Analysis

max time kernel: 120s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 03:23

Behavioral task: behavioral1
Sample: ddde504c0583e4d311ee0dced160d840_NEIKI.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: ddde504c0583e4d311ee0dced160d840_NEIKI.exe
Resource: win10v2004-20240508-en

General

Target: ddde504c0583e4d311ee0dced160d840_NEIKI.exe
Size: 3.7MB
MD5: ddde504c0583e4d311ee0dced160d840
SHA1: 320a3bd0584acc8fbc54ee1aa25e2346b65063bd
SHA256: e6b775bf08aba4cfc47f06eed48eea65937e609820e6ab72d1430567b3804bb9
SHA512: 4f3becc97c06796613bfba81cb6aad38f88268bd25dea5c4179bac0cbcf93ae0259410a2b56d4fbfd5333715716a6c9e17728d09db70b7895759067ade018ba7
SSDEEP: 24576:l6X1q5h3q5hkntq5S6X1q5h3q5htaSHFaZRBEYyqmaf2qwiHPKgRC4gvGZl6snA:l6Gnh6HaSHFaZRBEYyqmS2DiHPKQgm
Malware Config
Signatures
The signature tables below come from behavioral1 (the Windows 7 x64 run); each table is capped at 64 IoCs.

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad (SSODL) when the shell starts, so a value here, paired with an InProcServer32 registration for the same CLSID (see "Modifies registry class" below), loads the dropped DLL into Explorer at every logon. The value name "Web Event Logger" reads like a system component but is set by the dropped executables; the Wow6432Node path shows the writes come from 32-bit processes on the x64 image.
description  ioc  Process
The 64 rows fall into two groups; every row carries one of the two IoCs below.

Key created  \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Process (36 rows): Ikfbbjdj.exe, Djiqdb32.exe, Igebkiof.exe, Gagmbkik.exe, Ablbjj32.exe, Klhemhpk.exe, Oiljam32.exe, Kmqmod32.exe, Fkqlgc32.exe, Ogaeieoj.exe, Pjbjjc32.exe, Cfhkhd32.exe, Gbjpem32.exe, Pfebnmcj.exe, Jcleiclo.exe, Bmcnqama.exe, Gmkjgfmf.exe, Dbabho32.exe, Baclaf32.exe, Ohagbj32.exe, Plndcmmj.exe, Fnmjpk32.exe, Qncfphff.exe, Maefamlh.exe, Mcckcbgp.exe, Pkoicb32.exe, Kimjhnnl.exe, Kjaelaok.exe, Hjgehgnh.exe, Blnpddeo.exe, Eaednh32.exe, Npkdnnfk.exe, Ihnjmf32.exe, Bbmcibjp.exe, Popgboae.exe, Hjipenda.exe

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Process (28 rows): Gagmbkik.exe, Pljcllqe.exe, Qlggjlep.exe, Afcdpi32.exe, Cbblda32.exe, Mokilo32.exe, Ogaeieoj.exe, Amglgn32.exe, Cmpgpond.exe, Igmbgk32.exe, Ifbphh32.exe, Fapgblob.exe, Mpkhoj32.exe, Epeekmjk.exe, Lkicbk32.exe, Hgqlafap.exe, Imokehhl.exe, Lonpma32.exe, Adjhicpo.exe, Kkgopf32.exe, Nhakcfab.exe, Cfhkhd32.exe, Poklngnf.exe, Gdhkfd32.exe, Fkqlgc32.exe, Mgjebg32.exe, Ccmblnif.exe, Lcncpfaf.exe

Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource  yara_rule
All 64 resources below are dropped files from behavioral1 that matched the rule family_berbew:
behavioral1/files/0x0006000000016d4a-143.dat
behavioral1/files/0x0006000000016d89-178.dat
behavioral1/files/0x000600000001704f-183.dat
behavioral1/files/0x000500000001868c-196.dat
behavioral1/files/0x00050000000186a0-209.dat
behavioral1/files/0x0006000000018b42-247.dat
behavioral1/files/0x0006000000018b6a-259.dat
behavioral1/files/0x0006000000018b96-266.dat
behavioral1/files/0x00050000000193b0-319.dat
behavioral1/files/0x000500000001946b-328.dat
behavioral1/files/0x00050000000194a4-343.dat
behavioral1/files/0x00050000000194e8-365.dat
behavioral1/files/0x0005000000019547-408.dat
behavioral1/files/0x00050000000195a2-429.dat
behavioral1/files/0x00050000000195a6-440.dat
behavioral1/files/0x0005000000019bd6-494.dat
behavioral1/files/0x000500000001a31e-570.dat
behavioral1/files/0x000500000001a3cd-593.dat
behavioral1/files/0x000500000001a432-620.dat
behavioral1/files/0x000500000001a445-650.dat
behavioral1/files/0x000500000001a449-663.dat
behavioral1/files/0x000500000001a44d-679.dat
behavioral1/files/0x00050000000195ff-470.dat
behavioral1/files/0x000500000001a455-700.dat
behavioral1/files/0x00050000000195aa-462.dat
behavioral1/files/0x000500000001a459-716.dat
behavioral1/files/0x00050000000195a8-450.dat
behavioral1/files/0x000500000001950c-398.dat
behavioral1/files/0x00040000000194d8-356.dat
behavioral1/files/0x000500000001a465-752.dat
behavioral1/files/0x000500000001a594-873.dat
behavioral1/files/0x000500000001c841-997.dat
behavioral1/files/0x000400000001cccf-1609.dat
behavioral1/files/0x000400000001ce18-1665.dat
behavioral1/files/0x000400000001cfa6-1769.dat
behavioral1/files/0x000400000001d115-1823.dat
behavioral1/files/0x000400000001d338-1903.dat
behavioral1/files/0x000400000001d35c-1981.dat
behavioral1/files/0x000400000001d668-2079.dat
behavioral1/files/0x000400000001d6b6-2093.dat
behavioral1/files/0x000400000001d775-2149.dat
behavioral1/files/0x000400000001d7ca-2157.dat
behavioral1/files/0x000400000001d92b-2255.dat
behavioral1/files/0x000400000001d949-2263.dat
behavioral1/files/0x000400000001d951-2279.dat
behavioral1/files/0x000400000001d955-2287.dat
behavioral1/files/0x000400000001d966-2319.dat
behavioral1/files/0x000400000001d96a-2327.dat
behavioral1/files/0x000400000001d976-2351.dat
behavioral1/files/0x000400000001d962-2311.dat
behavioral1/files/0x000400000001d989-2393.dat
behavioral1/files/0x000400000001d98c-2399.dat
behavioral1/files/0x000400000001d998-2425.dat
behavioral1/files/0x000400000001d99c-2433.dat
behavioral1/files/0x000400000001d9a4-2449.dat
behavioral1/files/0x000400000001d9a8-2457.dat
behavioral1/files/0x000400000001d9ac-2465.dat
behavioral1/files/0x000400000001d9f5-2528.dat
behavioral1/files/0x000400000001d9fd-2537.dat
behavioral1/files/0x000400000001da05-2545.dat
behavioral1/files/0x000400000001da13-2560.dat
behavioral1/files/0x000400000001da0b-2553.dat
behavioral1/files/0x000400000001da20-2575.dat
behavioral1/files/0x000400000001da3c-2592.dat

Executes dropped EXE 64 IoCs
pid  Process
2700  Iamabm32.exe
2556  Iaonhm32.exe
2540  Jpdkii32.exe
2704  Jlmicj32.exe
2424  Jdkjnl32.exe
3012  Kkgopf32.exe
2388  Kgnpeg32.exe
1616  Kceqjhiq.exe
2164  Kjaelaok.exe
1008  Lclgjg32.exe
1032  Lcncpfaf.exe
1048  Mjhhld32.exe
1812  Mmhamoho.exe
1528  Ajmfad32.exe
1920  Afdgfelo.exe
1820  Bmnlbcfg.exe
2984  Chcloo32.exe
1272  Cheido32.exe
2152  Dpqnhadq.exe
1524  Dakmfh32.exe
1792  Egmojnlf.exe
1628  Ggcaiqhj.exe
1752  Gbaken32.exe
1420  Hfpdkl32.exe
2760  Hlafnbal.exe
1744  Hjipenda.exe
1976  Ifoqjo32.exe
2536  Jkkija32.exe
2692  Jjdofm32.exe
2404  Knbhlkkc.exe
532  Klhemhpk.exe
892  Kfpifm32.exe
320  Kdefgj32.exe
2384  Kbigpn32.exe
1948  Lblcfnhj.exe
916  Lghlndfa.exe
1672  Lqqpgj32.exe
2140  Lcaiiejc.exe
2772  Lqejbiim.exe
2300  Lqhfhigj.exe
1336  Micklk32.exe
948  Mkddnf32.exe
1612  Mgjebg32.exe
2268  Meoell32.exe
2628  Maefamlh.exe
2236  Mjnjjbbh.exe
3064  Nhakcfab.exe
1648  Npmphinm.exe
2132  Ndkhngdd.exe
2756  Nfkapb32.exe
1688  Oiljam32.exe
1360  Ohagbj32.exe
2584  Ohcdhi32.exe
1656  Ohfqmi32.exe
1472  Pljcllqe.exe
2952  Poklngnf.exe
1784  Phcpgm32.exe
2444  Pkdihhag.exe
2228  Pldebkhj.exe
1508  Agbpnh32.exe
1592  Agdmdg32.exe
1096  Amcbankf.exe
1028  Bmcnqama.exe
2308  Eknmhk32.exe

Loads dropped DLL 64 IoCs
pid  Process
Each pid is listed twice in the source table (64 rows in total, one per dropped-DLL load):
2492  ddde504c0583e4d311ee0dced160d840_NEIKI.exe
2700  Iamabm32.exe
2556  Iaonhm32.exe
2540  Jpdkii32.exe
2704  Jlmicj32.exe
2424  Jdkjnl32.exe
3012  Kkgopf32.exe
2388  Kgnpeg32.exe
1616  Kceqjhiq.exe
2164  Kjaelaok.exe
1008  Lclgjg32.exe
1032  Lcncpfaf.exe
1048  Mjhhld32.exe
1812  Mmhamoho.exe
1528  Ajmfad32.exe
1920  Afdgfelo.exe
1820  Bmnlbcfg.exe
2984  Chcloo32.exe
1272  Cheido32.exe
2152  Dpqnhadq.exe
1524  Dakmfh32.exe
1792  Egmojnlf.exe
1628  Ggcaiqhj.exe
1752  Gbaken32.exe
1420  Hfpdkl32.exe
2760  Hlafnbal.exe
1744  Hjipenda.exe
1564  Ioakoq32.exe
2536  Jkkija32.exe
2692  Jjdofm32.exe
2404  Knbhlkkc.exe
532  Klhemhpk.exe

