfi.exe 2152 Mihiih32.exe 1948 Maoajf32.exe 2468 Mbpnanch.exe 2288 Mkgfckcj.exe 356 Mlibjc32.exe 836 Mdpjlajk.exe 1584 Meagci32.exe 1272 Mmhodf32.exe 1312 Moiklogi.exe 2792 Meccii32.exe 2256 Mhbped32.exe 2880 Mpigfa32.exe 2560 Nolhan32.exe 2504 Najdnj32.exe 2536 Nialog32.exe 2548 Nkbhgojk.exe 1964 Nehmdhja.exe 2032 Nlbeqb32.exe 2156 Nncahjgl.exe 896 Ndmjedoi.exe 1140 Nkgbbo32.exe 1680 Nnennj32.exe 2900 Naajoinb.exe 2488 Ngnbgplj.exe 2060 Nnhkcj32.exe 1836 Nacgdhlp.exe 1736 Ndbcpd32.exe 1764 Ngpolo32.exe 1048 Ojolhk32.exe 2408 Onjgiiad.exe 1988 Ogblbo32.exe 2472 Olpdjf32.exe 876 Ocimgp32.exe 1092 Ogeigofa.exe 2340 Ojcecjee.exe 2636 Ombapedi.exe 2748 Oclilp32.exe 2800 Ojfaijcc.exe 2644 Okgnab32.exe -
Loads dropped DLL 64 IoCs
pid Process 1284 d80de9d11528d52093f79c88b9381000_NEIKI.exe 1284 d80de9d11528d52093f79c88b9381000_NEIKI.exe 1316 Icpigm32.exe 1316 Icpigm32.exe 2364 Jmhmpb32.exe 2364 Jmhmpb32.exe 2788 Jcgogk32.exe 2788 Jcgogk32.exe 2708 Jgidao32.exe 2708 Jgidao32.exe 3036 Jbnhng32.exe 3036 Jbnhng32.exe 2500 Kjnfniii.exe 2500 Kjnfniii.exe 2556 Kfgdhjmk.exe 2556 Kfgdhjmk.exe 2824 Lldlqakb.exe 2824 Lldlqakb.exe 1956 Leonofpp.exe 1956 Leonofpp.exe 2236 Lhmjkaoc.exe 2236 Lhmjkaoc.exe 2404 Lpdbloof.exe 2404 Lpdbloof.exe 748 Lbcnhjnj.exe 748 Lbcnhjnj.exe 756 Leajdfnm.exe 756 Leajdfnm.exe 1660 Lhpfqama.exe 1660 Lhpfqama.exe 2908 Lkncmmle.exe 2908 Lkncmmle.exe 2884 Lbeknj32.exe 2884 Lbeknj32.exe 2968 Lecgje32.exe 2968 Lecgje32.exe 2192 Lkppbl32.exe 2192 Lkppbl32.exe 2012 Lollckbk.exe 2012 Lollckbk.exe 912 Ldidkbpb.exe 912 Ldidkbpb.exe 2280 Mggpgmof.exe 2280 Mggpgmof.exe 1784 Mkclhl32.exe 1784 Mkclhl32.exe 2848 Mamddf32.exe 2848 Mamddf32.exe 944 Mdkqqa32.exe 944 Mdkqqa32.exe 1796 Mhgmapfi.exe 1796 Mhgmapfi.exe 2152 Mihiih32.exe 2152 Mihiih32.exe 1948 Maoajf32.exe 1948 Maoajf32.exe 2468 Mbpnanch.exe 2468 Mbpnanch.exe 2288 Mkgfckcj.exe 2288 Mkgfckcj.exe 356 Mlibjc32.exe 356 Mlibjc32.exe 836 Mdpjlajk.exe 836 Mdpjlajk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ebodiofk.exe Ejhlgaeh.exe File created C:\Windows\SysWOW64\Lhpfqama.exe Leajdfnm.exe File opened for modification C:\Windows\SysWOW64\Maoajf32.exe Mihiih32.exe File created C:\Windows\SysWOW64\Aelcmdee.dll Qfahhm32.exe File created C:\Windows\SysWOW64\Bhndldcn.exe Bpgljfbl.exe File created C:\Windows\SysWOW64\Cgllco32.dll Ejmebq32.exe File created C:\Windows\SysWOW64\Eojnkg32.exe Emkaol32.exe File opened for modification C:\Windows\SysWOW64\Leajdfnm.exe Lbcnhjnj.exe File opened for modification C:\Windows\SysWOW64\Pclfkc32.exe Pamiog32.exe File created C:\Windows\SysWOW64\Bocolb32.exe Bldcpf32.exe File opened for modification C:\Windows\SysWOW64\Djklnnaj.exe Dfoqmo32.exe File created C:\Windows\SysWOW64\Eqpgol32.exe Enakbp32.exe File created C:\Windows\SysWOW64\Jgidao32.exe Jcgogk32.exe File created C:\Windows\SysWOW64\Mfnekf32.dll Jcgogk32.exe File opened for modification C:\Windows\SysWOW64\Emkaol32.exe Ejmebq32.exe File created C:\Windows\SysWOW64\Adpkee32.exe Aaaoij32.exe File created C:\Windows\SysWOW64\Cgcmlcja.exe Cddaphkn.exe File created C:\Windows\SysWOW64\Ednpej32.exe Ebodiofk.exe File opened for modification C:\Windows\SysWOW64\Aipddi32.exe Qfahhm32.exe File created C:\Windows\SysWOW64\Aidnohbk.exe Aamfnkai.exe File created C:\Windows\SysWOW64\Enakbp32.exe Dkcofe32.exe File created C:\Windows\SysWOW64\Eqdajkkb.exe Enfenplo.exe File created C:\Windows\SysWOW64\Kfgdhjmk.exe Kjnfniii.exe File created C:\Windows\SysWOW64\Meagci32.exe Mdpjlajk.exe File created C:\Windows\SysWOW64\Jbkpmm32.dll Mpigfa32.exe File opened for modification C:\Windows\SysWOW64\Dfffnn32.exe Dnoomqbg.exe File created C:\Windows\SysWOW64\Bpbbfi32.dll Ebodiofk.exe File opened for modification C:\Windows\SysWOW64\Eqdajkkb.exe Enfenplo.exe File created C:\Windows\SysWOW64\Chgdod32.dll Jmhmpb32.exe File created C:\Windows\SysWOW64\Ndbcpd32.exe Nacgdhlp.exe File opened for modification C:\Windows\SysWOW64\Dbfabp32.exe Dogefd32.exe File created C:\Windows\SysWOW64\Knhfdmdo.dll Afohaa32.exe File created C:\Windows\SysWOW64\Hadfjo32.dll Cpnojioo.exe File created C:\Windows\SysWOW64\Ogdafiei.dll Papfegmk.exe File opened for modification C:\Windows\SysWOW64\Aoepcn32.exe Afohaa32.exe File opened for modification C:\Windows\SysWOW64\Nlbeqb32.exe Nehmdhja.exe File created C:\Windows\SysWOW64\Fpebfbaj.dll Naajoinb.exe File opened for modification