Analysis
-
max time kernel
131s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
08/05/2024, 12:32
Behavioral task
behavioral1
Sample
adf40f843b18cfd7e8cb6a6c32ca9a10_NEIKI.exe
Resource
win7-20240220-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
adf40f843b18cfd7e8cb6a6c32ca9a10_NEIKI.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
adf40f843b18cfd7e8cb6a6c32ca9a10_NEIKI.exe
-
Size
1.3MB
-
MD5
adf40f843b18cfd7e8cb6a6c32ca9a10
-
SHA1
1590c3649a222f91d4dc21155ebf9ac56b28fa74
-
SHA256
969a145e7fa7cd10e2c442589ec66b8703a0700856d12507e3e116e28bdaf02e
-
SHA512
a9dc13674ea73e2045baa22e607dee4ac7a92fd20b5374b897060e15e69afb0dff871b0f41ae8bd7d04195368bb048dddafcd1b32ea8dae9376d3829d6351ce6
-
SSDEEP
24576:0DYvr4B9f01ZmQvrb91v92W9C05wkEPSOdKkrzEoxrC9toC9Dq9onk8:0DYkB9f0VP91v92W805IPSOdKgzEoxrS
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feocelll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkaopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cikglnkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcpebmkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgabkoee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhflnpoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jljbeali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkikkeeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iikhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icifbang.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boklbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Epagkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfjcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihbdplfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keimof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fedmqk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfjcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cobkhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpnlpnih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpcfmkff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfcipoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmgjgcgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibmeoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmndpq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knenkbio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpkchqdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nimbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmnaakne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggqoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amddjegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dikpbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjchaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfmojenc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljobpiql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Felbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cliaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Acqimo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goedpofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfigpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" adf40f843b18cfd7e8cb6a6c32ca9a10_NEIKI.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pefabkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aqkgpedc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcelmhen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elbhjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpcbhji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhjqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacjadad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dihlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojdnid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbapjafe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgdbkohf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcelmhen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncqlkemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohhnbhok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plagcbdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Klcekpdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogcnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpaifalo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faihkbci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neoieenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Coqncejg.