Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
130s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 19:40
Behavioral task
behavioral1
Sample
137bfa54b104ff2fe224bc608433c850_NEIKI.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
137bfa54b104ff2fe224bc608433c850_NEIKI.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
137bfa54b104ff2fe224bc608433c850_NEIKI.exe
-
Size
176KB
-
MD5
137bfa54b104ff2fe224bc608433c850
-
SHA1
9a16a22767f1f35f442db80c4df1db04adfde72c
-
SHA256
905462673256d0232f6855b843f81b19f63cf0f83d28d8e3043115aeb20febe5
-
SHA512
602f1edd100d4cff6999b65ac032c368d60e8324e1b49d8c81c35297343d7a05a4fa1dfc2576dbadf910afd5a9b15526426aa7dfe3873c1a6057173e9a3982cf
-
SSDEEP
3072:w3gwtrT36ripvRO1cjENRZ9wmAOIayGsOOJF4EISi/i4gG4npAjmA39QQIckJI:w39rb6ripvRO1nTZ9EaUn4yjK99QQd
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejjqeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efpajh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kipabjil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojopad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aldomc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cknnpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eckonn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbllbibl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eadopc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcpclbfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chjaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdiooblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjpiha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdbcano.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abngjnmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dofpgqji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpaifalo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aabmqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcbnejem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnmopdep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifjodl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jibeql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlaml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lalcng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkgmcjld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpjqhgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndkahnhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkceffcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fohoigfh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakaql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Majopeii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pengdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abkjdnoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adcmmeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhidjpqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpnhekgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmioonpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocqnij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmemac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eodlho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpemacql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dchbhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcpapkgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjbke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceaehfjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccjfgphj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obidhaog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fokbim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhlocipo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmkdlkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncgkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beeflhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffddka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hflcbngh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klljnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemcgmak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgcbgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imbaemhc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkbebbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aanjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caimgncj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bobcpmfc.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/4052-0-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000c000000023b34-6.dat family_berbew behavioral2/memory/2568-8-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023b92-14.dat family_berbew behavioral2/memory/1104-15-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023b94-22.dat family_berbew behavioral2/memory/4016-24-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023b96-30.dat family_berbew behavioral2/memory/3212-32-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023b98-38.dat family_berbew behavioral2/memory/4436-39-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023b9a-46.dat family_berbew behavioral2/memory/2144-47-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/memory/1200-56-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023b9c-55.dat family_berbew behavioral2/files/0x000a000000023b9e-62.dat family_berbew behavioral2/memory/3236-64-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023ba0-70.dat family_berbew behavioral2/memory/1672-72-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023ba2-79.dat family_berbew behavioral2/files/0x000a000000023ba4-86.dat family_berbew