C:\Windows\SysWOW64\Pnjdhmdo.exe Pogclp32.exe File created C:\Windows\SysWOW64\Ooeggp32.exe Oikojfgk.exe File opened for modification C:\Windows\SysWOW64\Bocolb32.exe Bldcpf32.exe File created C:\Windows\SysWOW64\Dlkepi32.exe Djmicm32.exe File created C:\Windows\SysWOW64\Qffmipmp.dll Enfenplo.exe File created C:\Windows\SysWOW64\Nialog32.exe Najdnj32.exe File created C:\Windows\SysWOW64\Nchnel32.dll Okgnab32.exe File opened for modification C:\Windows\SysWOW64\Qmicohqm.exe Qfokbnip.exe File opened for modification C:\Windows\SysWOW64\Nialog32.exe Najdnj32.exe File opened for modification C:\Windows\SysWOW64\Obafnlpn.exe Okgnab32.exe File opened for modification C:\Windows\SysWOW64\Qcbllb32.exe Qmicohqm.exe File created C:\Windows\SysWOW64\Dpiddoma.dll Cklmgb32.exe File created C:\Windows\SysWOW64\Cnaocmmi.exe Ckccgane.exe File opened for modification C:\Windows\SysWOW64\Lhmjkaoc.exe Leonofpp.exe File opened for modification C:\Windows\SysWOW64\Lbeknj32.exe Lkncmmle.exe File created C:\Windows\SysWOW64\Maoajf32.exe Mihiih32.exe File opened for modification C:\Windows\SysWOW64\Fjaonpnn.exe Ebjglbml.exe File created C:\Windows\SysWOW64\Onqamf32.dll Afcenm32.exe File created C:\Windows\SysWOW64\Hgeegb32.dll Mggpgmof.exe File opened for modification C:\Windows\SysWOW64\Mhbped32.exe Meccii32.exe File created C:\Windows\SysWOW64\Ombapedi.exe Ojcecjee.exe File created C:\Windows\SysWOW64\Cmeidehe.dll Nnennj32.exe File opened for modification C:\Windows\SysWOW64\Qabcjgkh.exe Pikkiijf.exe File created C:\Windows\SysWOW64\Leonofpp.exe Lldlqakb.exe File created C:\Windows\SysWOW64\Lollckbk.exe Lkppbl32.exe File created C:\Windows\SysWOW64\Cfiini32.dll Mhbped32.exe File opened for modification C:\Windows\SysWOW64\Ngnbgplj.exe Naajoinb.exe -
Program crash 1 IoCs
pid pid_target Process 3424 3380 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhdcji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpiipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadfjo32.dll" Cpnojioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cppkph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbeknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amkoie32.dll" Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmqjgdc.dll" Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanjadqp.dll" Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amhpnkch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dliijipn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgicjg32.dll" Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll" Egafleqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqmmidel.dll" Mkclhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moiklogi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pamiog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pikkiijf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inegme32.dll" Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkaflan.dll" Dfoqmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omkepc32.dll" Ndbcpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojfaijcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfoocjfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgcmlcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnnggjm.dll" Jgidao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogblbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpajdp32.dll" Obafnlpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pogclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joliff32.dll" Dlgldibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdpjlajk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojcecjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkdaf32.dll" Pnjdhmdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmhccl32.dll" Behnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkgfckcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfiini32.dll" Mhbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdplfmo.dll" Ahikqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngpolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blpjegfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olkbjhpi.dll" Chnqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpnojioo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmamfo32.dll" Ldidkbpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mggpgmof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfahhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chboohof.dll" Bfcampgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njabih32.dll" Bpnbkeld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edekcace.dll" Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mihiih32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1284 