Analysis
- max time kernel: 111s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/05/2024, 20:32
Behavioral task: behavioral1
- Sample: 2769a462097b1498962013ea66fd6970_NEIKI.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2769a462097b1498962013ea66fd6970_NEIKI.exe
- Resource: win10v2004-20240226-en
General
- Target: 2769a462097b1498962013ea66fd6970_NEIKI.exe
- Size: 276KB
- MD5: 2769a462097b1498962013ea66fd6970
- SHA1: e44da8ca18ca0aae82e1283007fbd92eb3762d84
- SHA256: 82c8a11b5a901938b462c6760648fde12e1918c387092ba1d9589b5f7bf692a1
- SHA512: 39c394aa68b41b58912cbd6faf936d23770b6d74dac736707813d623d49dd6541c973aa97ec8cf089118a709ab02babce489667a881291dc14cb362ee163a48a
- SSDEEP: 6144:xkrZV2/IuORLSdn7MUZst5qXsunbLwMddjPXmF6EC1LlzxAKN+xTU5AX/KXWZCK9:irZV4ER+pMUQunbpd/mF6ECJlzxAKN2x
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 events touch one ShellServiceObjectDelayLoad (SSODL) key in the 32-bit registry view, HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (printed by the sandbox as \REGISTRY\MACHINE\...), and the only value ever written there is:
    Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Explorer instantiates every CLSID listed under SSODL when the shell starts, so this is DLL persistence inside explorer.exe with no Run key. The CLSID itself is registered in the "Modifies registry class" signature below, where its InProcServer32 default value points at a DLL under C:\Windows\SysWow64.

Key created (30 events), by process:
Enhpao32.exe, Gndick32.exe, Jgbhdkml.exe, Pokanf32.exe, Kaflio32.exe, Kjqfmn32.exe, Hepgkohh.exe, Eennefib.exe, Lndfchdj.exe, Mopeofjl.exe, Ogjpld32.exe, Hfbbdj32.exe, Apgqie32.exe, Bmkjig32.exe, Ndinck32.exe, Heegad32.exe, Mljmhflh.exe, Aeeomegd.exe, Egaejeej.exe, Oahnhncc.exe, Hchihhng.exe, Nlphmafm.exe, Cldjkl32.exe, Jhjcbljf.exe, Mpenmadn.exe, Jpenfp32.exe, Ijiopd32.exe, Gkqhpmkg.exe, Bcpika32.exe, Fdogjk32.exe

Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" (34 events), by process:
Cibkohef.exe, Kciaqi32.exe, Fajbjh32.exe, Mgpcohcb.exe, Kmppneal.exe, Oeffnl32.exe, Agobna32.exe, Jgbhdkml.exe, Nbjpjl32.exe, Mnjqmpgg.exe, Gckjlf32.exe, Glpdjpbj.exe, Nfldgk32.exe, Jopiom32.exe, Dedkogqm.exe, Npnqcpmc.exe, Bbpolb32.exe, Bjmpfdhb.exe, Iibaeb32.exe, Qdflaa32.exe, Eehicoel.exe, Kifojnol.exe, Gbhhieao.exe, Lihpdj32.exe, Doaneiop.exe, Fgmdec32.exe, Hioflcbj.exe, Knifging.exe, Iodjcnca.exe, Lfodmdni.exe, Kpccmhdg.exe, Dgdgijhp.exe, Ffnglc32.exe, Ijlkfg32.exe
- Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor trojan that can download and install further malicious software, such as other trojans, ransomware and cryptominers.

All 64 matches are the yara rule family_berbew on dropped files under behavioral2/files/:
0x0008000000023245-6.dat, 0x0008000000023249-14.dat, 0x000800000002324c-22.dat, 0x000700000002324e-30.dat, 0x0007000000023250-38.dat, 0x0007000000023252-46.dat, 0x0007000000023254-54.dat, 0x0007000000023256-58.dat,
0x0007000000023258-70.dat, 0x000700000002325a-78.dat, 0x000700000002325c-86.dat, 0x000700000002325e-89.dat, 0x0007000000023260-102.dat, 0x0007000000023262-110.dat, 0x0007000000023264-118.dat, 0x0007000000023266-126.dat,
0x0007000000023268-134.dat, 0x000700000002326a-142.dat, 0x000700000002326c-145.dat, 0x000700000002326f-158.dat, 0x0007000000023271-166.dat, 0x0007000000023273-174.dat, 0x0007000000023275-182.dat, 0x0007000000023277-190.dat,
0x0007000000023279-198.dat, 0x000700000002327b-206.dat, 0x000700000002327d-214.dat, 0x000700000002327f-222.dat, 0x0007000000023281-229.dat, 0x0007000000023283-234.dat, 0x0007000000023285-246.dat, 0x0007000000023287-254.dat,
0x0007000000023291-281.dat, 0x0007000000023298-299.dat, 0x00070000000232a2-329.dat, 0x00070000000232a8-347.dat, 0x00070000000232ae-365.dat, 0x00070000000232b6-389.dat, 0x00070000000232ca-449.dat, 0x00070000000232e2-521.dat,
0x00070000000232e8-540.dat, 0x00070000000232ec-553.dat, 0x000200000001e32b-588.dat, 0x00070000000232fa-602.dat, 0x0007000000023307-644.dat, 0x0007000000023326-743.dat, 0x000700000002332f-770.dat, 0x0007000000023333-784.dat,
0x000700000002333d-819.dat, 0x000700000002337d-1020.dat, 0x000700000002337f-1027.dat, 0x0007000000023389-1061.dat, 0x000700000002338d-1075.dat, 0x0007000000023398-1110.dat, 0x000700000002339a-1118.dat, 0x00070000000233a4-1152.dat,
0x00070000000233ac-1179.dat, 0x00070000000233c2-1255.dat, 0x00070000000233c4-1263.dat, 0x00070000000233c8-1276.dat, 0x00070000000233e9-1379.dat, 0x00070000000233ef-1400.dat, 0x00070000000233f5-1421.dat, 0x00070000000233f7-1429.dat
- Executes dropped EXE (64 IoCs)
pid and Process of each dropped executable that ran:
5096 Mgobel32.exe, 4852 Mjahlgpf.exe, 3472 Pdfehh32.exe, 4316 Bojomm32.exe, 868 Bffcpg32.exe, 2716 Ckeimm32.exe, 3220 Ddjmba32.exe, 1004 Doaneiop.exe,
648 Ekkkoj32.exe, 5028 Eehicoel.exe, 1432 Enbjad32.exe, 2848 Feoodn32.exe, 3372 Ffqhcq32.exe, 2660 Gfhndpol.exe, 2016 Gihgfk32.exe, 1588 Gpelhd32.exe,
3156 Hbjoeojc.exe, 2516 Ibaeen32.exe, 2976 Iipfmggc.exe, 504 Iidphgcn.exe, 460 Jleijb32.exe, 1132 Jpenfp32.exe, 4000 Jlolpq32.exe, 1476 Keimof32.exe,
3588 Kncaec32.exe, 1020 Kgnbdh32.exe, 2064 Lqhdbm32.exe, 1456 Lgdidgjg.exe, 2996 Lqojclne.exe, 1464 Mgloefco.exe, 4788 Mnjqmpgg.exe, 216 Mnmmboed.exe,
2852 Nggnadib.exe, 4088 Nglhld32.exe, 4712 Njmqnobn.exe, 1580 Onkidm32.exe, 4484 Opqofe32.exe, 1868 Adhdjpjf.exe, 2932 Dqpfmlce.exe, 4736 Dglkoeio.exe,
1324 Egohdegl.exe, 2032 Enhpao32.exe, 4804 Egaejeej.exe, 4772 Fbplml32.exe, 3016 Fgmdec32.exe, 4132 Fajbjh32.exe, 2940 Gndick32.exe, 2628 Hioflcbj.exe,
948 Hnlodjpa.exe, 3852 Heegad32.exe, 5000 Hnbeeiji.exe, 1156 Hihibbjo.exe, 4856 Inebjihf.exe, 4184 Ipkdek32.exe, 1796 Iehmmb32.exe, 1852 Jemfhacc.exe,
4784 Jeocna32.exe, 1564 Johggfha.exe, 4800 Kcmfnd32.exe, 3780 Kifojnol.exe, 4084 Kcoccc32.exe, 3664 Kpccmhdg.exe, 3152 Lepleocn.exe, 1340 Lcclncbh.exe
- Drops file in System32 directory (64 IoCs)
Every path is under C:\Windows\SysWOW64: the sample is 32-bit, so WOW64 file-system redirection turns its writes to system32 into writes to SysWOW64 on this x64 image. Hunts that only look in C:\Windows\System32 will miss these files.

description | ioc | Process
File created | C:\Windows\SysWOW64\Nibaepqb.dll | Oogdfc32.exe
File opened for modification | C:\Windows\SysWOW64\Paaidf32.exe | Pdmikb32.exe
File created | C:\Windows\SysWOW64\Clijablo.exe | Clgmkbna.exe
File created | C:\Windows\SysWOW64\Qcbegphl.dll | Oahnhncc.exe
File created | C:\Windows\SysWOW64\Hcpnhpba.dll | Jjefao32.exe
File opened for modification | C:\Windows\SysWOW64\Gnlenp32.exe | Gphddlfp.exe
File created | C:\Windows\SysWOW64\Hlhbih32.dll | Fgmdec32.exe
File created | C:\Windows\SysWOW64\Didqkeeq.exe | Dgdgijhp.exe
File created | C:\Windows\SysWOW64\Qemgmmip.dll | Lndfchdj.exe
File created | C:\Windows\SysWOW64\Iodjcnca.exe | Icminm32.exe
File created | C:\Windows\SysWOW64\Mgloefco.exe | Lqojclne.exe
File created | C:\Windows\SysWOW64\Bjmpfdhb.exe | Bbbkbbkg.exe
File created | C:\Windows\SysWOW64\Eeddfe32.exe | Emioab32.exe
File opened for modification | C:\Windows\SysWOW64\Bdlfjh32.exe | Ajaelc32.exe
File created | C:\Windows\SysWOW64\Pimdleea.dll | Aeffgkkp.exe
File created | C:\Windows\SysWOW64\Hmpfjpko.dll | Pbfjjlgc.exe
File created | C:\Windows\SysWOW64\Npcaie32.exe | Ngipjp32.exe
File created | C:\Windows\SysWOW64\Kgiamm32.dll | Ohmepbki.exe
File created | C:\Windows\SysWOW64\Cqmldgdc.dll | Kmjinjnj.exe
File created | C:\Windows\SysWOW64\Lkiiee32.exe | Lihpdj32.exe
File created | C:\Windows\SysWOW64\Edhjghdk.dll | Bffcpg32.exe
File opened for modification | C:\Windows\SysWOW64\Ngemjg32.exe | Mhppik32.exe
File opened for modification | C:\Windows\SysWOW64\Agnkck32.exe | Aglnnkid.exe
File opened for modification | C:\Windows\SysWOW64\Fjgfgbek.exe | Flcfnn32.exe
File opened for modification | C:\Windows\SysWOW64\Cildom32.exe | Bfmolc32.exe
File created | C:\Windows\SysWOW64\Qidimpef.dll | Agnkck32.exe
File created | C:\Windows\SysWOW64\Aaeidf32.dll | Lepleocn.exe
File created | C:\Windows\SysWOW64\Hepgkohh.exe | Gnfooe32.exe
File created | C:\Windows\SysWOW64\Okahhpqj.dll | Lhpnlclc.exe
File created | C:\Windows\SysWOW64\Akaaggld.dll | Dgdgijhp.exe
File created | C:\Windows\SysWOW64\Fkklfgll.dll | Icakofel.exe
File created | C:\Windows\SysWOW64\Hpceplkl.dll | Hnbeeiji.exe
File created | C:\Windows\SysWOW64\Emioab32.exe | Egmjpi32.exe
File opened for modification | C:\Windows\SysWOW64\Gmdoel32.exe | Gckjlf32.exe
File opened for modification | C:\Windows\SysWOW64\Phbolflm.exe | Pnmjomlg.exe
File created | C:\Windows\SysWOW64\Ifmgpfog.dll | Ncecioib.exe
File opened for modification | C:\Windows\SysWOW64\Mnmmboed.exe | Mnjqmpgg.exe
File created | C:\Windows\SysWOW64\Kaflio32.exe | Kpgoolbl.exe
File created | C:\Windows\SysWOW64\Cefked32.dll | Qnpgdmjd.exe
File created | C:\Windows\SysWOW64\Gbkdod32.exe | Gbhhieao.exe
File created | C:\Windows\SysWOW64\Ohdlpa32.exe | Oickbjmb.exe
File created | C:\Windows\SysWOW64\Accimdgp.dll | Iidphgcn.exe
File created | C:\Windows\SysWOW64\Ohcigb32.dll | Emioab32.exe
File opened for modification | C:\Windows\SysWOW64\Jikjmbmb.exe | Jobfdl32.exe
File created | C:\Windows\SysWOW64\Kcplkl32.dll | Epaemojk.exe
File created | C:\Windows\SysWOW64\Elihef32.dll | Nehjmnei.exe
File created | C:\Windows\SysWOW64\Paaidf32.exe | Pdmikb32.exe
File opened for modification | C:\Windows\SysWOW64\Nbjpjl32.exe | Nlphmafm.exe
File opened for modification | C:\Windows\SysWOW64\Icgbob32.exe | Inkjfk32.exe
File created | C:\Windows\SysWOW64\Dolinf32.exe | Diopep32.exe
File created | C:\Windows\SysWOW64\Cbiabq32.exe | Ceeaim32.exe
File created | C:\Windows\SysWOW64\Eehicoel.exe | Ekkkoj32.exe
File opened for modification | C:\Windows\SysWOW64\Ofgdcipq.exe | Oqklkbbi.exe
File opened for modification | C:\Windows\SysWOW64\Gphddlfp.exe | Gjnlha32.exe
File created | C:\Windows\SysWOW64\Hcofbifb.exe | Hhiaepfl.exe
File created | C:\Windows\SysWOW64\Bcbbjj32.dll | Doaneiop.exe
File opened for modification | C:\Windows\SysWOW64\Nehjmnei.exe | Ndinck32.exe
File created | C:\Windows\SysWOW64\Jobfdl32.exe | Jfjakgpa.exe
File created | C:\Windows\SysWOW64\Jabiie32.exe | Jmdqbg32.exe
File created | C:\Windows\SysWOW64\Hcefei32.dll | Ioffhn32.exe
File created | C:\Windows\SysWOW64\Npjnbg32.exe | Lpghfi32.exe
File opened for modification | C:\Windows\SysWOW64\Oiehhjjp.exe | Ohdlpa32.exe
File created | C:\Windows\SysWOW64\Gpelhd32.exe | Gihgfk32.exe
File created | C:\Windows\SysWOW64\Omgabj32.exe | Npcaie32.exe
- Program crash (1 IoC)
pid | pid_target | Process | procid_target
5196 | 5572 | WerFault.exe | 452
WerFault.exe (PID 5196) handled a crash of PID 5572 (process #452 in the tree). PID 5572 does not appear in any of the truncated tables on this page, so the crashing image cannot be identified from here.
- Modifies registry class (64 IoCs)
All 64 events register one COM class in the 32-bit view, HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32. This is the CLSID named by the SSODL value above, and the InProcServer32 default value is the DLL Explorer will load for it. The sandbox prints those REG_SZ paths with doubled backslashes ("C:\\Windows\\SysWow64\\..."); they are shown unescaped below. In the two cases this page lets us cross-check, the registered DLL is one the same process just wrote under "Drops file in System32 directory": Oogdfc32.exe creates C:\Windows\SysWOW64\Nibaepqb.dll and registers it, and Ohmepbki.exe does the same with Kgiamm32.dll.

Key created ...\InProcServer32 (24 events), by process:
Kidmcqeg.exe, Bnaffdfc.exe, Fbplml32.exe, Mdghhb32.exe, Oickbjmb.exe, 2769a462097b1498962013ea66fd6970_NEIKI.exe, Feoodn32.exe, Fgmdec32.exe, Kfjjbd32.exe, Jchaoe32.exe, Ipkdek32.exe, Hcofbifb.exe, Cmpcdfll.exe, Ffqhcq32.exe, Jabiie32.exe, Jleijb32.exe, Hafpiehg.exe, Bcpika32.exe, Pdfehh32.exe, Fqfojblo.exe, Bbbkbbkg.exe, Lehhqg32.exe, Gbkdod32.exe, Kmjinjnj.exe

Set value (str) ...\InProcServer32\ThreadingModel = "Apartment" (22 events), by process:
Bijncb32.exe, Icogcjde.exe, Hchihhng.exe, Jjefao32.exe, Heegad32.exe, Bnaffdfc.exe, Oahnhncc.exe, Gfhndpol.exe, Hadcce32.exe, Fdmjdkda.exe, Jlafhkfe.exe, Ajhndgjj.exe, Ncpeaoih.exe, Fpfholhc.exe, Cmpcdfll.exe, Nkpbpp32.exe, 2769a462097b1498962013ea66fd6970_NEIKI.exe, Kmjinjnj.exe, Mqhfoebo.exe, Egaejeej.exe, Homcbo32.exe, Kcoccc32.exe

Set value (str) ...\InProcServer32\(Default) = DLL path (18 events):
DLL | Process
C:\Windows\SysWow64\Headnoed.dll | Belemd32.exe
C:\Windows\SysWow64\Ncieicai.dll | Pnmjomlg.exe
C:\Windows\SysWow64\Ffiipfmi.dll | Eehicoel.exe
C:\Windows\SysWow64\Epanfaei.dll | Mehafq32.exe
C:\Windows\SysWow64\Kgiamm32.dll | Ohmepbki.exe
C:\Windows\SysWow64\Pmhaae32.dll | Gammbfqa.exe
C:\Windows\SysWow64\Cljmgigk.dll | Jaefne32.exe
C:\Windows\SysWow64\Nibaepqb.dll | Oogdfc32.exe
C:\Windows\SysWow64\Ganbkp32.dll | Ileflmpb.exe
C:\Windows\SysWow64\Mqhali32.dll | Logbigbg.exe
C:\Windows\SysWow64\Painhneh.dll | Gckjlf32.exe
C:\Windows\SysWow64\Jdlgkm32.dll | Pgbkgmao.exe
C:\Windows\SysWow64\Klhhpb32.dll | Ofgdcipq.exe
C:\Windows\SysWow64\Hkjfpp32.dll | Cdgolq32.exe
C:\Windows\SysWow64\Lanpok32.dll | Akmjdpac.exe
C:\Windows\SysWow64\Iocclj32.dll | Nbefolao.exe
C:\Windows\SysWow64\Djkjkdck.dll | Jfjakgpa.exe
C:\Windows\SysWow64\Ldbhiiol.dll | Bdlfjh32.exe
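The two registry signatures on this page ("Adds autorun key ..." and "Modifies registry class") only make sense together: the SSODL value name Web Event Logger points at CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and that CLSID's InProcServer32 default value is the DLL that actually gets loaded. The Python below is an added example, not part of the tria.ge report; it parses a handful of the report's own event strings, copied inline as a constructed sample in the sandbox's exact spelling, and joins them into the chain value name -> CLSID -> DLL -> writing process. The function and variable names are mine. Because the sample is 32-bit, every write landed in the WOW6432Node view, so a hunt on a 64-bit host should query both the native and the WOW6432Node copies of these keys (assumption about your own tooling; the report only shows the redirected view).

```python
import re

# Constructed sample: five registry events copied verbatim from this report's
# "Adds autorun key" and "Modifies registry class" tables, as
# (description, ioc, process) tuples in the sandbox's own spelling.
SAMPLE_EVENTS = [
    ("Key created",
     r"\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
     "Enhpao32.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"',
     "Cibkohef.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"',
     "Bijncb32.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Headnoed.dll"',
     "Belemd32.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncieicai.dll"',
     "Pnmjomlg.exe"),
]

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# ...\ShellServiceObjectDelayLoad\<value name> = "{CLSID}"
SSODL_RE = re.compile(r'\\ShellServiceObjectDelayLoad\\(?P<name>.+?) = "(?P<clsid>' + CLSID + r')"$')
# ...\CLSID\{CLSID}\InProcServer32\ = "<dll path>"   (the key's default value)
INPROC_RE = re.compile(r'\\CLSID\\(?P<clsid>' + CLSID + r')\\InProcServer32\\ = "(?P<path>[^"]+)"$')


def registry_view(ioc):
    """Which view the write landed in: WOW6432Node (redirected 32-bit) or native."""
    return "WOW6432Node" if "wow6432node" in ioc.lower() else "native"


def correlate(events):
    """Join SSODL value writes to the InProcServer32 registrations of the CLSIDs
    they name. Returns {clsid: {...}} with the value name, the registry view,
    the DLL path(s) the CLSID resolves to, and which process wrote each piece."""
    ssodl = {}
    inproc = {}
    for _desc, ioc, proc in events:
        m = SSODL_RE.search(ioc)
        if m:
            clsid = m["clsid"].upper()
            entry = ssodl.setdefault(clsid, {"value_name": m["name"],
                                             "view": registry_view(ioc),
                                             "ssodl_writers": []})
            entry["ssodl_writers"].append(proc)
            continue
        m = INPROC_RE.search(ioc)
        if m:
            # tria.ge prints the REG_SZ with doubled backslashes; collapse them.
            path = m["path"].replace("\\\\", "\\")
            inproc.setdefault(m["clsid"].upper(), []).append((path, proc))
    findings = {}
    for clsid, entry in ssodl.items():
        regs = inproc.get(clsid, [])
        findings[clsid] = dict(entry, dlls=[p for p, _ in regs],
                               dll_writers=[w for _, w in regs])
    return findings


if __name__ == "__main__":
    for clsid, f in correlate(SAMPLE_EVENTS).items():
        print(f'SSODL "{f["value_name"]}" -> {clsid} ({f["view"]} view), set by {f["ssodl_writers"]}')
        for dll, who in zip(f["dlls"], f["dll_writers"]):
            print(f"    InProcServer32 = {dll}  (written by {who})")
```

Feeding the full tables to correlate() shows the whole family re-pointing the same CLSID at a new SysWow64 DLL each generation; a CLSID that is named in SSODL but has no InProcServer32 registration in your own telemetry is the gap to look for when a collection window is incomplete.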
- Suspicious use of WriteProcessMemory (64 IoCs)
Each row reads "PID <pid> wrote to memory of <target pid>", followed by the writer's image and the target's process index (procid_target). The report records exactly three writes for every parent-to-child hop and none anywhere else; the table below collapses the repeats into a count. The 64-row listing ends after the first event of the last hop shown.

pid | Process | wrote to pid | procid_target | events
2148 | 2769a462097b1498962013ea66fd6970_NEIKI.exe | 5096 | 90 | 3
5096 | Mgobel32.exe | 4852 | 91 | 3
4852 | Mjahlgpf.exe | 3472 | 92 | 3
3472 | Pdfehh32.exe | 4316 | 93 | 3
4316 | Bojomm32.exe | 868 | 94 | 3
868 | Bffcpg32.exe | 2716 | 95 | 3
2716 | Ckeimm32.exe | 3220 | 96 | 3
3220 | Ddjmba32.exe | 1004 | 97 | 3
1004 | Doaneiop.exe | 648 | 98 | 3
648 | Ekkkoj32.exe | 5028 | 99 | 3
5028 | Eehicoel.exe | 1432 | 100 | 3
1432 | Enbjad32.exe | 2848 | 101 | 3
2848 | Feoodn32.exe | 3372 | 102 | 3
3372 | Ffqhcq32.exe | 2660 | 103 | 3
2660 | Gfhndpol.exe | 2016 | 104 | 3
2016 | Gihgfk32.exe | 1588 | 105 | 3
1588 | Gpelhd32.exe | 3156 | 106 | 3
3156 | Hbjoeojc.exe | 2516 | 107 | 3
2516 | Ibaeen32.exe | 2976 | 108 | 3
2976 | Iipfmggc.exe | 504 | 109 | 3
504 | Iidphgcn.exe | 460 | 110 | 3
460 | Jleijb32.exe | 1132 | 111 | 1 (listing truncated)
Processes
Each entry gives the image path (command line; nesting depth in the process tree; PID), followed by the signatures that process triggered.
- C:\Users\Admin\AppData\Local\Temp\2769a462097b1498962013ea66fd6970_NEIKI.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2769a462097b1498962013ea66fd6970_NEIKI.exe"; depth 1; PID 2148)
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Mgobel32.exe (command line: C:\Windows\system32\Mgobel32.exe; depth 2; PID 5096)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Mjahlgpf.exe (command line: C:\Windows\system32\Mjahlgpf.exe; depth 3; PID 4852)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Pdfehh32.exe (command line: C:\Windows\system32\Pdfehh32.exe; depth 4; PID 3472)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Bojomm32.exe (command line: C:\Windows\system32\Bojomm32.exe; depth 5; PID 4316)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Bffcpg32.exe (command line: C:\Windows\system32\Bffcpg32.exe; depth 6; PID 868)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ckeimm32.exe (command line: C:\Windows\system32\Ckeimm32.exe; depth 7; PID 2716)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ddjmba32.exe (command line: C:\Windows\system32\Ddjmba32.exe; depth 8; PID 3220)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Doaneiop.exe (command line: C:\Windows\system32\Doaneiop.exe; depth 9; PID 1004)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ekkkoj32.exe (command line: C:\Windows\system32\Ekkkoj32.exe; depth 10; PID 648)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Eehicoel.exe (command line: C:\Windows\system32\Eehicoel.exe; depth 11; PID 5028)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Enbjad32.exe (command line: C:\Windows\system32\Enbjad32.exe; depth 12; PID 1432)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Feoodn32.exe (command line: C:\Windows\system32\Feoodn32.exe; depth 13; PID 2848)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ffqhcq32.exe (command line: C:\Windows\system32\Ffqhcq32.exe; depth 14; PID 3372)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Gfhndpol.exe (command line: C:\Windows\system32\Gfhndpol.exe; depth 15; PID 2660)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Gihgfk32.exe (command line: C:\Windows\system32\Gihgfk32.exe; depth 16; PID 2016)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Gpelhd32.exe (command line: C:\Windows\system32\Gpelhd32.exe; depth 17; PID 1588)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Hbjoeojc.exe (command line: C:\Windows\system32\Hbjoeojc.exe; depth 18; PID 3156)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ibaeen32.exe (command line: C:\Windows\system32\Ibaeen32.exe; depth 19; PID 2516)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Iipfmggc.exe (command line: C:\Windows\system32\Iipfmggc.exe; depth 20; PID 2976)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Iidphgcn.exe (command line: C:\Windows\system32\Iidphgcn.exe; depth 21; PID 504)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jleijb32.exe (command line: C:\Windows\system32\Jleijb32.exe; depth 22; PID 460)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jpenfp32.exe (command line: C:\Windows\system32\Jpenfp32.exe; depth 23; PID 1132)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Jlolpq32.exe (command line: C:\Windows\system32\Jlolpq32.exe; depth 24; PID 4000)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Keimof32.exe (command line: C:\Windows\system32\Keimof32.exe; depth 25; PID 1476)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Kncaec32.exe (command line: C:\Windows\system32\Kncaec32.exe; depth 26; PID 3588)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Kgnbdh32.exe (command line: C:\Windows\system32\Kgnbdh32.exe; depth 27; PID 1020)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Lqhdbm32.exe (command line: C:\Windows\system32\Lqhdbm32.exe; depth 28; PID 2064)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Lgdidgjg.exe (command line: C:\Windows\system32\Lgdidgjg.exe; depth 29; PID 1456)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Lqojclne.exe (command line: C:\Windows\system32\Lqojclne.exe; depth 30; PID 2996)
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Mgloefco.exe (command line: C:\Windows\system32\Mgloefco.exe; depth 31; PID 1464)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mnjqmpgg.exe (command line: C:\Windows\system32\Mnjqmpgg.exe; depth 32; PID 4788)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Mnmmboed.exe (command line: C:\Windows\system32\Mnmmboed.exe; depth 33; PID 216)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nggnadib.exe (command line: C:\Windows\system32\Nggnadib.exe; depth 34; PID 2852)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nglhld32.exe (command line: C:\Windows\system32\Nglhld32.exe; depth 35; PID 4088)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Njmqnobn.exe (command line: C:\Windows\system32\Njmqnobn.exe; depth 36; PID 4712)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Onkidm32.exe (command line: C:\Windows\system32\Onkidm32.exe; depth 37; PID 1580)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Opqofe32.exe (command line: C:\Windows\system32\Opqofe32.exe; depth 38; PID 4484)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Adhdjpjf.exe (command line: C:\Windows\system32\Adhdjpjf.exe; depth 39; PID 1868)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Dqpfmlce.exe (command line: C:\Windows\system32\Dqpfmlce.exe; depth 40; PID 2932)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Dglkoeio.exe (command line: C:\Windows\system32\Dglkoeio.exe; depth 41; PID 4736)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Egohdegl.exe (command line: C:\Windows\system32\Egohdegl.exe; depth 42; PID 1324)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Enhpao32.exe (command line: C:\Windows\system32\Enhpao32.exe; depth 43; PID 2032)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Egaejeej.exe (command line: C:\Windows\system32\Egaejeej.exe; depth 44; PID 4804)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Fbplml32.exe (command line: C:\Windows\system32\Fbplml32.exe; depth 45; PID 4772)
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Fgmdec32.exe (command line: C:\Windows\system32\Fgmdec32.exe; depth 46; PID 3016)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Fajbjh32.exe (command line: C:\Windows\system32\Fajbjh32.exe; depth 47; PID 4132)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gndick32.exe (command line: C:\Windows\system32\Gndick32.exe; depth 48; PID 2940)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hioflcbj.exe (command line: C:\Windows\system32\Hioflcbj.exe; depth 49; PID 2628)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hnlodjpa.exe (command line: C:\Windows\system32\Hnlodjpa.exe; depth 50; PID 948)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Heegad32.exe (command line: C:\Windows\system32\Heegad32.exe; depth 51; PID 3852)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Hnbeeiji.exe (command line: C:\Windows\system32\Hnbeeiji.exe; depth 52; PID 5000)
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Hihibbjo.exe (command line: C:\Windows\system32\Hihibbjo.exe; depth 53; PID 1156)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Inebjihf.exe (command line: C:\Windows\system32\Inebjihf.exe; depth 54; PID 4856)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ipkdek32.exe (command line: C:\Windows\system32\Ipkdek32.exe; depth 55; PID 4184)
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Iehmmb32.exe (command line: C:\Windows\system32\Iehmmb32.exe; depth 56; PID 1796)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Jemfhacc.exe (command line: C:\Windows\system32\Jemfhacc.exe; depth 57; PID 1852)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Jeocna32.exe (command line: C:\Windows\system32\Jeocna32.exe; depth 58; PID 4784)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Johggfha.exe (command line: C:\Windows\system32\Johggfha.exe; depth 59; PID 1564)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Kcmfnd32.exe (command line: C:\Windows\system32\Kcmfnd32.exe; depth 60; PID 4800)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Kifojnol.exe (command line: C:\Windows\system32\Kifojnol.exe; depth 61; PID 3780)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Kcoccc32.exe (command line: C:\Windows\system32\Kcoccc32.exe; depth 62; PID 4084)
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Kpccmhdg.exe (command line: C:\Windows\system32\Kpccmhdg.exe; depth 63; PID 3664)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Lepleocn.exe (command line: C:\Windows\system32\Lepleocn.exe; depth 64; PID 3152)
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Lcclncbh.exe (command line: C:\Windows\system32\Lcclncbh.exe; depth 65; PID 1340)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Lcfidb32.exe (command line: C:\Windows\system32\Lcfidb32.exe; depth 66; PID 2068)
- C:\Windows\SysWOW64\Legben32.exe (command line: C:\Windows\system32\Legben32.exe; depth 67; PID 4604)
- C:\Windows\SysWOW64\Loacdc32.exe (command line: C:\Windows\system32\Loacdc32.exe; depth 68; PID 4044)
- C:\Windows\SysWOW64\Modpib32.exe (command line: C:\Windows\system32\Modpib32.exe; depth 69; PID 3612)
- C:\Windows\SysWOW64\Mcaipa32.exe (command line: C:\Windows\system32\Mcaipa32.exe; depth 70; PID 1948)
- C:\Windows\SysWOW64\Mljmhflh.exe (command line: C:\Windows\system32\Mljmhflh.exe; depth 71; PID 4004)
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Mqhfoebo.exe (command line: C:\Windows\system32\Mqhfoebo.exe; depth 72; PID 1368)
  - Modifies registry class
- C:\Windows\SysWOW64\Mhckcgpj.exe (command line: C:\Windows\system32\Mhckcgpj.exe; depth 73; PID 4876)
- C:\Windows\SysWOW64\Nbnlaldg.exe (command line: C:\Windows\system32\Nbnlaldg.exe; depth 74; PID 688)
- C:\Windows\SysWOW64\Noblkqca.exe (command line: C:\Windows\system32\Noblkqca.exe; depth 75; PID 864)
- C:\Windows\SysWOW64\Nfldgk32.exe (command line: C:\Windows\system32\Nfldgk32.exe; depth 76; PID 3192)
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Ncpeaoih.exe (command line: C:\Windows\system32\Ncpeaoih.exe; depth 77; PID 4744)
  - Modifies registry class
- C:\Windows\SysWOW64\Ncbafoge.exe (command line: C:\Windows\system32\Ncbafoge.exe; depth 78; PID 1648)
- C:\Windows\SysWOW64\Ooibkpmi.exe (command line: C:\Windows\system32\Ooibkpmi.exe; depth 79; PID 1148)
- C:\Windows\SysWOW64\Oqklkbbi.exe (command line: C:\Windows\system32\Oqklkbbi.exe; depth 80; PID 5128)
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ofgdcipq.exe (command line: C:\Windows\system32\Ofgdcipq.exe; depth 81; PID 5172)
  - Modifies registry class
- C:\Windows\SysWOW64\Ofjqihnn.exe (command line: C:\Windows\system32\Ofjqihnn.exe; depth 82; PID 5212)
- C:\Windows\SysWOW64\Ocnabm32.exe (command line: C:\Windows\system32\Ocnabm32.exe; depth 83; PID 5256)
- C:\Windows\SysWOW64\Padnaq32.exe (command line: C:\Windows\system32\Padnaq32.exe; depth 84; PID 5308)
- C:\Windows\SysWOW64\Pcgdhkem.exe (command line: C:\Windows\system32\Pcgdhkem.exe; depth 85; PID 5352)
- C:\Windows\SysWOW64\Pciqnk32.exe (command line: C:\Windows\system32\Pciqnk32.exe; depth 86; PID 5396)
- C:\Windows\SysWOW64\Qbonoghb.exe (command line: C:\Windows\system32\Qbonoghb.exe; depth 87; PID 5452)
- C:\Windows\SysWOW64\Ajaelc32.exe (command line: C:\Windows\system32\Ajaelc32.exe; depth 88; PID 5500)
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Bdlfjh32.exe (command line: C:\Windows\system32\Bdlfjh32.exe; depth 89; PID 5544)
  - Modifies registry class
- C:\Windows\SysWOW64\Bmdkcnie.exe (command line: C:\Windows\system32\Bmdkcnie.exe; depth 90; PID 5588)
- C:\Windows\SysWOW64\Bfmolc32.exe (command line: C:\Windows\system32\Bfmolc32.exe; depth 91; PID 5632)
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Cildom32.exe (command line: C:\Windows\system32\Cildom32.exe; depth 92; PID 5696)
- C:\Windows\SysWOW64\Fqfojblo.exe (command line: C:\Windows\system32\Fqfojblo.exe; depth 93; PID 5736)
  - Modifies registry class
- C:\Windows\SysWOW64\Fnjocf32.exe (command line: C:\Windows\system32\Fnjocf32.exe; depth 94; PID 5784)
- C:\Windows\SysWOW64\Ggccllai.exe (command line: C:\Windows\system32\Ggccllai.exe; depth 95; PID 5832)
- C:\Windows\SysWOW64\Gbhhieao.exe (command line: C:\Windows\system32\Gbhhieao.exe; depth 96; PID 5884)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Gbkdod32.exe (command line: C:\Windows\system32\Gbkdod32.exe; depth 97; PID 5932)
  - Modifies registry class
- C:\Windows\SysWOW64\Gggmgk32.exe (command line: C:\Windows\system32\Gggmgk32.exe; depth 98; PID 5988)
- C:\Windows\SysWOW64\Gqpapacd.exe (command line: C:\Windows\system32\Gqpapacd.exe; depth 99; PID 6032)
- C:\Windows\SysWOW64\Gkefmjcj.exe (command line: C:\Windows\system32\Gkefmjcj.exe; depth 100; PID 6076)
- C:\Windows\SysWOW64\Gqbneq32.exe (command line: C:\Windows\system32\Gqbneq32.exe; depth 101; PID 5160)
- C:\Windows\SysWOW64\Gnfooe32.exe (command line: C:\Windows\system32\Gnfooe32.exe; depth 102; PID 5228)
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Hepgkohh.exe (command line: C:\Windows\system32\Hepgkohh.exe; depth 103; PID 5336)
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Hbdgec32.exe (command line: C:\Windows\system32\Hbdgec32.exe; depth 104; PID 5408)
- C:\Windows\SysWOW64\Hkmlnimb.exe (command line: C:\Windows\system32\Hkmlnimb.exe; depth 105; PID 5488)
- C:\Windows\SysWOW64\Heepfn32.exe (command line: C:\Windows\system32\Heepfn32.exe; depth 106; PID 5576)
- C:\Windows\SysWOW64\Icogcjde.exe (command line: C:\Windows\system32\Icogcjde.exe; depth 107; PID 5496)
  - Modifies registry class
- C:\Windows\SysWOW64\Ijiopd32.exe (command line: C:\Windows\system32\Ijiopd32.exe; depth 108; PID 5720)
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Iccpniqp.exe (command line: C:\Windows\system32\Iccpniqp.exe; depth 109; PID 5780)
- C:\Windows\SysWOW64\Iagqgn32.exe (command line: C:\Windows\system32\Iagqgn32.exe; depth 110; PID 5872)
- C:\Windows\SysWOW64\Iajmmm32.exe (command line: C:\Windows\system32\Iajmmm32.exe; depth 111; PID 324)
- C:\Windows\SysWOW64\Ijbbfc32.exe (command line: C:\Windows\system32\Ijbbfc32.exe; depth 112; PID 6016)
- C:\Windows\SysWOW64\Kocphojh.exe (command line: C:\Windows\system32\Kocphojh.exe; depth 113; PID 6104)
- C:\Windows\SysWOW64\Loemnnhe.exe (command line: C:\Windows\system32\Loemnnhe.exe; depth 114; PID 1684)
- C:\Windows\SysWOW64\Llimgb32.exe (command line: C:\Windows\system32\Llimgb32.exe; depth 115; PID 5380)
- C:\Windows\SysWOW64\Lhpnlclc.exe (command line: C:\Windows\system32\Lhpnlclc.exe; depth 116; PID 5464)
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ldfoad32.exe (command line: C:\Windows\system32\Ldfoad32.exe; depth 117; PID 5596)
- C:\Windows\SysWOW64\Lbhool32.exe (command line: C:\Windows\system32\Lbhool32.exe; depth 118; PID 5704)
- C:\Windows\SysWOW64\Llpchaqg.exe (command line: C:\Windows\system32\Llpchaqg.exe; depth 119; PID 5824)
- C:\Windows\SysWOW64\Lehhqg32.exe (command line: C:\Windows\system32\Lehhqg32.exe; depth 120; PID 1332)
  - Modifies registry class
- C:\Windows\SysWOW64\Mkepineo.exe (command line: C:\Windows\system32\Mkepineo.exe; depth 121; PID 6028)
- C:\Windows\SysWOW64\Mhiabbdi.exe (command line: C:\Windows\system32\Mhiabbdi.exe; depth 122; PID 5220)