Analysis
-
max time kernel
142s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 01:21
Behavioral task
behavioral1
Sample
bb181474faf941ff624f6197304d7190_NEIKI.exe
Resource
win7-20240508-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
bb181474faf941ff624f6197304d7190_NEIKI.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
bb181474faf941ff624f6197304d7190_NEIKI.exe
-
Size
115KB
-
MD5
bb181474faf941ff624f6197304d7190
-
SHA1
60548b671f453df4178a959e14cc3933e8694052
-
SHA256
2848d037c158d951c9f1a9cd99b6464befed7207cf40eade85ee73448b9a4292
-
SHA512
020ecbafcbb865672f7bdc972fb5cbc55f0c293cb79dff111fbaf7715048ccc62f12e716ab5667f8f54d059d2ece054421a3daf07a5fb86ef9c890a34b90bf5e
-
SSDEEP
3072:UQ9tsY01mGbGdbrIR/SoQUP5u30KqTKr4:B9aDLGhrIooQUPoDqTKE
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoifcnid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goiojk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggqoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmijbcpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjoankoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adapgfqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goiojk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldkojb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojopad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odpjcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdlnbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kboljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oflgep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcklgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkaiqf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Helfik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mckemg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeklkchg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdopod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqpego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocegdjij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ildkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqpgdfnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmficqpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nacbfdao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmfddnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbaemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjapmdid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbbkaako.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjlklok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofcmfodb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpocjdld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdina32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndaggimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djpnohej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnhekgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnocof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdhdajea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngbpidjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffggkgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofeilobp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjmgfgdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfdhkhjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gameonno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckedalaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcgbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfckahdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meiaib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcoenmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daekdooc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chcddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mibpda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldohebqh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdcoim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcgoilpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fooeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiaephpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpebpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhddjfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgcknmop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdelajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Himldi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojoign32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0007000000023435-32.dat family_berbew behavioral2/files/0x0007000000023439-48.dat family_berbew behavioral2/files/0x0007000000023446-95.dat