behavioral2/memory/3000-85-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/memory/2964-87-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023ba6-94.dat family_berbew behavioral2/memory/1356-96-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023ba8-102.dat family_berbew behavioral2/memory/4820-103-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023baa-110.dat family_berbew behavioral2/memory/2724-112-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023bad-118.dat family_berbew behavioral2/memory/3232-120-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023baf-126.dat family_berbew behavioral2/memory/2496-127-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023bb1-134.dat family_berbew behavioral2/memory/1628-136-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023bb3-142.dat family_berbew behavioral2/memory/4432-144-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023bb5-151.dat family_berbew behavioral2/files/0x0031000000023bb7-158.dat family_berbew behavioral2/files/0x000a000000023bb9-165.dat family_berbew behavioral2/memory/2372-176-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023bbd-182.dat family_berbew behavioral2/memory/532-188-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023bbf-190.dat family_berbew behavioral2/files/0x000a000000023bbb-175.dat family_berbew behavioral2/memory/4956-173-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/memory/856-172-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/memory/1820-157-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/memory/1520-192-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000b000000023b8e-199.dat family_berbew behavioral2/files/0x000a000000023bc2-206.dat family_berbew behavioral2/memory/3448-205-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/memory/5068-213-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023bc4-214.dat family_berbew behavioral2/memory/3640-216-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023bc6-223.dat family_berbew behavioral2/memory/1636-224-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023bc8-231.dat family_berbew behavioral2/memory/4324-237-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023bca-238.dat family_berbew behavioral2/memory/1196-239-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/memory/64-252-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x000a000000023bcc-247.dat family_berbew behavioral2/files/0x000a000000023bce-255.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2568 Bifbbllg.exe 1104 Bockjc32.exe 4016 Bemcgmak.exe 3212 Bhlocipo.exe 4436 Boegpc32.exe 2144 Bikkml32.exe 1200 Cohdebfi.exe 3236 Cccpfa32.exe 1672 Cpgqpe32.exe 3000 Cojqkbdf.exe 2964 Caimgncj.exe 1356 Clnadfbp.exe 4820 Commqb32.exe 2724 Cakjmm32.exe 3232 Clqnjf32.exe 2496 Ccjfgphj.exe 1628 Cidncj32.exe 4432 Coagla32.exe 1820 Capchmmb.exe 856 Digkijmd.exe 4956 Dhjkdg32.exe 2372 Dlegeemh.exe 532 Dcopbp32.exe 1520 Dabpnlkp.exe 3448 Dhlhjf32.exe 5068 Dofpgqji.exe 3640 Djlddi32.exe 1636 Dpemacql.exe 4324 Dcdimopp.exe 1196 Dagiil32.exe 64 Dokjbp32.exe 3408 Dcfebonm.exe 1284 Dlojkddn.exe 4292 Dpjflb32.exe 2040 Dchbhn32.exe 3432 Efgodj32.exe 4460 Ehekqe32.exe 1804 Epmcab32.exe 2388 Eckonn32.exe 976 Ebnoikqb.exe 4692 Ejegjh32.exe 3340 Elccfc32.exe 536 Ecmlcmhe.exe 1484 Eflhoigi.exe 868 Ehjdldfl.exe 4624 Eleplc32.exe 4364 Eodlho32.exe 1232 Ebbidj32.exe 2280 Ejjqeg32.exe 2104 Ehlaaddj.exe 3520 Eqciba32.exe 4264 Ecbenm32.exe 3224 Efpajh32.exe 3880 Ehonfc32.exe 1464 Emjjgbjp.exe 4668 Eoifcnid.exe 4084 Fbgbpihg.exe 4652 Fjnjqfij.exe 3128 Fhajlc32.exe 1480 Fokbim32.exe 2348 Fcgoilpj.exe 3388 Ficgacna.exe 3528 Fqkocpod.exe 4880 Fbllkh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fkalchij.exe Fhcpgmjf.exe File created C:\Windows\SysWOW64\Fgnjkdco.dll Balfaiil.exe File opened for modification C:\Windows\SysWOW64\Camphf32.exe Cbjoljdo.exe File created C:\Windows\SysWOW64\Aabmqd32.exe Acnlgp32.exe File created C:\Windows\SysWOW64\Dakipgan.dll Kbhoqj32.exe File opened for modification C:\Windows\SysWOW64\Dpjflb32.exe Dlojkddn.exe File opened for modification C:\Windows\SysWOW64\Jpnchp32.exe Jcgbco32.exe File opened for modification C:\Windows\SysWOW64\Bemcgmak.exe Bockjc32.exe File opened for modification C:\Windows\SysWOW64\Eabbjc32.exe Eocenh32.exe File created C:\Windows\SysWOW64\Aogmoeik.dll Ffddka32.exe File created C:\Windows\SysWOW64\Hfnphn32.exe Hcpclbfa.exe File created C:\Windows\SysWOW64\Acocaf32.exe Aaqgek32.exe File created C:\Windows\SysWOW64\Hmcojh32.exe Hfifmnij.exe File created C:\Windows\SysWOW64\Hioiji32.exe Hfqlnm32.exe File created C:\Windows\SysWOW64\Hmioonpn.exe Hfofbd32.exe File created C:\Windows\SysWOW64\Ldkojb32.exe Lalcng32.exe File created C:\Windows\SysWOW64\Aahamf32.dll Acocaf32.exe File created C:\Windows\SysWOW64\Jmbdbd32.exe Jpnchp32.exe File opened for modification C:\Windows\SysWOW64\Fbqefhpm.exe Fqohnp32.exe File created C:\Windows\SysWOW64\Eekaebcm.exe Eapedd32.exe File opened for modification C:\Windows\SysWOW64\Ffddka32.exe Fcfhof32.exe File created C:\Windows\SysWOW64\Njohbh32.dll Ibjjhn32.exe File created C:\Windows\SysWOW64\Hapaemll.exe Hihicplj.exe File opened for modification C:\Windows\SysWOW64\Gpnhekgl.exe Gfedle32.exe File created C:\Windows\SysWOW64\Jpgdbg32.exe Imihfl32.exe File opened for modification C:\Windows\SysWOW64\Lcmofolg.exe Ldkojb32.exe File created C:\Windows\SysWOW64\Nbmelbid.exe Njfmke32.exe File created C:\Windows\SysWOW64\Ceipnc32.dll Qjpiha32.exe File created C:\Windows\SysWOW64\Kfankifm.exe Klljnp32.exe File created C:\Windows\SysWOW64\Cgfgaq32.dll Nkncdifl.exe File created C:\Windows\SysWOW64\Hodgkc32.exe Hmfkoh32.exe File created C:\Windows\SysWOW64\Ebinhj32.dll Mpjlklok.exe File created C:\Windows\SysWOW64\Cqncfneo.dll Kgmlkp32.exe File opened