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000c000000023b4e-6.dat family_berbew behavioral2/files/0x000a000000023bac-15.dat family_berbew behavioral2/files/0x000a000000023bae-23.dat family_berbew behavioral2/files/0x000a000000023bb0-25.dat family_berbew behavioral2/files/0x000a000000023bb3-39.dat family_berbew behavioral2/files/0x000a000000023bb9-64.dat family_berbew behavioral2/files/0x000c000000023ba0-71.dat family_berbew behavioral2/files/0x000a000000023bbc-77.dat family_berbew behavioral2/files/0x0031000000023bbe-85.dat family_berbew behavioral2/files/0x000a000000023bc0-92.dat family_berbew behavioral2/files/0x000a000000023bce-141.dat family_berbew behavioral2/files/0x000a000000023bd2-155.dat family_berbew behavioral2/files/0x000a000000023be0-204.dat family_berbew behavioral2/files/0x0007000000023d3e-809.dat family_berbew behavioral2/files/0x000b000000023be8-232.dat family_berbew behavioral2/files/0x000a000000023be6-225.dat family_berbew behavioral2/files/0x000a000000023be4-218.dat family_berbew behavioral2/files/0x000a000000023be2-211.dat family_berbew behavioral2/files/0x000a000000023bde-197.dat family_berbew behavioral2/files/0x000a000000023bdc-190.dat family_berbew behavioral2/files/0x000a000000023bda-183.dat family_berbew behavioral2/files/0x000a000000023bd8-176.dat family_berbew behavioral2/files/0x000a000000023bd6-169.dat family_berbew behavioral2/files/0x000a000000023bd4-162.dat family_berbew behavioral2/files/0x000a000000023bd0-148.dat family_berbew behavioral2/files/0x000a000000023bcc-134.dat family_berbew behavioral2/files/0x000a000000023bca-127.dat family_berbew behavioral2/files/0x000a000000023bc8-120.dat family_berbew behavioral2/files/0x000a000000023bc6-113.dat family_berbew behavioral2/files/0x000a000000023bc4-106.dat family_berbew behavioral2/files/0x000a000000023bc2-99.dat family_berbew behavioral2/files/0x000a000000023bb7-55.dat family_berbew behavioral2/files/0x000a000000023bb5-47.dat family_berbew behavioral2/files/0x0007000000023d4c-869.dat family_berbew behavioral2/files/0x0007000000023d52-887.dat family_berbew behavioral2/files/0x0007000000023d60-928.dat family_berbew behavioral2/files/0x0007000000023d80-1025.dat family_berbew behavioral2/files/0x000c000000023ab9-1181.dat family_berbew behavioral2/files/0x0007000000023daa-1198.dat family_berbew behavioral2/files/0x0007000000023db0-1218.dat family_berbew behavioral2/files/0x0007000000023dc8-1293.dat family_berbew behavioral2/files/0x0007000000023ddc-1362.dat family_berbew behavioral2/files/0x0007000000023df2-1438.dat family_berbew behavioral2/files/0x0007000000023dfc-1473.dat family_berbew behavioral2/files/0x0007000000023e05-1500.dat family_berbew behavioral2/files/0x0007000000023e0f-1537.dat family_berbew behavioral2/files/0x0007000000023e11-1546.dat family_berbew behavioral2/files/0x0007000000023e15-1562.dat family_berbew behavioral2/files/0x0010000000023a61-1617.dat family_berbew behavioral2/files/0x0007000000023e25-1634.dat family_berbew behavioral2/files/0x0007000000023e2a-1658.dat family_berbew behavioral2/files/0x0007000000023e32-1688.dat family_berbew behavioral2/files/0x0007000000023e3a-1713.dat family_berbew behavioral2/files/0x0007000000023e3e-1726.dat family_berbew behavioral2/files/0x0007000000023e50-1786.dat family_berbew behavioral2/files/0x0007000000023e57-1807.dat family_berbew behavioral2/files/0x0007000000023e5f-1833.dat family_berbew behavioral2/files/0x0007000000023e65-1852.dat family_berbew behavioral2/files/0x0007000000023e6b-1871.dat family_berbew behavioral2/files/0x0007000000023e73-1898.dat family_berbew behavioral2/files/0x0007000000023e7d-1932.dat family_berbew behavioral2/files/0x0007000000023e81-1945.dat family_berbew behavioral2/files/0x0007000000023eac-2084.dat family_berbew behavioral2/files/0x0007000000023ebc-2138.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 336 Gcidfi32.exe 1164 Gjclbc32.exe 3188 Gmaioo32.exe 2696 Hmklen32.exe 5096 Haidklda.exe 3456 Iffmccbi.exe 2920 Ibmmhdhm.exe 2620 Iiffen32.exe 4496 Iiibkn32.exe 1424 Idofhfmm.exe 2024 Ifmcdblq.exe 3056 Iikopmkd.exe 2476 Ipegmg32.exe 4628 Ibccic32.exe 1408 Ijkljp32.exe 4404 Iinlemia.exe 2100 Jaedgjjd.exe 3904 Jdcpcf32.exe 1236 Jfaloa32.exe 1028 Jiphkm32.exe 4428 Jmkdlkph.exe 2404 Jpjqhgol.exe 5064 Jbhmdbnp.exe 1996 Jibeql32.exe 5068 Jmnaakne.exe 2612 Jplmmfmi.exe 2176 Jbkjjblm.exe 4892 Jjbako32.exe 4564 Jmpngk32.exe 4716 Jpojcf32.exe 2132 Jbmfoa32.exe 4440 Jfhbppbc.exe 3624 Jigollag.exe 2172 Jpaghf32.exe 1488 Jiikak32.exe 3928 Kpccnefa.exe 2440 Kbapjafe.exe 4464 Kkihknfg.exe 4304 Kmgdgjek.exe 2552 Kdaldd32.exe 1944 Kgphpo32.exe 4860 Kinemkko.exe 2000 Kphmie32.exe 1820 Kbfiep32.exe 3020 Kknafn32.exe 4068 Kagichjo.exe 2856 Kdffocib.exe 2576 Kgdbkohf.exe 4056 Kibnhjgj.exe 4720 Kajfig32.exe 3428 Kckbqpnj.exe 4192 Kkbkamnl.exe 4472 Lmqgnhmp.exe 2448 Lpocjdld.exe 5028 Lgikfn32.exe 756 Liggbi32.exe 2720 Laopdgcg.exe 1428 Ldmlpbbj.exe 3144 Lgkhlnbn.exe 524 Lijdhiaa.exe 928 Lpcmec32.exe 4376 Lcbiao32.exe 4772 Lilanioo.exe 2744 Laciofpa.