family_berbew behavioral2/files/0x000700000002344a-106.dat family_berbew behavioral2/files/0x000700000002344c-120.dat family_berbew behavioral2/files/0x0007000000023450-135.dat family_berbew behavioral2/files/0x0007000000023458-162.dat family_berbew behavioral2/files/0x000700000002345a-176.dat family_berbew behavioral2/files/0x000700000002345c-184.dat family_berbew behavioral2/files/0x0007000000023460-200.dat family_berbew behavioral2/files/0x0007000000023462-208.dat family_berbew behavioral2/files/0x0007000000023464-216.dat family_berbew behavioral2/files/0x0007000000023468-233.dat family_berbew behavioral2/files/0x000700000002346c-247.dat family_berbew behavioral2/files/0x000700000002346f-256.dat family_berbew behavioral2/files/0x00070000000234a2-414.dat family_berbew behavioral2/files/0x00070000000234bd-492.dat family_berbew behavioral2/files/0x00070000000234c5-515.dat family_berbew behavioral2/files/0x0007000000023515-787.dat family_berbew behavioral2/files/0x000700000002351d-813.dat family_berbew behavioral2/files/0x0007000000023581-1170.dat family_berbew behavioral2/files/0x00070000000235c4-1382.dat family_berbew behavioral2/files/0x000700000002360c-1636.dat family_berbew behavioral2/files/0x000700000002361c-1688.dat family_berbew behavioral2/files/0x0007000000023648-1836.dat family_berbew behavioral2/files/0x000700000002366b-1950.dat family_berbew behavioral2/files/0x000700000002369b-2105.dat family_berbew behavioral2/files/0x00070000000236a5-2138.dat family_berbew behavioral2/files/0x00070000000236db-2314.dat family_berbew behavioral2/files/0x0007000000023713-2497.dat family_berbew behavioral2/files/0x000700000002371f-2537.dat family_berbew behavioral2/files/0x000700000002372f-2590.dat family_berbew behavioral2/files/0x0007000000023741-2650.dat family_berbew behavioral2/files/0x0007000000023747-2670.dat family_berbew behavioral2/files/0x0007000000023759-2729.dat family_berbew behavioral2/files/0x0007000000023780-2856.dat family_berbew behavioral2/files/0x0007000000023769-2783.dat family_berbew behavioral2/files/0x0007000000023761-2756.dat family_berbew behavioral2/files/0x0007000000023794-2925.dat family_berbew behavioral2/files/0x0007000000023798-2938.dat family_berbew behavioral2/files/0x00070000000237d8-3111.dat family_berbew behavioral2/files/0x0007000000023806-3226.dat family_berbew behavioral2/files/0x0007000000023ad3-5007.dat family_berbew behavioral2/files/0x0007000000023b5d-5353.dat family_berbew behavioral2/files/0x0007000000023b49-5304.dat family_berbew behavioral2/files/0x0007000000023b3f-5278.dat family_berbew behavioral2/files/0x0007000000023b37-5259.dat family_berbew behavioral2/files/0x0007000000023b2f-5239.dat family_berbew behavioral2/files/0x0007000000023b1f-5199.dat family_berbew behavioral2/files/0x0007000000023b17-5179.dat family_berbew behavioral2/files/0x0007000000023afd-5114.dat family_berbew behavioral2/files/0x0007000000023aed-5073.dat family_berbew behavioral2/files/0x0007000000023abd-4951.dat family_berbew behavioral2/files/0x0007000000023aa7-4896.dat family_berbew behavioral2/files/0x0007000000023a9d-4871.dat family_berbew behavioral2/files/0x0007000000023a99-4860.dat family_berbew behavioral2/files/0x0007000000023a7f-4795.dat family_berbew behavioral2/files/0x0007000000023a75-4770.dat family_berbew behavioral2/files/0x0007000000023a5d-4710.dat family_berbew behavioral2/files/0x0007000000023a56-4690.dat family_berbew behavioral2/files/0x0007000000023a3f-4635.dat family_berbew behavioral2/files/0x0007000000023a39-4620.dat family_berbew behavioral2/files/0x0007000000023a03-4486.dat family_berbew behavioral2/files/0x00070000000239fd-4469.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2264 Cefemliq.exe 1880 Cibank32.exe 1300 Clqnjf32.exe 4564 Cpljkdig.exe 3648 Ccjfgphj.exe 4120 Camfbm32.exe 1052 Cidncj32.exe 4212 Clckpf32.exe 1324 Cpofpdgd.exe 3460 Ccmclp32.exe 3588 Cekohk32.exe 4272 Dlegeemh.exe 4688 Dpacfd32.exe 1732 Dcopbp32.exe 1656 Denlnk32.exe 1592 Dhlhjf32.exe 4608 Dpcpkc32.exe 4904 Dephckaf.exe 1600 Dhnepfpj.exe 2500 Dljqpd32.exe 3208 Dcdimopp.exe 1960 Dagiil32.exe 3064 Djnaji32.exe 544 Dllmfd32.exe 808 Dokjbp32.exe 688 Daifnk32.exe 1400 Djpnohej.exe 2996 Dlojkddn.exe 2868 Dchbhn32.exe 788 Ejbkehcg.exe 4364 Elagacbk.exe 4960 Eoocmoao.exe 864 Ebnoikqb.exe 3868 Efikji32.exe 4696 Ehhgfdho.exe 2652 Eoapbo32.exe 2140 Ebploj32.exe 4468 Eflhoigi.exe 4884 Eleplc32.exe 4528 Eqalmafo.exe 2332 Ecphimfb.exe 4508 Efneehef.exe 852 Ejjqeg32.exe 1348 Elhmablc.exe 3092 Eofinnkf.exe 3268 Ebeejijj.exe 3332 Ejlmkgkl.exe 1672 Eoifcnid.exe 3788 Fbgbpihg.exe 736 Ffbnph32.exe 2420 Fhajlc32.exe 3652 Fqhbmqqg.exe 4908 Fokbim32.exe 1200 Fcgoilpj.exe 3260 Ffekegon.exe 4300 Fjqgff32.exe 2352 Fmocba32.exe 940 Fcikolnh.exe 4808 Ffggkgmk.exe 3912 Fifdgblo.exe 4432 Fopldmcl.exe 1772 Fbnhphbp.exe 3724 Ffjdqg32.exe 856 Fmclmabe.