Drops file in System32 directory 64 IoCs
Each process in the chain writes the next eight-character executable, and often a DLL with the same naming pattern, into C:\Windows\SysWOW64 (the 32-bit system directory on this x64 image) and then starts it; the writer and the written file share the same random-looking name space, so the file names alone are a usable hunting pattern on this host.
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\Jdkjnl32.exe  Jlmicj32.exe
File created  C:\Windows\SysWOW64\Lcaiiejc.exe  Lqqpgj32.exe
File opened for modification  C:\Windows\SysWOW64\Lcaiiejc.exe  Lqqpgj32.exe
File created  C:\Windows\SysWOW64\Nhkhml32.dll  Lkifkdjm.exe
File created  C:\Windows\SysWOW64\Fmddgg32.exe  Fdlpnamm.exe
File created  C:\Windows\SysWOW64\Djiqdb32.exe  Cfhkhd32.exe
File created  C:\Windows\SysWOW64\Fggmldfp.exe  Fkqlgc32.exe
File created  C:\Windows\SysWOW64\Aqodfpah.dll  Jcleiclo.exe
File created  C:\Windows\SysWOW64\Peblpbgn.dll  Pghfnc32.exe
File opened for modification  C:\Windows\SysWOW64\Cmpgpond.exe  Caifjn32.exe
File created  C:\Windows\SysWOW64\Knqcng32.dll  Ejfbfo32.exe
File opened for modification  C:\Windows\SysWOW64\Kjpceebh.exe  Kaholp32.exe
File opened for modification  C:\Windows\SysWOW64\Ndkhngdd.exe  Npmphinm.exe
File opened for modification  C:\Windows\SysWOW64\Hpbdmo32.exe  Hifpke32.exe
File opened for modification  C:\Windows\SysWOW64\Ompefj32.exe  Ofcqcp32.exe
File created  C:\Windows\SysWOW64\Lhhkapeh.exe  Lopfhk32.exe
File opened for modification  C:\Windows\SysWOW64\Popgboae.exe  Pfebnmcj.exe
File opened for modification  C:\Windows\SysWOW64\Blnpddeo.exe  Bkkgfm32.exe
File created  C:\Windows\SysWOW64\Dipjkn32.exe  Dmijfmfi.exe
File created  C:\Windows\SysWOW64\Ejgicl32.dll  Ckhfpp32.exe
File created  C:\Windows\SysWOW64\Meemgk32.exe  Lljkif32.exe
File opened for modification  C:\Windows\SysWOW64\Mpkhoj32.exe  Mcggef32.exe
File opened for modification  C:\Windows\SysWOW64\Ogdhik32.exe  Oiokholk.exe
File opened for modification  C:\Windows\SysWOW64\Lqqpgj32.exe  Lghlndfa.exe
File created  C:\Windows\SysWOW64\Ohiffh32.exe  Ompefj32.exe
File created  C:\Windows\SysWOW64\Mmichb32.dll  Hgqlafap.exe
File created  C:\Windows\SysWOW64\Phmogdkh.dll  Anbmbi32.exe
File opened for modification  C:\Windows\SysWOW64\Pfnoegaf.exe  Pmfjmake.exe
File opened for modification  C:\Windows\SysWOW64\Pbjifgcd.exe  Plndcmmj.exe
File created  C:\Windows\SysWOW64\Pecelm32.exe  Ogaeieoj.exe
File created  C:\Windows\SysWOW64\Aaaphj32.dll  Bmnlbcfg.exe
File opened for modification  C:\Windows\SysWOW64\Cfhkhd32.exe  Cmpgpond.exe
File opened for modification  C:\Windows\SysWOW64\Ablbjj32.exe  Ajamfh32.exe
File created  C:\Windows\SysWOW64\Fdlpnamm.exe  Fnmjpk32.exe
File created  C:\Windows\SysWOW64\Hkjnenbp.exe  Hmfmkjdf.exe
File created  C:\Windows\SysWOW64\Poklngnf.exe  Pljcllqe.exe
File created  C:\Windows\SysWOW64\Ghfcobil.dll  Ompefj32.exe
File opened for modification  C:\Windows\SysWOW64\Mhhgpc32.exe  Momfan32.exe
File created  C:\Windows\SysWOW64\Dakmfh32.exe  Dpqnhadq.exe
File opened for modification  C:\Windows\SysWOW64\Kfpifm32.exe  Klhemhpk.exe
File created  C:\Windows\SysWOW64\Bbmcibjp.exe  Bmpkqklh.exe
File created  C:\Windows\SysWOW64\Gllnnc32.exe  Gbcien32.exe
File created  C:\Windows\SysWOW64\Mcckcbgp.exe  Mqklqhpg.exe
File created  C:\Windows\SysWOW64\Gaojnq32.exe  Gonale32.exe
File opened for modification  C:\Windows\SysWOW64\Bkkgfm32.exe  Bikjmj32.exe
File created  C:\Windows\SysWOW64\Npkdnnfk.exe  Mnhnfckm.exe
File opened for modification  C:\Windows\SysWOW64\Lblcfnhj.exe  Kbigpn32.exe
File created  C:\Windows\SysWOW64\Ofcqcp32.exe  Nbjeinje.exe
File opened for modification  C:\Windows\SysWOW64\Qjklenpa.exe  Qcogbdkg.exe
File opened for modification  C:\Windows\SysWOW64\Pkoicb32.exe  Pohhna32.exe
File created  C:\Windows\SysWOW64\Phklaacg.exe  Opialpld.exe
File created  C:\Windows\SysWOW64\Jcfoeb32.dll  Phklaacg.exe
File created  C:\Windows\SysWOW64\Ebepdj32.dll  Eimcjl32.exe
File opened for modification  C:\Windows\SysWOW64\Jqpebg32.exe  Jcleiclo.exe
File created  C:\Windows\SysWOW64\Hmecge32.dll  Afbnec32.exe
File opened for modification  C:\Windows\SysWOW64\Kbigpn32.exe  Kdefgj32.exe
File created  C:\Windows\SysWOW64\Ndkhngdd.exe  Npmphinm.exe
File opened for modification  C:\Windows\SysWOW64\Facdgl32.exe  Fapgblob.exe
File opened for modification  C:\Windows\SysWOW64\Baclaf32.exe  Bhkghqpb.exe
File created  C:\Windows\SysWOW64\Hhdkmd32.dll  Klngkfge.exe
File created  C:\Windows\SysWOW64\Hjgehgnh.exe  Hiqoeplo.exe
File created  C:\Windows\SysWOW64\Jmflbo32.dll  Oiokholk.exe
File created  C:\Windows\SysWOW64\Inngpj32.dll  Afpapcnc.exe
File created  C:\Windows\SysWOW64\Hjipenda.exe  Hlafnbal.exe