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iffmccbi.exe Haidklda.exe File created C:\Windows\SysWOW64\Bpcbnd32.dll Kgdbkohf.exe File opened for modification C:\Windows\SysWOW64\Dfhjkabi.exe Cjaifp32.exe File opened for modification C:\Windows\SysWOW64\Mkjnfkma.exe Madjhb32.exe File created C:\Windows\SysWOW64\Ifmqfm32.exe Hpchib32.exe File opened for modification C:\Windows\SysWOW64\Ckbemgcp.exe Cdimqm32.exe File created C:\Windows\SysWOW64\Madjhb32.exe Mkhapk32.exe File created C:\Windows\SysWOW64\Nacbfdao.exe Mgnnhk32.exe File created C:\Windows\SysWOW64\Mpbbmhgf.dll Bdkcmdhp.exe File opened for modification C:\Windows\SysWOW64\Jmknaell.exe Jfaedkdp.exe File created C:\Windows\SysWOW64\Kpgfooop.exe Kfoafi32.exe File created C:\Windows\SysWOW64\Npcoakfp.exe Mgkjhe32.exe File opened for modification C:\Windows\SysWOW64\Acqimo32.exe Amgapeea.exe File created C:\Windows\SysWOW64\Meebmkdh.dll Liqihglg.exe File opened for modification C:\Windows\SysWOW64\Ahpmjejp.exe Aogiap32.exe File created C:\Windows\SysWOW64\Oaifpi32.exe Ojomcopk.exe File opened for modification C:\Windows\SysWOW64\Ckedalaj.exe Chghdqbf.exe File created C:\Windows\SysWOW64\Enqjamin.dll Jgadgf32.exe File created C:\Windows\SysWOW64\Kqnbkl32.exe Jjdjoane.exe File opened for modification C:\Windows\SysWOW64\Aleckinj.exe Aoabad32.exe File created C:\Windows\SysWOW64\Copdgb32.dll Pefabkej.exe File created C:\Windows\SysWOW64\Cjgjmg32.dll Hibjli32.exe File opened for modification C:\Windows\SysWOW64\Mnhdgpii.exe Mcbpjg32.exe File opened for modification C:\Windows\SysWOW64\Pnkbkk32.exe Pfdjinjo.exe File opened for modification C:\Windows\SysWOW64\Jjbako32.exe Jbkjjblm.exe File opened for modification C:\Windows\SysWOW64\Jidklf32.exe Jbjcolha.exe File opened for modification C:\Windows\SysWOW64\Jeklag32.exe Jblpek32.exe File opened for modification C:\Windows\SysWOW64\Pflplnlg.exe Pdkcde32.exe File created C:\Windows\SysWOW64\Plgkkjnn.dll Hglaej32.exe File created C:\Windows\SysWOW64\Cjibekmc.dll Meiioonj.exe File created C:\Windows\SysWOW64\Palbgl32.exe Pkbjjbda.exe File opened for modification C:\Windows\SysWOW64\Phcgcqab.exe Pplobcpp.exe File created C:\Windows\SysWOW64\Kibnhjgj.exe Kgdbkohf.exe File opened for modification C:\Windows\SysWOW64\Dlgmpogj.exe Ddpeoafg.exe File opened for modification C:\Windows\SysWOW64\Igjeanmj.exe Ifihif32.exe File created C:\Windows\SysWOW64\Legjmh32.exe Lnnbqnjn.exe File opened for modification C:\Windows\SysWOW64\Nimbkc32.exe Nafjjf32.exe File created C:\Windows\SysWOW64\Pkadoiip.exe Phbhcmjl.exe File created C:\Windows\SysWOW64\Djfoankj.dll Dkbocbog.exe File created C:\Windows\SysWOW64\Doeiljfn.exe Dlgmpogj.exe File opened for modification C:\Windows\SysWOW64\Gkhbdg32.exe Fdnjgmle.exe File opened for modification C:\Windows\SysWOW64\Jfnbdecg.exe Igmagnkg.exe File created C:\Windows\SysWOW64\Bjdbkbbn.dll Kcmmhj32.exe File opened for modification C:\Windows\SysWOW64\Ogcnmc32.exe Oaifpi32.exe File opened for modification C:\Windows\SysWOW64\Mpoefk32.exe Mgfqmfde.exe File created C:\Windows\SysWOW64\Ikejgf32.exe Idkbkl32.exe File created C:\Windows\SysWOW64\Bapolp32.dll Dafbne32.exe File created C:\Windows\SysWOW64\Fkalchij.exe Fhcpgmjf.exe File created C:\Windows\SysWOW64\Ngknngal.dll Gkhbdg32.exe File created C:\Windows\SysWOW64\Aihaoqlp.exe Ackigjmh.exe File created C:\Windows\SysWOW64\Oeedjegm.dll Mkmkkjko.exe File created C:\Windows\SysWOW64\Akcaoeoo.dll Eoideh32.exe File created C:\Windows\SysWOW64\Njmqnobn.exe Ngndaccj.exe File created C:\Windows\SysWOW64\Clkooklb.dll Gdqgmmjb.exe File created C:\Windows\SysWOW64\Oflgep32.exe Njefqo32.exe File created C:\Windows\SysWOW64\Ifihif32.exe Ioopml32.exe File created C:\Windows\SysWOW64\Onklabip.exe Okloegjl.exe File created C:\Windows\SysWOW64\Mnepdqjg.dll Elppfmoo.exe File created C:\Windows\SysWOW64\Bffkij32.exe Baicac32.exe File created C:\Windows\SysWOW64\Ocdjpmac.exe Oofaiokl.exe File created C:\Windows\SysWOW64\Phfjcf32.exe Palbgl32.exe File created C:\Windows\SysWOW64\Ibimpp32.dll Jplmmfmi.exe File created C:\Windows\SysWOW64\Dhhnpjmh.exe Djdmffnn.exe File created C:\Windows\SysWOW64\Kppici32.exe Jpmlnjco.