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cmiflbel.exe Cnffqf32.exe File opened for modification C:\Windows\SysWOW64\Dopigd32.exe Djdmffnn.exe File opened for modification C:\Windows\SysWOW64\Fohoigfh.exe Fljcmlfd.exe File opened for modification C:\Windows\SysWOW64\Fojlngce.exe Fkopnh32.exe File opened for modification C:\Windows\SysWOW64\Jlpkba32.exe Jmmjgejj.exe File created C:\Windows\SysWOW64\Beglgani.exe Balpgb32.exe File opened for modification C:\Windows\SysWOW64\Hkdbpe32.exe Hmabdibj.exe File created C:\Windows\SysWOW64\Cbeedbdm.dll Lmppcbjd.exe File opened for modification C:\Windows\SysWOW64\Ocgmpccl.exe Oddmdf32.exe File opened for modification C:\Windows\SysWOW64\Pqdqof32.exe Pnfdcjkg.exe File opened for modification C:\Windows\SysWOW64\Jfdida32.exe Jdemhe32.exe File opened for modification C:\Windows\SysWOW64\Kkbkamnl.exe Kckbqpnj.exe File opened for modification C:\Windows\SysWOW64\Eleiam32.exe Ehimanbq.exe File created C:\Windows\SysWOW64\Ehljfnpn.exe Edpnfo32.exe File created C:\Windows\SysWOW64\Keblci32.dll Ipknlb32.exe File created C:\Windows\SysWOW64\Ecaobgnf.dll Mlopkm32.exe File opened for modification C:\Windows\SysWOW64\Mibpda32.exe Mgddhf32.exe File created C:\Windows\SysWOW64\Fibbmq32.dll Neeqea32.exe File opened for modification C:\Windows\SysWOW64\Ebeejijj.exe Eofinnkf.exe File created C:\Windows\SysWOW64\Kpjjod32.exe Kagichjo.exe File created C:\Windows\SysWOW64\Dnkdikig.dll Ldkojb32.exe File created C:\Windows\SysWOW64\Pclneicb.exe Peimil32.exe File created C:\Windows\SysWOW64\Gfghpl32.dll Dhocqigp.exe File created C:\Windows\SysWOW64\Agffge32.exe Aegikj32.exe File created C:\Windows\SysWOW64\Bhgejlhj.dll Bhfonc32.exe File opened for modification C:\Windows\SysWOW64\Kiidgeki.exe Kemhff32.exe File created C:\Windows\SysWOW64\Hfanhp32.dll Cegdnopg.exe File created C:\Windows\SysWOW64\Bahmfj32.exe Abemjmgg.exe File created C:\Windows\SysWOW64\Facagg32.dll Bopgjmhe.exe File created C:\Windows\SysWOW64\Fcfhof32.exe Fojlngce.exe File created C:\Windows\SysWOW64\Docjlc32.dll Ikpaldog.exe File created C:\Windows\SysWOW64\Pellipfm.dll Lmccchkn.exe File created C:\Windows\SysWOW64\Geegicjl.dll Mglack32.exe File opened for modification C:\Windows\SysWOW64\Occkojkm.exe Odpjcm32.exe File opened for modification C:\Windows\SysWOW64\Qgallfcq.exe Qcepkg32.exe File created C:\Windows\SysWOW64\Akmfnc32.dll Bnhjohkb.exe File opened for modification C:\Windows\SysWOW64\Cegdnopg.exe Calhnpgn.exe File created C:\Windows\SysWOW64\Ageolo32.exe Adgbpc32.exe File opened for modification C:\Windows\SysWOW64\Akichh32.dll Bgcknmop.exe File created C:\Windows\SysWOW64\Cfbkeh32.exe Chokikeb.exe File opened for modification C:\Windows\SysWOW64\Balfaiil.exe Bnnjen32.exe File opened for modification C:\Windows\SysWOW64\Baocghgi.exe Bopgjmhe.exe File created C:\Windows\SysWOW64\Lmgfda32.exe Likjcbkc.exe File created C:\Windows\SysWOW64\Nepgjaeg.exe Ngmgne32.exe File created C:\Windows\SysWOW64\Ndokbi32.exe Npcoakfp.exe File opened for modification C:\Windows\SysWOW64\Dmefhako.exe Dobfld32.exe File created C:\Windows\SysWOW64\Denlnk32.exe Dcopbp32.exe File created C:\Windows\SysWOW64\Pjoheljj.dll Pjkombfj.exe File created C:\Windows\SysWOW64\Pkjlge32.exe Pgopffec.exe File created C:\Windows\SysWOW64\Hbgmcnhf.exe Hcdmga32.exe File created C:\Windows\SysWOW64\Eoocmoao.exe Elagacbk.exe File created C:\Windows\SysWOW64\Lmccchkn.exe Liggbi32.exe File created C:\Windows\SysWOW64\Bnecbhin.dll Mipcob32.exe File opened for modification C:\Windows\SysWOW64\Dhmgki32.exe Ddakjkqi.exe File created C:\Windows\SysWOW64\Pnfkma32.exe Pjkombfj.exe File created C:\Windows\SysWOW64\Eghpcp32.dll Mcmabg32.exe File opened for modification C:\Windows\SysWOW64\Cfpnph32.exe Chmndlge.exe File created C:\Windows\SysWOW64\Dgbdlf32.exe Dhocqigp.exe File created C:\Windows\SysWOW64\Qonnknli.dll Ccmclp32.exe File opened for modification C:\Windows\SysWOW64\Ehhgfdho.exe Efikji32.exe File created C:\Windows\SysWOW64\Iedonm32.dll Ehhgfdho.exe File created C:\Windows\SysWOW64\Jjmhppqd.exe Jbfpobpb.exe File created C:\Windows\SysWOW64\Mpaifalo.exe Mncmjfmk.exe File created C:\Windows\SysWOW64\Obdkma32.exe Onholckc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 19384 19132 WerFault.exe 1049 