Modifies registry class 64 IoCs
These rows are the InProcServer32 registration for the CLSID that the SSODL value above points to: the (Default) value names a dropped DLL in C:\Windows\SysWow64 and ThreadingModel is set to Apartment, which is what Explorer needs to create the object in-process. Successive processes in the chain re-point the same CLSID at their own DLL, so on a live host the value reflects whichever link ran last; the 25 DLL names below are all candidates when cleaning up.
description  ioc  Process
All 64 rows touch \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 and fall into three groups.

Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Process (15 rows): Afdgfelo.exe, Opialpld.exe, Lbafdlod.exe, Mhhgpc32.exe, Iikkon32.exe, Admgglep.exe, Blnpddeo.exe, Oiljam32.exe, Dpqnhadq.exe, Kaholp32.exe, Pohhna32.exe, Hkjnenbp.exe, Npkdnnfk.exe, Edlhqlfi.exe, Momfan32.exe

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Process (24 rows): Njmfhe32.exe, Mnhnfckm.exe, Plndcmmj.exe, Ikapdqoc.exe, Cgadja32.exe, Ohcdhi32.exe, Pjleclph.exe, Gefolhja.exe, Bhkghqpb.exe, Jdkjnl32.exe, Klfmijae.exe, Kokmmkcm.exe, Ebqngb32.exe, Afbnec32.exe, Nnbjpqoa.exe, Hhkopj32.exe, Qcogbdkg.exe, Pfkimhhi.exe, Jojkco32.exe, Dipjkn32.exe, Geqlnjcf.exe, Kaholp32.exe, Kmiolk32.exe, Fjhcegll.exe