wrote to memory of 1316 1284 d80de9d11528d52093f79c88b9381000_NEIKI.exe 28 PID 1284 wrote to memory of 1316 1284 d80de9d11528d52093f79c88b9381000_NEIKI.exe 28 PID 1284 wrote to memory of 1316 1284 d80de9d11528d52093f79c88b9381000_NEIKI.exe 28 PID 1284 wrote to memory of 1316 1284 d80de9d11528d52093f79c88b9381000_NEIKI.exe 28 PID 1316 wrote to memory of 2364 1316 Icpigm32.exe 29 PID 1316 wrote to memory of 2364 1316 Icpigm32.exe 29 PID 1316 wrote to memory of 2364 1316 Icpigm32.exe 29 PID 1316 wrote to memory of 2364 1316 Icpigm32.exe 29 PID 2364 wrote to memory of 2788 2364 Jmhmpb32.exe 30 PID 2364 wrote to memory of 2788 2364 Jmhmpb32.exe 30 PID 2364 wrote to memory of 2788 2364 Jmhmpb32.exe 30 PID 2364 wrote to memory of 2788 2364 Jmhmpb32.exe 30 PID 2788 wrote to memory of 2708 2788 Jcgogk32.exe 31 PID 2788 wrote to memory of 2708 2788 Jcgogk32.exe 31 PID 2788 wrote to memory of 2708 2788 Jcgogk32.exe 31 PID 2788 wrote to memory of 2708 2788 Jcgogk32.exe 31 PID 2708 wrote to memory of 3036 2708 Jgidao32.exe 32 PID 2708 wrote to memory of 3036 2708 Jgidao32.exe 32 PID 2708 wrote to memory of 3036 2708 Jgidao32.exe 32 PID 2708 wrote to memory of 3036 2708 Jgidao32.exe 32 PID 3036 wrote to memory of 2500 3036 Jbnhng32.exe 33 PID 3036 wrote to memory of 2500 3036 Jbnhng32.exe 33 PID 3036 wrote to memory of 2500 3036 Jbnhng32.exe 33 PID 3036 wrote to memory of 2500 3036 Jbnhng32.exe 33 PID 2500 wrote to memory of 2556 2500 Kjnfniii.exe 34 PID 2500 wrote to memory of 2556 2500 Kjnfniii.exe 34 PID 2500 wrote to memory of 2556 2500 Kjnfniii.exe 34 PID 2500 wrote to memory of 2556 2500 Kjnfniii.exe 34 PID 2556 wrote to memory of 2824 2556 Kfgdhjmk.exe 35 PID 2556 wrote to memory of 2824 2556 Kfgdhjmk.exe 35 PID 2556 wrote to memory of 2824 2556 Kfgdhjmk.exe 35 PID 2556 wrote to memory of 2824 2556 Kfgdhjmk.exe 35 PID 2824 wrote to memory of 1956 2824 Lldlqakb.exe 36 PID 2824 wrote to memory of 1956 2824 Lldlqakb.exe 36 PID 2824 wrote to memory of 1956 2824 Lldlqakb.exe 36 PID 2824 wrote to memory of 1956 2824 Lldlqakb.exe 36 PID 1956 wrote to memory of 2236 1956 Leonofpp.exe 37 PID 1956 wrote to memory of 2236 1956 Leonofpp.exe 37 PID 1956 wrote to memory of 2236 1956 Leonofpp.exe 37 PID 1956 wrote to memory of 2236 1956 Leonofpp.exe 37 PID 2236 wrote to memory of 2404 2236 Lhmjkaoc.exe 38 PID 2236 wrote to memory of 2404 2236 Lhmjkaoc.exe 38 PID 2236 wrote to memory of 2404 2236 Lhmjkaoc.exe 38 PID 2236 wrote to memory of 2404 2236 Lhmjkaoc.exe 38 PID 2404 wrote to memory of 748 2404 Lpdbloof.exe 39 PID 2404 wrote to memory of 748 2404 Lpdbloof.exe 39 PID 2404 wrote to memory of 748 2404 Lpdbloof.exe 39 PID 2404 wrote to memory of 748 2404 Lpdbloof.exe 39 PID 748 wrote to memory of 756 748 Lbcnhjnj.exe 40 PID 748 wrote to memory of 756 748 Lbcnhjnj.exe 40 PID 748 wrote to memory of 756 748 Lbcnhjnj.exe 40 PID 748 wrote to memory of 756 748 Lbcnhjnj.exe 40 PID 756 wrote to memory of 1660 756 Leajdfnm.exe 41 PID 756 wrote to memory of 1660 756 Leajdfnm.exe 41 PID 756 wrote to memory of 1660 756 Leajdfnm.exe 41 PID 756 wrote to memory of 1660 756 Leajdfnm.exe 41 PID 1660 wrote to memory of 2908 1660 Lhpfqama.exe 42 PID 1660 wrote to memory of 2908 1660 Lhpfqama.exe 42 PID 1660 wrote to memory of 2908 1660 Lhpfqama.exe 42 PID 1660 wrote to memory of 2908 1660 Lhpfqama.exe 42 PID 2908 wrote to memory of 2884 2908 Lkncmmle.exe 43 PID 2908 wrote to memory of 2884 2908 Lkncmmle.exe 43 PID 2908 wrote to memory of 2884 2908 Lkncmmle.exe 43 PID 2908 wrote to memory of 2884 2908 Lkncmmle.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\d80de9d11528d52093f79c88b9381000_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\d80de9d11528d52093f79c88b9381000_NEIKI.