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqiogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckcgkldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmamoe32.dll" Jianff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbhoqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbdolh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbmfoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpaifalo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cklaknjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgoikdb.dll" Ipbdmaah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnebeogl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll" Ogifjcdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onholckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjahg32.dll" Gmjlcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcimkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ildkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dljqpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qalnjkgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll" Hibljoco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mipcob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll" Ocdqjceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll" Gogbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll" Ngedij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiagblgj.dll" Dchbhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobgoedj.dll" Ejbkehcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldaeka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbgmcnhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miifeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nepgjaeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll" Pjmehkqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjpckf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjmoibog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lphfpbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pllfhkno.dll" Bhdbhcck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkidenlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll" Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibccic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll" Mgghhlhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaiapmca.dll" Njfmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocqqdjh.dll" Daaicfgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmoliohh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odpjcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceipnc32.dll" Qnkdhpjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iakaql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll" Mlefklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcgffqei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll" Bnbmefbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofeilobp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bffkij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obfhba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npibja32.dll" Ilidbbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcbihpel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmgfda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nngokoej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngpccdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfdhkhjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfeqknj.dll" Gkoiefmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojoign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpgkkioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaqcbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmgdgjek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjgia32.dll" Agffge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceaehfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geplnioe.dll" Fomhdg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2444 wrote to memory of 2264 2444 bb181474faf941ff624f6197304d7190_NEIKI.exe 82 PID 2444 wrote to memory of 2264 2444 bb181474faf941ff624f6197304d7190_NEIKI.exe 82 PID 2444 wrote to memory of 2264 2444 bb181474faf941ff624f6197304d7190_NEIKI.exe 82 PID 2264 wrote to memory of 1880 2264 Cefemliq.exe 83 PID 2264 wrote to memory of 1880 2264 Cefemliq.exe 83 PID 2264 wrote to memory of 1880 2264 Cefemliq.exe 83 PID 1880 wrote to memory of 1300 1880 Cibank32.exe 84 PID 1880 wrote to memory of 1300 1880 Cibank32.exe 84 PID 1880 wrote to memory of 1300 1880 Cibank32.exe 84 PID 1300 wrote to memory of 4564 1300 Clqnjf32.exe 85 PID 1300 wrote to memory of 4564 1300 Clqnjf32.exe 85 PID 1300 wrote to memory of 4564 1300 Clqnjf32.exe 85 PID 4564 wrote to memory of 3648 4564 Cpljkdig.exe 86 PID 4564 wrote to memory of 3648 4564 Cpljkdig.exe 86 PID 4564 wrote to memory of 3648 4564 Cpljkdig.exe 86 PID 3648 wrote to memory of 4120 3648 Ccjfgphj.exe 87 PID 3648 wrote to