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\<dll>"
25 rows; the DLL written as the (Default) value and the process that set it:
Neajod32.dll  Lpfnckhe.exe
Jagmhnkn.dll  Lljkif32.exe
Bdkcbpni.dll  Pjbjjc32.exe
Pfjfql32.dll  Fpjaodmj.exe
Ednoihel.dll  Cenljmgq.exe
Bbpiog32.dll  Hlafnbal.exe
Jhmdfm32.dll  Gefolhja.exe
Jpnghhmn.dll  Igebkiof.exe
Cdoime32.dll  Fggmldfp.exe
Gbfaddpc.dll  Mpkhoj32.exe
Hcohnaep.dll  Ohfqmi32.exe
Gpihdl32.dll  Ljfapjbi.exe
Enoopc32.dll  Flocfmnl.exe
Ndjcbk32.dll  Lghlndfa.exe
Ohodgb32.dll  Cggcofkf.exe
Pijjilik.dll  Boljgg32.exe
Epmjjhhd.dll  Pdecoa32.exe
Ekfhjgmd.dll  Bikjmj32.exe
Kjkoop32.dll  Baclaf32.exe
Peapkpkj.dll  Beggec32.exe
Gljmpigg.dll  Momfan32.exe
Agflga32.dll  Pbepkh32.exe
Dodohnaa.dll  Afcdpi32.exe
Ieaiebmn.dll  Dpqnhadq.exe
Jlmock32.dll  Momapqgn.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\ddde504c0583e4d311ee0dced160d840_NEIKI.exe (command line: "C:\Users\Admin\AppData\Local\Temp\ddde504c0583e4d311ee0dced160d840_NEIKI.exe") PID:2492
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\SysWOW64\Iamabm32.exe (command line: C:\Windows\system32\Iamabm32.exe) PID:2700
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\SysWOW64\Iaonhm32.exe (command line: C:\Windows\system32\Iaonhm32.exe) PID:2556
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\SysWOW64\Jpdkii32.exe (command line: C:\Windows\system32\Jpdkii32.exe) PID:2540
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 5: C:\Windows\SysWOW64\Jlmicj32.exe (command line: C:\Windows\system32\Jlmicj32.exe) PID:2704
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Depth 6: C:\Windows\SysWOW64\Jdkjnl32.exe (command line: C:\Windows\system32\Jdkjnl32.exe) PID:2424
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 7: C:\Windows\SysWOW64\Kkgopf32.exe (command line: C:\Windows\system32\Kkgopf32.exe) PID:3012
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 8: C:\Windows\SysWOW64\Kgnpeg32.exe (command line: C:\Windows\system32\Kgnpeg32.exe) PID:2388
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 9: C:\Windows\SysWOW64\Kceqjhiq.exe (command line: C:\Windows\system32\Kceqjhiq.exe) PID:1616
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 10: C:\Windows\SysWOW64\Kjaelaok.exe (command line: C:\Windows\system32\Kjaelaok.exe) PID:2164
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 11: C:\Windows\SysWOW64\Lclgjg32.exe (command line: C:\Windows\system32\Lclgjg32.exe) PID:1008
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 12: C:\Windows\SysWOW64\Lcncpfaf.exe (command line: C:\Windows\system32\Lcncpfaf.exe) PID:1032
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 13: C:\Windows\SysWOW64\Mjhhld32.exe (command line: C:\Windows\system32\Mjhhld32.exe) PID:1048
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 14: C:\Windows\SysWOW64\Mmhamoho.exe (command line: C:\Windows\system32\Mmhamoho.exe) PID:1812
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 15: C:\Windows\SysWOW64\Ajmfad32.exe (command line: C:\Windows\system32\Ajmfad32.exe) PID:1528
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 16: C:\Windows\SysWOW64\Afdgfelo.exe (command line: C:\Windows\system32\Afdgfelo.exe) PID:1920
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 17: C:\Windows\SysWOW64\Bmnlbcfg.exe (command line: C:\Windows\system32\Bmnlbcfg.exe) PID:1820
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
Depth 18: C:\Windows\SysWOW64\Chcloo32.exe (command line: C:\Windows\system32\Chcloo32.exe) PID:2984
- Executes dropped EXE
- Loads dropped DLL
Depth 19: C:\Windows\SysWOW64\Cheido32.exe (command line: C:\Windows\system32\Cheido32.exe) PID:1272
- Executes dropped EXE
- Loads dropped DLL
Depth 20: C:\Windows\SysWOW64\Dpqnhadq.exe (command line: C:\Windows\system32\Dpqnhadq.exe) PID:2152
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
Depth 21: C:\Windows\SysWOW64\Dakmfh32.exe (command line: C:\Windows\system32\Dakmfh32.exe) PID:1524
- Executes dropped EXE
- Loads dropped DLL
Depth 22: C:\Windows\SysWOW64\Egmojnlf.exe (command line: C:\Windows\system32\Egmojnlf.exe) PID:1792
- Executes dropped EXE
- Loads dropped DLL
Depth 23: C:\Windows\SysWOW64\Ggcaiqhj.exe (command line: C:\Windows\system32\Ggcaiqhj.exe) PID:1628
- Executes dropped EXE
- Loads dropped DLL
