Analysis
-
max time kernel
92s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 00:55
Behavioral task
behavioral1
Sample
b41cce388ab412baf8d9e29c1236a300_NEIKI.exe
Resource
win7-20231129-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
b41cce388ab412baf8d9e29c1236a300_NEIKI.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
b41cce388ab412baf8d9e29c1236a300_NEIKI.exe
-
Size
130KB
-
MD5
b41cce388ab412baf8d9e29c1236a300
-
SHA1
d1843088541731d46865667629db88634c38300b
-
SHA256
7f98eee0677ecbc4b2a1c30a67ef43495542be5968123ec2db42d1ae3394d99a
-
SHA512
192d04d6fd7768517a2ead8d65cd37b5228c5f076491093cece8b1a8987c29668f1ec718be0bd430d0dc4f677274a714913e546ca87b12dab3a7b7affd1f48a8
-
SSDEEP
3072:16PgvjnwOxylllllloqWF/R4G02/BhHmiImXJ2fYdV46nfPyxWhj8NCM/4:qgbnwOxylllllloqWF/R4v4BhHmNEcYT
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poomegpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfkbde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmenca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnipbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cenahpha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjjnifbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgbchj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deagdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djhpgofm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnjpfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eehicoel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncchae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogpepl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohcegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdmkhgho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfcabp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfhad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfjpfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdlfhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkpqkcpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkgpbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paeelgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aonhghjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coiaiakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbfklei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knalji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albpkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmdgikhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npmagine.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlfnaicd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phonha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elbhjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdoihpbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iahlcaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdbfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geaepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ondljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpgodhkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgejpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afjeceml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fggfnc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifihif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mplafeil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fggocmhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hefnkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhbimf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjlhgaqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afkknogn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohibc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocefm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Banllbdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fggocmhf.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/4896-0-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x000600000002326f-7.dat family_berbew behavioral2/memory/2284-9-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00080000000233b1-16.dat family_berbew behavioral2/memory/3120-21-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233b3-24.dat family_berbew behavioral2/memory/3564-25-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233b5-31.dat family_berbew behavioral2/memory/376-33-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233b7-39.dat family_berbew behavioral2/memory/4564-42-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233b9-47.dat family_berbew behavioral2/memory/4684-53-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233bb-55.dat family_berbew behavioral2/memory/2940-57-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233bd-63.dat family_berbew behavioral2/memory/2764-65-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233bf-71.dat family_berbew behavioral2/memory/1084-73-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233c1-79.dat family_berbew behavioral2/memory/4824-80-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233c3-82.dat family_berbew behavioral2/memory/2156-89-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233c5-95.dat family_berbew behavioral2/memory/1524-97-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233c7-103.dat family_berbew behavioral2/memory/2364-105-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233c9-111.dat family_berbew