for modification C:\Windows\SysWOW64\Nqklmpdd.exe Nnmopdep.exe File created C:\Windows\SysWOW64\Chpada32.exe Ceaehfjj.exe File created C:\Windows\SysWOW64\Bkomqm32.dll Gbgdlq32.exe File created C:\Windows\SysWOW64\Lifenaok.dll Mpkbebbf.exe File created C:\Windows\SysWOW64\Lpkman32.dll Peljol32.exe File created C:\Windows\SysWOW64\Abkjdnoa.exe Ajdbcano.exe File opened for modification C:\Windows\SysWOW64\Iefioj32.exe Hcdmga32.exe File opened for modification C:\Windows\SysWOW64\Gppekj32.exe Gifmnpnl.exe File created C:\Windows\SysWOW64\Oahicipe.dll Aabmqd32.exe File created C:\Windows\SysWOW64\Ojgbfocc.exe Oponmilc.exe File opened for modification C:\Windows\SysWOW64\Qgcbgo32.exe Qmmnjfnl.exe File opened for modification C:\Windows\SysWOW64\Dhocqigp.exe Dogogcpo.exe File created C:\Windows\SysWOW64\Kflflhfg.dll Imgkql32.exe File created C:\Windows\SysWOW64\Oijgnaaa.dll Fbnafb32.exe File opened for modification C:\Windows\SysWOW64\Lphoelqn.exe Lgokmgjm.exe File created C:\Windows\SysWOW64\Nnneknob.exe Nfgmjqop.exe File opened for modification C:\Windows\SysWOW64\Febgea32.exe Fohoigfh.exe File opened for modification C:\Windows\SysWOW64\Cidncj32.exe Ccjfgphj.exe File created C:\Windows\SysWOW64\Bbgkjl32.dll Lcdegnep.exe File created C:\Windows\SysWOW64\Colffknh.exe Clnjjpod.exe File created C:\Windows\SysWOW64\Ecaobgnf.dll Mgagbf32.exe File created C:\Windows\SysWOW64\Ojhiqefo.exe Okeieh32.exe File created C:\Windows\SysWOW64\Imbaemhc.exe Ijdeiaio.exe File opened for modification C:\Windows\SysWOW64\Emjjgbjp.exe Ehonfc32.exe File opened for modification C:\Windows\SysWOW64\Jigollag.exe Jfhbppbc.exe File opened for modification C:\Windows\SysWOW64\Nacbfdao.exe Njljefql.exe File opened for modification C:\Windows\SysWOW64\Mkgmcjld.exe Mcpebmkb.exe File opened for modification C:\Windows\SysWOW64\Ceaehfjj.exe Cbcilkjg.exe File opened for modification C:\Windows\SysWOW64\Bchomn32.exe Bnkgeg32.exe File created C:\Windows\SysWOW64\Fhajlc32.exe Fjnjqfij.exe File created C:\Windows\SysWOW64\Eckonn32.exe Epmcab32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12512 12432 WerFault.exe 613 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfkoeppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdcekmm.dll" Fbgbpihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgjfkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddjejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnbbbabh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbjoljdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beihma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbllkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll" Jfhbppbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpojcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndidbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baaplhef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clpgpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkooklb.dll" Gfngap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll" Liekmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doeiljfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klljnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll" Gifmnpnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpenfjad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obangb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmogab32.dll" Dlgmpogj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agglboim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjhmgeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehjdldfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcbahlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmidh32.dll" Obangb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eflhoigi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll" Dopigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll" Jpnchp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll" Haggelfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejegjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcbnejem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpnfbohh.dll" Pbpjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahkobekf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkffk32.dll" Fchddejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll" Nnmopdep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqklmpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Likjcbkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aabmqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdiklqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccjfgphj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmgdgjek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbimoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdkldb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acnlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhilofo.dll" Eodlho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll" Kagichjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncbknfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hapaemll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll" Mdiklqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejjqeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghekack.dll" Fqohnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll" Majopeii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojopad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll" Jdmcidam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll" Iffmccbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odgqdlnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckcgkldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gibgla32.dll" Capchmmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcebhoii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cccpfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaelmc32.dll" Ajkhdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckedalaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbkhfc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4052 