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9548 12836 WerFault.exe 1091 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioodgbj.dll" Bqdblmhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckmonl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll" Lgkhlnbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdmpcdfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eggmge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpbiip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Neoieenp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odalmibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Adkgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fefedmil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Laciofpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocqnij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Baadiiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll" Ddgibkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjeddggd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipbdmaah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cbfgkffn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jljbeali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjnfknb.dll" Mcbpjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jlpkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eecdjmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qebhhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhoqeibl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebejfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjkfjbc.dll" Ojdnid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pahilmoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knenkbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbdgfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjaifp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjahg32.dll" Gdcdbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kidiae32.dll" Acnemi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kaehljpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mamleegg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcbgk32.dll" Eoolbinc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mbbagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll" Kdffocib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkqeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpkbebbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll" Lboeaifi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hioiji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdobpkmb.dll" Qhkdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fklfdo32.dll" Ondeac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eapedd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jdodkebj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pkhoae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmipblaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inhdfkln.dll" Dapkni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knkekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiikaj32.dll" Nafjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bedgjgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdllgpbm.dll" Lcnfohmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdijbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nagbfo32.dll" Oofaiokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeggngeb.dll" Epokedmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjonng32.dll" Phincl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jdaaaeqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heeeiopa.dll" Cnfaohbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll" Odocigqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdka32.dll" Gafmaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Anogiicl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Feocelll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqdhfd32.dll" Plagcbdn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1520 wrote to memory of 336 1520 adf40f843b18cfd7e8cb6a6c32ca9a10_NEIKI.exe 85 PID 1520 wrote to memory of 336 1520 adf40f843b18cfd7e8cb6a6c32ca9a10_NEIKI.exe 85 PID 1520 wrote to memory of 336 1520 adf40f843b18cfd7e8cb6a6c32ca9a10_NEIKI.exe 85 PID 336 wrote to memory of 1164 336 Gcidfi32.exe 86 PID 336 wrote to memory of 1164 336 Gcidfi32.exe 86 PID 336 wrote to memory of 1164 336 Gcidfi32.exe 86 PID 1164 wrote to memory of 3188 1164 Gjclbc32.exe 87 PID 1164 wrote to memory of 3188 1164 Gjclbc32.exe 87 PID 1164 wrote to memory of 3188 1164 Gjclbc32.exe 87 PID 3188 wrote to memory of 2696 3188 Gmaioo32.exe 88 