behavioral2/memory/4484-113-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233cb-119.dat family_berbew behavioral2/memory/1540-121-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233cd-127.dat family_berbew behavioral2/files/0x00070000000233cf-135.dat family_berbew behavioral2/memory/4408-134-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233d1-143.dat family_berbew behavioral2/memory/2720-136-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/4308-145-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233d3-151.dat family_berbew behavioral2/memory/704-153-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233d4-159.dat family_berbew behavioral2/memory/2620-161-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233d6-167.dat family_berbew behavioral2/memory/2144-169-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233d8-175.dat family_berbew behavioral2/memory/1812-177-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233da-183.dat family_berbew behavioral2/memory/3016-185-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233dc-191.dat family_berbew behavioral2/memory/2408-192-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233de-199.dat family_berbew behavioral2/memory/3940-201-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233e0-207.dat family_berbew behavioral2/memory/3464-209-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233e2-215.dat family_berbew behavioral2/memory/4576-216-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233e4-223.dat family_berbew behavioral2/memory/4128-225-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233e6-231.dat family_berbew behavioral2/memory/2388-233-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233e8-240.dat family_berbew behavioral2/memory/4440-241-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/3360-257-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/180-263-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x00070000000233ee-258.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2284 Mibpda32.exe 3120 Mlampmdo.exe 3564 Mplhql32.exe 376 Meiaib32.exe 4564 Mcmabg32.exe 4684 Migjoaaf.exe 2940 Mpablkhc.exe 2764 Mgkjhe32.exe 1084 Miifeq32.exe 4824 Ndokbi32.exe 2156 Nilcjp32.exe 1524 Nljofl32.exe 2364 Nlmllkja.exe 4484 Ndcdmikd.exe 1540 Nnlhfn32.exe 4408 Npjebj32.exe 2720 Ngdmod32.exe 4308 Npmagine.exe 704 Nfjjppmm.exe 2620 Olcbmj32.exe 2144 Ogifjcdp.exe 1812 Oncofm32.exe 3016 Ogkcpbam.exe 2408 Olhlhjpd.exe 3940 Ognpebpj.exe 3464 Ojllan32.exe 4576 Odapnf32.exe 4128 Ofcmfodb.exe 2388 Oqhacgdh.exe 4440 Ocgmpccl.exe 4404 Ogbipa32.exe 3360 Ojaelm32.exe 180 Pnlaml32.exe 1016 Pgefeajb.exe 4572 Pfhfan32.exe 3596 Pnonbk32.exe 3412 Pmannhhj.exe 2304 Pdifoehl.exe 4968 Pclgkb32.exe 2008 Pggbkagp.exe 2160 Pjeoglgc.exe 2092 Pnakhkol.exe 4524 Pqpgdfnp.exe 3660 Pcncpbmd.exe 3876 Pjhlml32.exe 1888 Pncgmkmj.exe 1904 Pqbdjfln.exe 3128 Pdmpje32.exe 1516 Pgllfp32.exe 3716 Pnfdcjkg.exe 4292 Pqdqof32.exe 1708 Pdpmpdbd.exe 5108 Pfaigm32.exe 3572 Pjmehkqk.exe 3472 Qnhahj32.exe 2184 Qqfmde32.exe 2176 Qfcfml32.exe 3276 Qnjnnj32.exe 5112 Qqijje32.exe 220 Qffbbldm.exe 3684 Aqkgpedc.exe 4112 Ageolo32.exe 3816 Anogiicl.exe 2332 Afjlnk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ibclmgdb.dll Ccmgiaig.exe File created C:\Windows\SysWOW64\Onnmdcjm.exe Ohcegi32.exe File opened for modification C:\Windows\SysWOW64\Blgifbil.exe Bdpaeehj.exe File created C:\Windows\SysWOW64\Jenmcggo.exe Jocefm32.exe File created C:\Windows\SysWOW64\Pgpecj32.dll Kflide32.exe File created C:\Windows\SysWOW64\Bbekbm32.dll Lgcjdd32.exe File opened for modification C:\Windows\SysWOW64\Oblmdhdo.exe Okedcjcm.exe File created C:\Windows\SysWOW64\Hllbndih.dll Hkpqkcpd.exe File created C:\Windows\SysWOW64\Neimdg32.dll b41cce388ab412baf8d9e29c1236a300_NEIKI.exe File created C:\Windows\SysWOW64\Oheihn32.dll Ejdocm32.exe File opened for modification C:\Windows\SysWOW64\Hkjjlhle.exe Hhknpmma.exe File opened for modification C:\Windows\SysWOW64\Oeaoab32.exe Obcceg32.exe File created C:\Windows\SysWOW64\Mhckcgpj.exe Process not Found File created C:\Windows\SysWOW64\Oocmii32.exe Ohiemobf.exe File created C:\Windows\SysWOW64\Illddp32.dll Lggldm32.exe File created C:\Windows\SysWOW64\Fngjep32.dll Mnfnlf32.exe File opened for modification C:\Windows\SysWOW64\Qjfmkk32.exe Pdmdnadc.exe File created C:\Windows\SysWOW64\Ekppjn32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pfiddm32.exe Ppolhcnm.exe File created C:\Windows\SysWOW64\Fajbjh32.exe Process not Found File created C:\Windows\SysWOW64\Ichelm32.dll Process not Found File created C:\Windows\SysWOW64\Gaadfkgc.exe Gnfhfl32.exe File created C:\Windows\SysWOW64\Jedohked.dll Hjedffig.exe File opened for modification C:\Windows\SysWOW64\Edemkd32.exe Eagaoh32.exe File created C:\Windows\SysWOW64\Ehfcfb32.exe Epokedmj.exe File created C:\Windows\SysWOW64\Jeggngeb.dll Ehfcfb32.exe File created C:\Windows\SysWOW64\Ghbjikdh.dll Omegjomb.exe File created C:\Windows\SysWOW64\Flkkjnjg.dll Bdgged32.exe File created C:\Windows\SysWOW64\Eejeiocj.exe Enpmld32.exe File opened for modification C:\Windows\SysWOW64\Mhldbh32.exe Process not Found File created C:\Windows\SysWOW64\Qmbekjjm.dll Gaadfkgc.exe File created C:\Windows\SysWOW64\Fngdja32.dll Ohnebd32.exe File created C:\Windows\SysWOW64\Kbddfmgl.exe Kkjlic32.exe File created C:\Windows\SysWOW64\Ofcmimpk.dll Elgaeolp.exe File opened for modification C:\Windows\SysWOW64\Jpenfp32.exe Jepjhg32.exe File created C:\Windows\SysWOW64\Fbgdmb32.dll