memory of 4120 3648 Ccjfgphj.exe 87 PID 3648 wrote to memory of 4120 3648 Ccjfgphj.exe 87 PID 4120 wrote to memory of 1052 4120 Camfbm32.exe 88 PID 4120 wrote to memory of 1052 4120 Camfbm32.exe 88 PID 4120 wrote to memory of 1052 4120 Camfbm32.exe 88 PID 1052 wrote to memory of 4212 1052 Cidncj32.exe 89 PID 1052 wrote to memory of 4212 1052 Cidncj32.exe 89 PID 1052 wrote to memory of 4212 1052 Cidncj32.exe 89 PID 4212 wrote to memory of 1324 4212 Clckpf32.exe 90 PID 4212 wrote to memory of 1324 4212 Clckpf32.exe 90 PID 4212 wrote to memory of 1324 4212 Clckpf32.exe 90 PID 1324 wrote to memory of 3460 1324 Cpofpdgd.exe 91 PID 1324 wrote to memory of 3460 1324 Cpofpdgd.exe 91 PID 1324 wrote to memory of 3460 1324 Cpofpdgd.exe 91 PID 3460 wrote to memory of 3588 3460 Ccmclp32.exe 93 PID 3460 wrote to memory of 3588 3460 Ccmclp32.exe 93 PID 3460 wrote to memory of 3588 3460 Ccmclp32.exe 93 PID 3588 wrote to memory of 4272 3588 Cekohk32.exe 94 PID 3588 wrote to memory of 4272 3588 Cekohk32.exe 94 PID 3588 wrote to memory of 4272 3588 Cekohk32.exe 94 PID 4272 wrote to memory of 4688 4272 Dlegeemh.exe 95 PID 4272 wrote to memory of 4688 4272 Dlegeemh.exe 95 PID 4272 wrote to memory of 4688 4272 Dlegeemh.exe 95 PID 4688 wrote to memory of 1732 4688 Dpacfd32.exe 96 PID 4688 wrote to memory of 1732 4688 Dpacfd32.exe 96 PID 4688 wrote to memory of 1732 4688 Dpacfd32.exe 96 PID 1732 wrote to memory of 1656 1732 Dcopbp32.exe 98 PID 1732 wrote to memory of 1656 1732 Dcopbp32.exe 98 PID 1732 wrote to memory of 1656 1732 Dcopbp32.exe 98 PID 1656 wrote to memory of 1592 1656 Denlnk32.exe 99 PID 1656 wrote to memory of 1592 1656 Denlnk32.exe 99 PID 1656 wrote to memory of 1592 1656 Denlnk32.exe 99 PID 1592 wrote to memory of 4608 1592 Dhlhjf32.exe 100 PID 1592 wrote to memory of 4608 1592 Dhlhjf32.exe 100 PID 1592 wrote to memory of 4608 1592 Dhlhjf32.exe 100 PID 4608 wrote to memory of 4904 4608 Dpcpkc32.exe 101 PID 4608 wrote to memory of 4904 4608 Dpcpkc32.exe 101 PID 4608 wrote to memory of 4904 4608 Dpcpkc32.exe 101 PID 4904 wrote to memory of 1600 4904 Dephckaf.exe 103 PID 4904 wrote to memory of 1600 4904 Dephckaf.exe 103 PID 4904 wrote to memory of 1600 4904 Dephckaf.exe 103 PID 1600 wrote to memory of 2500 1600 Dhnepfpj.exe 104 PID 1600 wrote to memory of 2500 1600 Dhnepfpj.exe 104 PID 1600 wrote to memory of 2500 1600 Dhnepfpj.exe 104 PID 2500 wrote to memory of 3208 2500 Dljqpd32.exe 105 PID 2500 wrote to memory of 3208 2500 Dljqpd32.exe 105 PID 2500 wrote to memory of 3208 2500 Dljqpd32.exe 105 PID 3208 wrote to memory of 1960 3208 Dcdimopp.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb181474faf941ff624f6197304d7190_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\bb181474faf941ff624f6197304d7190_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Cefemliq.exeC:\Windows\system32\Cefemliq.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Cibank32.exeC:\Windows\system32\Cibank32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Clqnjf32.exeC:\Windows\system32\Clqnjf32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Clckpf32.exeC:\Windows\system32\Clckpf32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Dhnepfpj.exeC:\Windows\system32\Dhnepfpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe23⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe24⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe25⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe26⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe27⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Dlojkddn.exeC:\Windows\system32\Dlojkddn.exe29⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:788 -
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4364 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe33⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe34⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3868 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4696 -
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe37⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe38⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe39⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe40⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe41⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe42⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe43⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe44⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe45⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3092 -