wrote to memory of 2568 4052 137bfa54b104ff2fe224bc608433c850_NEIKI.exe 85 PID 4052 wrote to memory of 2568 4052 137bfa54b104ff2fe224bc608433c850_NEIKI.exe 85 PID 4052 wrote to memory of 2568 4052 137bfa54b104ff2fe224bc608433c850_NEIKI.exe 85 PID 2568 wrote to memory of 1104 2568 Bifbbllg.exe 86 PID 2568 wrote to memory of 1104 2568 Bifbbllg.exe 86 PID 2568 wrote to memory of 1104 2568 Bifbbllg.exe 86 PID 1104 wrote to memory of 4016 1104 Bockjc32.exe 87 PID 1104 wrote to memory of 4016 1104 Bockjc32.exe 87 PID 1104 wrote to memory of 4016 1104 Bockjc32.exe 87 PID 4016 wrote to memory of 3212 4016 Bemcgmak.exe 88 PID 4016 wrote to memory of 3212 4016 Bemcgmak.exe 88 PID 4016 wrote to memory of 3212 4016 Bemcgmak.exe 88 PID 3212 wrote to memory of 4436 3212 Bhlocipo.exe 89 PID 3212 wrote to memory of 4436 3212 Bhlocipo.exe 89 PID 3212 wrote to memory of 4436 3212 Bhlocipo.exe 89 PID 4436 wrote to memory of 2144 4436 Boegpc32.exe 90 PID 4436 wrote to memory of 2144 4436 Boegpc32.exe 90 PID 4436 wrote to memory of 2144 4436 Boegpc32.exe 90 PID 2144 wrote to memory of 1200 2144 Bikkml32.exe 91 PID 2144 wrote to memory of 1200 2144 Bikkml32.exe 91 PID 2144 wrote to memory of 1200 2144 Bikkml32.exe 91 PID 1200 wrote to memory of 3236 1200 Cohdebfi.exe 92 PID 1200 wrote to memory of 3236 1200 Cohdebfi.exe 92 PID 1200 wrote to memory of 3236 1200 Cohdebfi.exe 92 PID 3236 wrote to memory of 1672 3236 Cccpfa32.exe 93 PID 3236 wrote to memory of 1672 3236 Cccpfa32.exe 93 PID 3236 wrote to memory of 1672 3236 Cccpfa32.exe 93 PID 1672 wrote to memory of 3000 1672 Cpgqpe32.exe 94 PID 1672 wrote to memory of 3000 1672 Cpgqpe32.exe 94 PID 1672 wrote to memory of 3000 1672 Cpgqpe32.exe 94 PID 3000 wrote to memory of 2964 3000 Cojqkbdf.exe 95 PID 3000 wrote to memory of 2964 3000 Cojqkbdf.exe 95 PID 3000 wrote to memory of 2964 3000 Cojqkbdf.exe 95 PID 2964 wrote to memory of 1356 2964 Caimgncj.exe 97 PID 2964 wrote to memory of 1356 2964 Caimgncj.exe 97 PID 2964 wrote to memory of 1356 2964 Caimgncj.exe 97 PID 1356 wrote to memory of 4820 1356 Clnadfbp.exe 98 PID 1356 wrote to memory of 4820 1356 Clnadfbp.exe 98 PID 1356 wrote to memory of 4820 1356 Clnadfbp.exe 98 PID 4820 wrote to memory of 2724 4820 Commqb32.exe 99 PID 4820 wrote to memory of 2724 4820 Commqb32.exe 99 PID 4820 wrote to memory of 2724 4820 Commqb32.exe 99 PID 2724 wrote to memory of 3232 2724 Cakjmm32.exe 100 PID 2724 wrote to memory of 3232 2724 Cakjmm32.exe 100 PID 2724 wrote to memory of 3232 2724 Cakjmm32.exe 100 PID 3232 wrote to memory of 2496 3232 Clqnjf32.exe 101 PID 3232 wrote to memory of 2496 3232 Clqnjf32.exe 101 PID 3232 wrote to memory of 2496 3232 Clqnjf32.exe 101 PID 2496 wrote to memory of 1628 2496 Ccjfgphj.exe 102 PID 2496 wrote to memory of 1628 2496 Ccjfgphj.exe 102 PID 2496 wrote to memory of 1628 2496 Ccjfgphj.exe 102 PID 1628 wrote to memory of 4432 1628 Cidncj32.exe 103 PID 1628 wrote to memory of 4432 1628 Cidncj32.exe 103 PID 1628 wrote to memory of 4432 1628 Cidncj32.exe 103 PID 4432 wrote to memory of 1820 4432 Coagla32.exe 104 PID 4432 wrote to memory of 1820 4432 Coagla32.exe 104 PID 4432 wrote to memory of 1820 4432 Coagla32.exe 104 PID 1820 wrote to memory of 856 1820 Capchmmb.exe 105 PID 1820 wrote to memory of 856 1820 Capchmmb.exe 105 PID 1820 wrote to memory of 856 1820 Capchmmb.exe 105 PID 856 wrote to memory of 4956 856 Digkijmd.exe 106 PID 856 wrote to memory of 4956 856 Digkijmd.exe 106 PID 856 wrote to memory of 4956 856 Digkijmd.exe 106 PID 4956 wrote to memory of 2372 4956 Dhjkdg32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\137bfa54b104ff2fe224bc608433c850_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\137bfa54b104ff2fe224bc608433c850_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\Bifbbllg.exeC:\Windows\system32\Bifbbllg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Bockjc32.exeC:\Windows\system32\Bockjc32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Bemcgmak.exeC:\Windows\system32\Bemcgmak.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Bhlocipo.exeC:\Windows\system32\Bhlocipo.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Boegpc32.exeC:\Windows\system32\Boegpc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Bikkml32.exeC:\Windows\system32\Bikkml32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Cohdebfi.exeC:\Windows\system32\Cohdebfi.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Cccpfa32.exeC:\Windows\system32\Cccpfa32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Cojqkbdf.exeC:\Windows\system32\Cojqkbdf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Caimgncj.exeC:\Windows\system32\Caimgncj.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Clnadfbp.exeC:\Windows\system32\Clnadfbp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Clqnjf32.exeC:\Windows\system32\Clqnjf32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Coagla32.exeC:\Windows\system32\Coagla32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Capchmmb.exeC:\Windows\system32\Capchmmb.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe23⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe24⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Dabpnlkp.exeC:\Windows\system32\Dabpnlkp.exe25⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe26⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe28⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe30⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe31⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe32⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe33⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Dlojkddn.exeC:\Windows\system32\Dlojkddn.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe35⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe37⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe38⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe41⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:4692 -