Process not Found File created C:\Windows\SysWOW64\Ekiapmnp.dll Process not Found File opened for modification C:\Windows\SysWOW64\Haaaaeim.exe Process not Found File created C:\Windows\SysWOW64\Nimmifgo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jqlefl32.exe Jnmijq32.exe File created C:\Windows\SysWOW64\Hnnhejgh.dll Pmoiqneg.exe File opened for modification C:\Windows\SysWOW64\Eofgpikj.exe Eiloco32.exe File created C:\Windows\SysWOW64\Cocopa32.dll Ekdnei32.exe File created C:\Windows\SysWOW64\Egohdegl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pmkofa32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mekgdl32.exe Moaogand.exe File opened for modification C:\Windows\SysWOW64\Npchgdcd.exe Nhlpfgbb.exe File opened for modification C:\Windows\SysWOW64\Hiipmhmk.exe Hemdlj32.exe File opened for modification C:\Windows\SysWOW64\Illfdc32.exe Iinjhh32.exe File created C:\Windows\SysWOW64\Imgicgca.exe Ifmqfm32.exe File created C:\Windows\SysWOW64\Bkafmd32.exe Bfendmoc.exe File created C:\Windows\SysWOW64\Dpphjp32.exe Dmalne32.exe File created C:\Windows\SysWOW64\Jkodhk32.exe Jeekkafl.exe File created C:\Windows\SysWOW64\Ijadbdoj.exe Igchfiof.exe File created C:\Windows\SysWOW64\Oeaoab32.exe Obcceg32.exe File created C:\Windows\SysWOW64\Knhebpni.dll Pcepkfld.exe File created C:\Windows\SysWOW64\Eofgpikj.exe Eiloco32.exe File opened for modification C:\Windows\SysWOW64\Nchjdo32.exe Nlnbgddc.exe File created C:\Windows\SysWOW64\Egneae32.dll Cqpbglno.exe File created C:\Windows\SysWOW64\Egjgdg32.dll Akepfpcl.exe File opened for modification C:\Windows\SysWOW64\Licfngjd.exe Lalnmiia.exe File created C:\Windows\SysWOW64\Qjpnpd32.dll Jjoiil32.exe File opened for modification C:\Windows\SysWOW64\Dnmhpg32.exe Chqogq32.exe File created C:\Windows\SysWOW64\Kncaec32.exe Kflide32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15684 11176 Process not Found 1351 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djdflp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Domdjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogpepl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afinioip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afkknogn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aleckinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afnqfkij.dll" Chqogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edbnqkga.dll" Lehaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onapdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadafn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbchba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhhpnaf.dll" Gdlfhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phhhhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgeihcme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncfmno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mngegmbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fedbbjgh.dll" Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlampmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjpnpd32.dll" Jjoiil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Addaif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnnkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofeei32.dll" Jnelok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} b41cce388ab412baf8d9e29c1236a300_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binlfp32.dll" Nqbpojnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gddinf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npjebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbileede.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hblkjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nljofl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lijlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll" Qnhahj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpglbfpm.dll" Mkohaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nclikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcaaddl.dll" Nimbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhnoefl.dll" Oeaoab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plbhknkl.dll" Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eejeiocj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdedak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjlic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodlnfco.dll" Nhokljge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flmqlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khbdikip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mimpolee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmigoagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfhllkp.dll" Holfoqcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdmpje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdfmlhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfepj32.dll" Ackigjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgefeajb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekodjiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknhkd32.dll" Gfeaopqo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjbfklei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpkmil32.dll" Cabomkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqdcnl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4896 wrote to memory of 2284 4896 b41cce388ab412baf8d9e29c1236a300_NEIKI.exe 80 