Depth 24: C:\Windows\SysWOW64\Gbaken32.exe (command line: C:\Windows\system32\Gbaken32.exe) PID:1752
- Executes dropped EXE
- Loads dropped DLL
Depth 25: C:\Windows\SysWOW64\Hfpdkl32.exe (command line: C:\Windows\system32\Hfpdkl32.exe) PID:1420
- Executes dropped EXE
- Loads dropped DLL
Depth 26: C:\Windows\SysWOW64\Hlafnbal.exe (command line: C:\Windows\system32\Hlafnbal.exe) PID:2760
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
Depth 27: C:\Windows\SysWOW64\Hjipenda.exe (command line: C:\Windows\system32\Hjipenda.exe) PID:1744
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
Depth 28: C:\Windows\SysWOW64\Ifoqjo32.exe (command line: C:\Windows\system32\Ifoqjo32.exe) PID:1976
- Executes dropped EXE
Depth 29: C:\Windows\SysWOW64\Ioakoq32.exe (command line: C:\Windows\system32\Ioakoq32.exe) PID:1564
- Loads dropped DLL
Depth 30: C:\Windows\SysWOW64\Jkkija32.exe (command line: C:\Windows\system32\Jkkija32.exe) PID:2536
- Executes dropped EXE
- Loads dropped DLL
Depth 31: C:\Windows\SysWOW64\Jjdofm32.exe (command line: C:\Windows\system32\Jjdofm32.exe) PID:2692
- Executes dropped EXE
- Loads dropped DLL
Depth 32: C:\Windows\SysWOW64\Knbhlkkc.exe (command line: C:\Windows\system32\Knbhlkkc.exe) PID:2404
- Executes dropped EXE
- Loads dropped DLL
Depth 33: C:\Windows\SysWOW64\Klhemhpk.exe (command line: C:\Windows\system32\Klhemhpk.exe) PID:532
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
Depth 34: C:\Windows\SysWOW64\Kfpifm32.exe (command line: C:\Windows\system32\Kfpifm32.exe) PID:892
- Executes dropped EXE
Depth 35: C:\Windows\SysWOW64\Kdefgj32.exe (command line: C:\Windows\system32\Kdefgj32.exe) PID:320
- Executes dropped EXE
- Drops file in System32 directory
Depth 36: C:\Windows\SysWOW64\Kbigpn32.exe (command line: C:\Windows\system32\Kbigpn32.exe) PID:2384
- Executes dropped EXE
- Drops file in System32 directory
Depth 37: C:\Windows\SysWOW64\Lblcfnhj.exe (command line: C:\Windows\system32\Lblcfnhj.exe) PID:1948
- Executes dropped EXE
Depth 38: C:\Windows\SysWOW64\Lghlndfa.exe (command line: C:\Windows\system32\Lghlndfa.exe) PID:916
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
Depth 39: C:\Windows\SysWOW64\Lqqpgj32.exe (command line: C:\Windows\system32\Lqqpgj32.exe) PID:1672
- Executes dropped EXE
- Drops file in System32 directory
Depth 40: C:\Windows\SysWOW64\Lcaiiejc.exe (command line: C:\Windows\system32\Lcaiiejc.exe) PID:2140
- Executes dropped EXE
Depth 41: C:\Windows\SysWOW64\Lqejbiim.exe (command line: C:\Windows\system32\Lqejbiim.exe) PID:2772
- Executes dropped EXE
Depth 42: C:\Windows\SysWOW64\Lqhfhigj.exe (command line: C:\Windows\system32\Lqhfhigj.exe) PID:2300
- Executes dropped EXE
Depth 43: C:\Windows\SysWOW64\Micklk32.exe (command line: C:\Windows\system32\Micklk32.exe) PID:1336
- Executes dropped EXE
Depth 44: C:\Windows\SysWOW64\Mkddnf32.exe (command line: C:\Windows\system32\Mkddnf32.exe) PID:948
- Executes dropped EXE
Depth 45: C:\Windows\SysWOW64\Mgjebg32.exe (command line: C:\Windows\system32\Mgjebg32.exe) PID:1612
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 46: C:\Windows\SysWOW64\Meoell32.exe (command line: C:\Windows\system32\Meoell32.exe) PID:2268
- Executes dropped EXE
Depth 47: C:\Windows\SysWOW64\Maefamlh.exe (command line: C:\Windows\system32\Maefamlh.exe) PID:2628
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 48: C:\Windows\SysWOW64\Mjnjjbbh.exe (command line: C:\Windows\system32\Mjnjjbbh.exe) PID:2236
- Executes dropped EXE
Depth 49: C:\Windows\SysWOW64\Nhakcfab.exe (command line: C:\Windows\system32\Nhakcfab.exe) PID:3064
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 50: C:\Windows\SysWOW64\Npmphinm.exe (command line: C:\Windows\system32\Npmphinm.exe) PID:1648
- Executes dropped EXE
- Drops file in System32 directory
Depth 51: C:\Windows\SysWOW64\Ndkhngdd.exe (command line: C:\Windows\system32\Ndkhngdd.exe) PID:2132
- Executes dropped EXE
Depth 52: C:\Windows\SysWOW64\Nfkapb32.exe (command line: C:\Windows\system32\Nfkapb32.exe) PID:2756
- Executes dropped EXE
Depth 53: C:\Windows\SysWOW64\Oiljam32.exe (command line: C:\Windows\system32\Oiljam32.exe) PID:1688
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
Depth 54: C:\Windows\SysWOW64\Ohagbj32.exe (command line: C:\Windows\system32\Ohagbj32.exe) PID:1360