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe43⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe44⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe47⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4364 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe49⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe51⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe52⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe53⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3880 -
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe56⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe57⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:4084 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4652 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe60⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe62⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe63⤵PID:4440
-
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe64⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe65⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:4880 -
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe67⤵PID:916
-
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe68⤵PID:4100
-
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe69⤵PID:4696
-
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe70⤵PID:4664
-
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe71⤵PID:4892
-
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe72⤵PID:4316
-
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe74⤵PID:4308
-
C:\Windows\SysWOW64\Fjhmgeao.exeC:\Windows\system32\Fjhmgeao.exe75⤵
- Modifies registry class
PID:412 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe76⤵PID:2016
-
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4412 -
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe78⤵PID:4500
-
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe79⤵PID:1940
-
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe80⤵PID:4344
-
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5148 -
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe82⤵PID:5180
-
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe83⤵PID:5236
-
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe84⤵PID:5280
-
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe85⤵PID:5320
-
C:\Windows\SysWOW64\Gmmocpjk.exeC:\Windows\system32\Gmmocpjk.exe86⤵PID:5364
-
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe87⤵PID:5412
-
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe88⤵
- Drops file in System32 directory
PID:5464 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5508 -
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:5596 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe91⤵PID:5804
-
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe92⤵
- Drops file in System32 directory
PID:5880 -
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe93⤵
- Modifies registry class
PID:5916 -
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe94⤵PID:5964
-
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe95⤵PID:6008
-
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe96⤵PID:6052
-
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe97⤵PID:6092
-
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe98⤵
- Modifies registry class
PID:6136 -
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe99⤵
- Drops file in System32 directory
PID:5176 -
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5200 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe101⤵PID:5260
-
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe102⤵PID:5292
-
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe103⤵PID:3244
-
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe104⤵
- Modifies registry class
PID:5436 -
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe105⤵PID:5524
-
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe106⤵PID:5624
-
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5668 -
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe108⤵PID:5716
-
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe109⤵
- Modifies registry class
PID:5744 -
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe110⤵PID:5796
-
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5752 -
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe112⤵PID:5912
-
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe113⤵PID:5972
-
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe114⤵
- Drops file in System32 directory
PID:6036 -
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6112 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe116⤵PID:5172
-
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe117⤵PID:3668
-
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe118⤵PID:5308
-
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe119⤵PID:5484
-
C:\Windows\SysWOW64\Imdnklfp.exeC:\Windows\system32\Imdnklfp.exe120⤵PID:5612
-
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe121⤵PID:5740
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-