PID 4896 wrote to memory of 2284 4896 b41cce388ab412baf8d9e29c1236a300_NEIKI.exe 80 PID 4896 wrote to memory of 2284 4896 b41cce388ab412baf8d9e29c1236a300_NEIKI.exe 80 PID 2284 wrote to memory of 3120 2284 Mibpda32.exe 81 PID 2284 wrote to memory of 3120 2284 Mibpda32.exe 81 PID 2284 wrote to memory of 3120 2284 Mibpda32.exe 81 PID 3120 wrote to memory of 3564 3120 Mlampmdo.exe 82 PID 3120 wrote to memory of 3564 3120 Mlampmdo.exe 82 PID 3120 wrote to memory of 3564 3120 Mlampmdo.exe 82 PID 3564 wrote to memory of 376 3564 Mplhql32.exe 83 PID 3564 wrote to memory of 376 3564 Mplhql32.exe 83 PID 3564 wrote to memory of 376 3564 Mplhql32.exe 83 PID 376 wrote to memory of 4564 376 Meiaib32.exe 84 PID 376 wrote to memory of 4564 376 Meiaib32.exe 84 PID 376 wrote to memory of 4564 376 Meiaib32.exe 84 PID 4564 wrote to memory of 4684 4564 Mcmabg32.exe 85 PID 4564 wrote to memory of 4684 4564 Mcmabg32.exe 85 PID 4564 wrote to memory of 4684 4564 Mcmabg32.exe 85 PID 4684 wrote to memory of 2940 4684 Migjoaaf.exe 86 PID 4684 wrote to memory of 2940 4684 Migjoaaf.exe 86 PID 4684 wrote to memory of 2940 4684 Migjoaaf.exe 86 PID 2940 wrote to memory of 2764 2940 Mpablkhc.exe 88 PID 2940 wrote to memory of 2764 2940 Mpablkhc.exe 88 PID 2940 wrote to memory of 2764 2940 Mpablkhc.exe 88 PID 2764 wrote to memory of 1084 2764 Mgkjhe32.exe 89 PID 2764 wrote to memory of 1084 2764 Mgkjhe32.exe 89 PID 2764 wrote to memory of 1084 2764 Mgkjhe32.exe 89 PID 1084 wrote to memory of 4824 1084 Miifeq32.exe 90 PID 1084 wrote to memory of 4824 1084 Miifeq32.exe 90 PID 1084 wrote to memory of 4824 1084 Miifeq32.exe 90 PID 4824 wrote to memory of 2156 4824 Ndokbi32.exe 91 PID 4824 wrote to memory of 2156 4824 Ndokbi32.exe 91 PID 4824 wrote to memory of 2156 4824 Ndokbi32.exe 91 PID 2156 wrote to memory of 1524 2156 Nilcjp32.exe 93 PID 2156 wrote to memory of 1524 2156 Nilcjp32.exe 93 PID 2156 wrote to memory of 1524 2156 Nilcjp32.exe 93 PID 1524 wrote to memory of 2364 1524 Nljofl32.exe 94 PID 1524 wrote to memory of 2364 1524 Nljofl32.exe 94 PID 1524 wrote to memory of 2364 1524 Nljofl32.exe 94 PID 2364 wrote to memory of 4484 2364 Nlmllkja.exe 95 PID 2364 wrote to memory of 4484 2364 Nlmllkja.exe 95 PID 2364 wrote to memory of 4484 2364 Nlmllkja.exe 95 PID 4484 wrote to memory of 1540 4484 Ndcdmikd.exe 96 PID 4484 wrote to memory of 1540 4484 Ndcdmikd.exe 96 PID 4484 wrote to memory of 1540 4484 Ndcdmikd.exe 96 PID 1540 wrote to memory of 4408 1540 Nnlhfn32.exe 98 PID 1540 wrote to memory of 4408 1540 Nnlhfn32.exe 98 PID 1540 wrote to memory of 4408 1540 Nnlhfn32.exe 98 PID 4408 wrote to memory of 2720 4408 Npjebj32.exe 99 PID 4408 wrote to memory of 2720 4408 Npjebj32.exe 99 PID 4408 wrote to memory of 2720 4408 Npjebj32.exe 99 PID 2720 wrote to memory of 4308 2720 Ngdmod32.exe 100 PID 2720 wrote to memory of 4308 2720 Ngdmod32.exe 100 PID 2720 wrote to memory of 4308 2720 Ngdmod32.exe 100 PID 4308 wrote to memory of 704 4308 Npmagine.exe 101 PID 4308 wrote to memory of 704 4308 Npmagine.exe 101 PID 4308 wrote to memory of 704 4308 Npmagine.exe 101 PID 704 wrote to memory of 2620 704 Nfjjppmm.exe 102 PID 704 wrote to memory of 2620 704 Nfjjppmm.exe 102 PID 704 wrote to memory of 2620 704 Nfjjppmm.exe 102 PID 2620 wrote to memory of 2144 2620 Olcbmj32.exe 103 PID 2620 wrote to memory of 2144 2620 Olcbmj32.exe 103 PID 2620 wrote to memory of 2144 2620 Olcbmj32.exe 103 PID 2144 wrote to memory of 1812 2144 Ogifjcdp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b41cce388ab412baf8d9e29c1236a300_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\b41cce388ab412baf8d9e29c1236a300_NEIKI.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\SysWOW64\Mibpda32.exeC:\Windows\system32\Mibpda32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Mplhql32.exeC:\Windows\system32\Mplhql32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Meiaib32.exeC:\Windows\system32\Meiaib32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Ndokbi32.exeC:\Windows\system32\Ndokbi32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\Nilcjp32.exeC:\Windows\system32\Nilcjp32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Ndcdmikd.exeC:\Windows\system32\Ndcdmikd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Npjebj32.exeC:\Windows\system32\Npjebj32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Ngdmod32.exeC:\Windows\system32\Ngdmod32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Npmagine.exeC:\Windows\system32\Npmagine.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Ogifjcdp.exeC:\Windows\system32\Ogifjcdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe23⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe24⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe25⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe26⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe27⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Odapnf32.exeC:\Windows\system32\Odapnf32.exe28⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe29⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe30⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe31⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe32⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe33⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe34⤵
- Executes dropped EXE
PID:180 -
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe35⤵PID:1724
-