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe47⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe48⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe50⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe51⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe52⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe53⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe54⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe56⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe57⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe58⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe59⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe61⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe62⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe63⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe64⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe65⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe66⤵PID:3476
-
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe67⤵PID:928
-
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe68⤵PID:3492
-
C:\Windows\SysWOW64\Fjhmgeao.exeC:\Windows\system32\Fjhmgeao.exe69⤵PID:3384
-
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4292 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe71⤵PID:3916
-
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe72⤵PID:4360
-
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe73⤵PID:4400
-
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe74⤵PID:2976
-
C:\Windows\SysWOW64\Gogbdl32.exeC:\Windows\system32\Gogbdl32.exe75⤵
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe76⤵PID:3764
-
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe77⤵PID:5024
-
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe78⤵PID:5116
-
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Gbgkfg32.exeC:\Windows\system32\Gbgkfg32.exe80⤵PID:3428
-
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe81⤵PID:4864
-
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe82⤵PID:3416
-
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe83⤵PID:4240
-
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3136 -
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe85⤵
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1608 -
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe87⤵PID:3996
-
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe88⤵PID:5164
-
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe89⤵PID:5212
-
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5256 -
C:\Windows\SysWOW64\Hclakimb.exeC:\Windows\system32\Hclakimb.exe91⤵PID:5304
-
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe92⤵PID:5348
-
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe93⤵PID:5392
-
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe94⤵PID:5440
-
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe95⤵PID:5484
-
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe96⤵PID:5532
-
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe97⤵PID:5576
-
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe98⤵PID:5620
-
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe99⤵PID:5664
-
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe100⤵PID:5708
-
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe101⤵PID:5752
-
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe102⤵PID:5792
-
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe103⤵PID:5832
-
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe104⤵PID:5884
-
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe105⤵PID:5924
-
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe106⤵
- Modifies registry class
PID:5964 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe107⤵PID:6012
-
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe108⤵PID:6056
-
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe109⤵
- Modifies registry class
PID:6104 -
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe110⤵PID:4348
-
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe111⤵PID:436
-
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe112⤵PID:5268
-
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe113⤵PID:5340
-
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe114⤵PID:3444
-
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe115⤵
- Modifies registry class
PID:5508 -
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe116⤵PID:5600
-
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe117⤵PID:5656
-
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe118⤵PID:5716
-
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe119⤵PID:5784
-
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe120⤵PID:5840
-
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe121⤵PID:5912
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-