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:944 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:356 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe33⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe34⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe41⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe42⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe44⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe45⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe46⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe50⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe51⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe55⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe56⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe59⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe60⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe62⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe63⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe66⤵
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe67⤵
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:280 -
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe72⤵
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888 -
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe74⤵PID:2688
-
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe75⤵PID:628
-
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1556 -
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe77⤵PID:1524
-
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe78⤵PID:1776
-
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe79⤵PID:1924
-
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe80⤵PID:2228
-
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Pclfkc32.exeC:\Windows\system32\Pclfkc32.exe82⤵
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Pfjbgnme.exeC:\Windows\system32\Pfjbgnme.exe83⤵PID:1448
-
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe84⤵PID:2084
-
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe85⤵
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe86⤵PID:568
-
C:\Windows\SysWOW64\Pikkiijf.exeC:\Windows\system32\Pikkiijf.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe88⤵
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Qfokbnip.exeC:\Windows\system32\Qfokbnip.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe91⤵PID:1124
-
C:\Windows\SysWOW64\Qfahhm32.exeC:\Windows\system32\Qfahhm32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe93⤵PID:844
-
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe94⤵PID:2992
-
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe96⤵
- Drops file in System32 directory
PID:1120 -
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe97⤵
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1472 -
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe99⤵
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe100⤵
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe101⤵PID:1716
-
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe102⤵PID:2640
-
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe103⤵PID:2128
-
C:\Windows\SysWOW64\Ahikqd32.exeC:\Windows\system32\Ahikqd32.exe104⤵
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe105⤵PID:2508
-
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe106⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Aaaoij32.exeC:\Windows\system32\Aaaoij32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Adpkee32.exeC:\Windows\system32\Adpkee32.exe108⤵PID:536
-
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe109⤵
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe110⤵PID:2952
-
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe111⤵
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Bpgljfbl.exeC:\Windows\system32\Bpgljfbl.exe112⤵
- Drops file in System32 directory
PID:1228 -
C:\Windows\SysWOW64\Bhndldcn.exeC:\Windows\system32\Bhndldcn.exe113⤵PID:1908
-
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe114⤵PID:1512
-
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe115⤵PID:3024
-
C:\Windows\SysWOW64\Bpiipf32.exeC:\Windows\system32\Bpiipf32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2652 -
C:\Windows\SysWOW64\Bfcampgf.exeC:\Windows\system32\Bfcampgf.exe118⤵
- Modifies registry class
PID:692 -
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe119⤵PID:1508
-
C:\Windows\SysWOW64\Bmmiij32.exeC:\Windows\system32\Bmmiij32.exe120⤵PID:2056
-
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2220
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-