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 55: C:\Windows\SysWOW64\Ohcdhi32.exe (command line: C:\Windows\system32\Ohcdhi32.exe) PID:2584
- Executes dropped EXE
- Modifies registry class
Depth 56: C:\Windows\SysWOW64\Ohfqmi32.exe (command line: C:\Windows\system32\Ohfqmi32.exe) PID:1656
- Executes dropped EXE
- Modifies registry class
Depth 57: C:\Windows\SysWOW64\Pljcllqe.exe (command line: C:\Windows\system32\Pljcllqe.exe) PID:1472
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
Depth 58: C:\Windows\SysWOW64\Poklngnf.exe (command line: C:\Windows\system32\Poklngnf.exe) PID:2952
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 59: C:\Windows\SysWOW64\Phcpgm32.exe (command line: C:\Windows\system32\Phcpgm32.exe) PID:1784
- Executes dropped EXE
Depth 60: C:\Windows\SysWOW64\Pkdihhag.exe (command line: C:\Windows\system32\Pkdihhag.exe) PID:2444
- Executes dropped EXE
Depth 61: C:\Windows\SysWOW64\Pldebkhj.exe (command line: C:\Windows\system32\Pldebkhj.exe) PID:2228
- Executes dropped EXE
Depth 62: C:\Windows\SysWOW64\Agbpnh32.exe (command line: C:\Windows\system32\Agbpnh32.exe) PID:1508
- Executes dropped EXE
Depth 63: C:\Windows\SysWOW64\Agdmdg32.exe (command line: C:\Windows\system32\Agdmdg32.exe) PID:1592
- Executes dropped EXE
Depth 64: C:\Windows\SysWOW64\Amcbankf.exe (command line: C:\Windows\system32\Amcbankf.exe) PID:1096
- Executes dropped EXE
Depth 65: C:\Windows\SysWOW64\Bmcnqama.exe (command line: C:\Windows\system32\Bmcnqama.exe) PID:1028
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 66: C:\Windows\SysWOW64\Eknmhk32.exe (command line: C:\Windows\system32\Eknmhk32.exe) PID:2308
- Executes dropped EXE
Depth 67: C:\Windows\SysWOW64\Fhdjgoha.exe (command line: C:\Windows\system32\Fhdjgoha.exe) PID:2836
Depth 68: C:\Windows\SysWOW64\Fjhcegll.exe (command line: C:\Windows\system32\Fjhcegll.exe) PID:1388
- Modifies registry class
Depth 69: C:\Windows\SysWOW64\Fmkilb32.exe (command line: C:\Windows\system32\Fmkilb32.exe) PID:2360
Depth 70: C:\Windows\SysWOW64\Gdhkfd32.exe (command line: C:\Windows\system32\Gdhkfd32.exe) PID:2592
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 71: C:\Windows\SysWOW64\Gfhgpg32.exe (command line: C:\Windows\system32\Gfhgpg32.exe) PID:1144
Depth 72: C:\Windows\SysWOW64\Hcigco32.exe (command line: C:\Windows\system32\Hcigco32.exe) PID:1848
Depth 73: C:\Windows\SysWOW64\Hifpke32.exe (command line: C:\Windows\system32\Hifpke32.exe) PID:2028
- Drops file in System32 directory
Depth 74: C:\Windows\SysWOW64\Hpbdmo32.exe (command line: C:\Windows\system32\Hpbdmo32.exe) PID:3048
Depth 75: C:\Windows\SysWOW64\Imokehhl.exe (command line: C:\Windows\system32\Imokehhl.exe) PID:2168
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 76: C:\Windows\SysWOW64\Idkpganf.exe (command line: C:\Windows\system32\Idkpganf.exe) PID:2436
Depth 77: C:\Windows\SysWOW64\Ijehdl32.exe (command line: C:\Windows\system32\Ijehdl32.exe) PID:1776
Depth 78: C:\Windows\SysWOW64\Jojkco32.exe (command line: C:\Windows\system32\Jojkco32.exe) PID:964
- Modifies registry class
Depth 79: C:\Windows\SysWOW64\Kgnbnpkp.exe (command line: C:\Windows\system32\Kgnbnpkp.exe) PID:1620
Depth 80: C:\Windows\SysWOW64\Klngkfge.exe (command line: C:\Windows\system32\Klngkfge.exe) PID:1712
- Drops file in System32 directory
Depth 81: C:\Windows\SysWOW64\Lonpma32.exe (command line: C:\Windows\system32\Lonpma32.exe) PID:1988
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 82: C:\Windows\SysWOW64\Ljfapjbi.exe (command line: C:\Windows\system32\Ljfapjbi.exe) PID:2908
- Modifies registry class
Depth 83: C:\Windows\SysWOW64\Lbafdlod.exe (command line: C:\Windows\system32\Lbafdlod.exe) PID:2240
- Modifies registry class
Depth 84: C:\Windows\SysWOW64\Mqklqhpg.exe (command line: C:\Windows\system32\Mqklqhpg.exe) PID:2708
- Drops file in System32 directory
Depth 85: C:\Windows\SysWOW64\Mcckcbgp.exe (command line: C:\Windows\system32\Mcckcbgp.exe) PID:2432
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 86: C:\Windows\SysWOW64\Nbjeinje.exe (command line: C:\Windows\system32\Nbjeinje.exe) PID:1916
- Drops file in System32 directory
Depth 87: C:\Windows\SysWOW64\Ofcqcp32.exe (command line: C:\Windows\system32\Ofcqcp32.exe) PID:1972
- Drops file in System32 directory