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe37⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe38⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe39⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe40⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe41⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe42⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe43⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe44⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe45⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe46⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe47⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe48⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe49⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3128 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe51⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe52⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe53⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe54⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe55⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe56⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3472 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe58⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe59⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe60⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe61⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe62⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe63⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe64⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe65⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe66⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe67⤵PID:2812
-
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe68⤵PID:3644
-
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe69⤵PID:1824
-
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe70⤵PID:2936
-
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe71⤵PID:2312
-
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe72⤵PID:2844
-
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe73⤵PID:4820
-
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe74⤵PID:532
-
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe75⤵PID:1456
-
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe76⤵PID:1832
-
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe77⤵PID:3912
-
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3848 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe79⤵PID:4180
-
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe80⤵PID:2964
-
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4376 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe82⤵PID:824
-
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe83⤵PID:3468
-
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe84⤵PID:2632
-
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe85⤵PID:3436
-
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe86⤵PID:2912
-
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe87⤵PID:680
-
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe88⤵PID:956
-
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe89⤵PID:3600
-
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe90⤵PID:4956
-
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe91⤵PID:4164
-
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe92⤵PID:5068
-
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe93⤵PID:3688
-
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe94⤵PID:1836
-
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe95⤵
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe96⤵PID:3936
-
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe97⤵PID:1412
-
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe99⤵PID:4644
-
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe100⤵PID:2300
-
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe101⤵PID:2928
-
C:\Windows\SysWOW64\Emoinpcd.exeC:\Windows\system32\Emoinpcd.exe102⤵PID:3896
-
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe103⤵PID:4848
-
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe104⤵PID:2652
-
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe105⤵PID:2404
-
C:\Windows\SysWOW64\Eaonjngh.exeC:\Windows\system32\Eaonjngh.exe106⤵PID:2472
-
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe107⤵PID:2168
-
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe108⤵PID:4892
-
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe109⤵PID:1644
-
C:\Windows\SysWOW64\Fkllnbjc.exeC:\Windows\system32\Fkllnbjc.exe110⤵PID:5160
-
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe111⤵PID:5204
-
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe112⤵PID:5248
-
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe113⤵
- Modifies registry class
PID:5288 -
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5332 -
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe115⤵
- Modifies registry class
PID:5372 -
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe116⤵PID:5424
-
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe117⤵PID:5468
-
C:\Windows\SysWOW64\Fajnfl32.exeC:\Windows\system32\Fajnfl32.exe118⤵PID:5512
-
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe119⤵PID:5548
-
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe120⤵PID:5600
-
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5644
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-