PID 3188 wrote to memory of 2696 3188 Gmaioo32.exe 88 PID 3188 wrote to memory of 2696 3188 Gmaioo32.exe 88 PID 2696 wrote to memory of 5096 2696 Hmklen32.exe 89 PID 2696 wrote to memory of 5096 2696 Hmklen32.exe 89 PID 2696 wrote to memory of 5096 2696 Hmklen32.exe 89 PID 5096 wrote to memory of 3456 5096 Haidklda.exe 90 PID 5096 wrote to memory of 3456 5096 Haidklda.exe 90 PID 5096 wrote to memory of 3456 5096 Haidklda.exe 90 PID 3456 wrote to memory of 2920 3456 Iffmccbi.exe 91 PID 3456 wrote to memory of 2920 3456 Iffmccbi.exe 91 PID 3456 wrote to memory of 2920 3456 Iffmccbi.exe 91 PID 2920 wrote to memory of 2620 2920 Ibmmhdhm.exe 92 PID 2920 wrote to memory of 2620 2920 Ibmmhdhm.exe 92 PID 2920 wrote to memory of 2620 2920 Ibmmhdhm.exe 92 PID 2620 wrote to memory of 4496 2620 Iiffen32.exe 94 PID 2620 wrote to memory of 4496 2620 Iiffen32.exe 94 PID 2620 wrote to memory of 4496 2620 Iiffen32.exe 94 PID 4496 wrote to memory of 1424 4496 Iiibkn32.exe 95 PID 4496 wrote to memory of 1424 4496 Iiibkn32.exe 95 PID 4496 wrote to memory of 1424 4496 Iiibkn32.exe 95 PID 1424 wrote to memory of 2024 1424 Idofhfmm.exe 96 PID 1424 wrote to memory of 2024 1424 Idofhfmm.exe 96 PID 1424 wrote to memory of 2024 1424 Idofhfmm.exe 96 PID 2024 wrote to memory of 3056 2024 Ifmcdblq.exe 97 PID 2024 wrote to memory of 3056 2024 Ifmcdblq.exe 97 PID 2024 wrote to memory of 3056 2024 Ifmcdblq.exe 97 PID 3056 wrote to memory of 2476 3056 Iikopmkd.exe 98 PID 3056 wrote to memory of 2476 3056 Iikopmkd.exe 98 PID 3056 wrote to memory of 2476 3056 Iikopmkd.exe 98 PID 2476 wrote to memory of 4628 2476 Ipegmg32.exe 99 PID 2476 wrote to memory of 4628 2476 Ipegmg32.exe 99 PID 2476 wrote to memory of 4628 2476 Ipegmg32.exe 99 PID 4628 wrote to memory of 1408 4628 Ibccic32.exe 100 PID 4628 wrote to memory of 1408 4628 Ibccic32.exe 100 PID 4628 wrote to memory of 1408 4628 Ibccic32.exe 100 PID 1408 wrote to memory of 4404 1408 Ijkljp32.exe 101 PID 1408 wrote to memory of 4404 1408 Ijkljp32.exe 101 PID 1408 wrote to memory of 4404 1408 Ijkljp32.exe 101 PID 4404 wrote to memory of 2100 4404 Iinlemia.exe 102 PID 4404 wrote to memory of 2100 4404 Iinlemia.exe 102 PID 4404 wrote to memory of 2100 4404 Iinlemia.exe 102 PID 2100 wrote to memory of 3904 2100 Jaedgjjd.exe 103 PID 2100 wrote to memory of 3904 2100 Jaedgjjd.exe 103 PID 2100 wrote to memory of 3904 2100 Jaedgjjd.exe 103 PID 3904 wrote to memory of 1236 3904 Jdcpcf32.exe 104 PID 3904 wrote to memory of 1236 3904 Jdcpcf32.exe 104 PID 3904 wrote to memory of 1236 3904 Jdcpcf32.exe 104 PID 1236 wrote to memory of 1028 1236 Jfaloa32.exe 105 PID 1236 wrote to memory of 1028 1236 Jfaloa32.exe 105 PID 1236 wrote to memory of 1028 1236 Jfaloa32.exe 105 PID 1028 wrote to memory of 4428 1028 Jiphkm32.exe 106 PID 1028 wrote to memory of 4428 1028 Jiphkm32.exe 106 PID 1028 wrote to memory of 4428 1028 Jiphkm32.exe 106 PID 4428 wrote to memory of 2404 4428 Jmkdlkph.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\adf40f843b18cfd7e8cb6a6c32ca9a10_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\adf40f843b18cfd7e8cb6a6c32ca9a10_NEIKI.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe23⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe24⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe25⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe29⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe30⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe31⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe32⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe33⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe34⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe35⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe36⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe37⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe39⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe40⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe41⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe42⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe43⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe44⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe45⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe46⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe47⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe50⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe51⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe52⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe53⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe54⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe55⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe56⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe57⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe58⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe59⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:3144 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe61⤵