Depth 88: C:\Windows\SysWOW64\Ompefj32.exe (command line: C:\Windows\system32\Ompefj32.exe) PID:1808
- Drops file in System32 directory
Depth 89: C:\Windows\SysWOW64\Ohiffh32.exe (command line: C:\Windows\system32\Ohiffh32.exe) PID:1980
Depth 90: C:\Windows\SysWOW64\Pohhna32.exe (command line: C:\Windows\system32\Pohhna32.exe) PID:1252
- Drops file in System32 directory
- Modifies registry class
Depth 91: C:\Windows\SysWOW64\Pkoicb32.exe (command line: C:\Windows\system32\Pkoicb32.exe) PID:3040
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 92: C:\Windows\SysWOW64\Pghfnc32.exe (command line: C:\Windows\system32\Pghfnc32.exe) PID:820
- Drops file in System32 directory
Depth 93: C:\Windows\SysWOW64\Qcogbdkg.exe (command line: C:\Windows\system32\Qcogbdkg.exe) PID:760
- Drops file in System32 directory
- Modifies registry class
Depth 94: C:\Windows\SysWOW64\Qjklenpa.exe (command line: C:\Windows\system32\Qjklenpa.exe) PID:2604
Depth 95: C:\Windows\SysWOW64\Accqnc32.exe (command line: C:\Windows\system32\Accqnc32.exe) PID:2888
Depth 96: C:\Windows\SysWOW64\Apgagg32.exe (command line: C:\Windows\system32\Apgagg32.exe) PID:2780
Depth 97: C:\Windows\SysWOW64\Ajpepm32.exe (command line: C:\Windows\system32\Ajpepm32.exe) PID:2736
Depth 98: C:\Windows\SysWOW64\Aomnhd32.exe (command line: C:\Windows\system32\Aomnhd32.exe) PID:1468
Depth 99: C:\Windows\SysWOW64\Aficjnpm.exe (command line: C:\Windows\system32\Aficjnpm.exe) PID:1716
Depth 100: C:\Windows\SysWOW64\Aqbdkk32.exe (command line: C:\Windows\system32\Aqbdkk32.exe) PID:1768
Depth 101: C:\Windows\SysWOW64\Bkhhhd32.exe (command line: C:\Windows\system32\Bkhhhd32.exe) PID:2124
Depth 102: C:\Windows\SysWOW64\Bccmmf32.exe (command line: C:\Windows\system32\Bccmmf32.exe) PID:2256
Depth 103: C:\Windows\SysWOW64\Bmlael32.exe (command line: C:\Windows\system32\Bmlael32.exe) PID:1548
Depth 104: C:\Windows\SysWOW64\Bgaebe32.exe (command line: C:\Windows\system32\Bgaebe32.exe) PID:2504
Depth 105: C:\Windows\SysWOW64\Boljgg32.exe (command line: C:\Windows\system32\Boljgg32.exe) PID:2480
- Modifies registry class
Depth 106: C:\Windows\SysWOW64\Bmpkqklh.exe (command line: C:\Windows\system32\Bmpkqklh.exe) PID:540
- Drops file in System32 directory
Depth 107: C:\Windows\SysWOW64\Bbmcibjp.exe (command line: C:\Windows\system32\Bbmcibjp.exe) PID:1924
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 108: C:\Windows\SysWOW64\Bkegah32.exe (command line: C:\Windows\system32\Bkegah32.exe) PID:1832
Depth 109: C:\Windows\SysWOW64\Cenljmgq.exe (command line: C:\Windows\system32\Cenljmgq.exe) PID:1584
- Modifies registry class
Depth 110: C:\Windows\SysWOW64\Cbblda32.exe (command line: C:\Windows\system32\Cbblda32.exe) PID:2272
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 111: C:\Windows\SysWOW64\Cnimiblo.exe (command line: C:\Windows\system32\Cnimiblo.exe) PID:2848
Depth 112: C:\Windows\SysWOW64\Caifjn32.exe (command line: C:\Windows\system32\Caifjn32.exe) PID:2948
- Drops file in System32 directory
Depth 113: C:\Windows\SysWOW64\Cmpgpond.exe (command line: C:\Windows\system32\Cmpgpond.exe) PID:2412
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
Depth 114: C:\Windows\SysWOW64\Cfhkhd32.exe (command line: C:\Windows\system32\Cfhkhd32.exe) PID:3032
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
Depth 115: C:\Windows\SysWOW64\Djiqdb32.exe (command line: C:\Windows\system32\Djiqdb32.exe) PID:896
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 116: C:\Windows\SysWOW64\Dbdehdfc.exe (command line: C:\Windows\system32\Dbdehdfc.exe) PID:1816
Depth 117: C:\Windows\SysWOW64\Dmijfmfi.exe (command line: C:\Windows\system32\Dmijfmfi.exe) PID:680
- Drops file in System32 directory
Depth 118: C:\Windows\SysWOW64\Dipjkn32.exe (command line: C:\Windows\system32\Dipjkn32.exe) PID:2792
- Modifies registry class
Depth 119: C:\Windows\SysWOW64\Dbiocd32.exe (command line: C:\Windows\system32\Dbiocd32.exe) PID:2472
Depth 120: C:\Windows\SysWOW64\Eopphehb.exe (command line: C:\Windows\system32\Eopphehb.exe) PID:924
Depth 121: C:\Windows\SysWOW64\Edlhqlfi.exe (command line: C:\Windows\system32\Edlhqlfi.exe) PID:1748
- Modifies registry class
Depth 122: C:\Windows\SysWOW64\Eoblnd32.exe (command line: C:\Windows\system32\Eoblnd32.exe) PID:1296