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe62⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe63⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe64⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe66⤵PID:5056
-
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe67⤵PID:1908
-
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe68⤵PID:5152
-
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe69⤵PID:5188
-
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe70⤵PID:5224
-
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe71⤵PID:5260
-
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe72⤵
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe73⤵PID:5332
-
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe74⤵PID:5368
-
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe75⤵PID:5404
-
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe76⤵PID:5440
-
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe77⤵PID:5476
-
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe78⤵
- Modifies registry class
PID:5512 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe79⤵
- Modifies registry class
PID:5548 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe80⤵PID:5588
-
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe81⤵PID:5620
-
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe82⤵PID:5656
-
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5692 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5728 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe85⤵PID:5764
-
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe86⤵PID:5800
-
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe87⤵PID:5836
-
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe88⤵
- Drops file in System32 directory
PID:5872 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe89⤵PID:5908
-
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe90⤵PID:5944
-
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe91⤵PID:5980
-
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe92⤵PID:6016
-
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe93⤵PID:6052
-
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe94⤵PID:6088
-
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe95⤵PID:6124
-
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe96⤵PID:916
-
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe97⤵PID:3140
-
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe98⤵PID:2284
-
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe99⤵PID:3380
-
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe100⤵PID:1712
-
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe101⤵PID:5124
-
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5196 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe103⤵PID:5248
-
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe104⤵PID:5320
-
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe105⤵PID:5388
-
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe106⤵PID:5436
-
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe107⤵
- Modifies registry class
PID:5496 -
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe108⤵PID:5572
-
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe109⤵
- Modifies registry class
PID:5628 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe110⤵PID:5684
-
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe111⤵PID:5752
-
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe112⤵PID:5832
-
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe113⤵PID:2788
-
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe114⤵PID:5936
-
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe115⤵PID:6000
-
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe116⤵PID:6060
-
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe117⤵PID:6120
-
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe118⤵
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe119⤵PID:2276
-
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe120⤵PID:3772
-
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe121⤵PID:5160
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-