Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 01:25
Behavioral task
behavioral1
Sample
bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe
-
Size
240KB
-
MD5
bc1ba1d0dafe06d87d01da11301d7910
-
SHA1
2d8646477b69bf6cfc2a32775f0b80c95f5f1d5a
-
SHA256
ed6bf88e4ae990bb275d09bbb9ac49e5076d052cce03bc399f9ee575380f82ab
-
SHA512
0126213e40a102aec1757271ff78feef706527b16206d2a7d95f175e0e6e5102f166036f07456fbd7c8c81ad1146567f62a8b21d3fc75c6ddf4c1178719edc51
-
SSDEEP
6144:aN/Woqn5dXBxfsOqpooEcAJN+SYSUZCb6M3W8DStQUkA1FiHwSD:KWtn5NXJotycSly8DSUA1YHVD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeempocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mggpgmof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmceigep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chnqkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfmdho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhkcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefeijle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbkknojp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llnofpcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odobjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgljfbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnkbdlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkmmhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hellne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmhmpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldlqakb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqideepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Blgpef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bebkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nncahjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpdbloof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcbjgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkopcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cljcelan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejgcdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcihlong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkbhgojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amfcikek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlfdkoin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iblpjdpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnippoha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfegbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Affhncfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afmonbqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbpodagk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdamqndn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbhke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkommo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnbhek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pijbfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdpjlajk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nondgn32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000b0000000143e5-5.dat family_berbew behavioral1/files/0x000700000001487f-22.dat family_berbew behavioral1/files/0x0007000000014b18-34.dat family_berbew behavioral1/files/0x000a000000014bbc-47.dat family_berbew behavioral1/files/0x0006000000015cd9-61.dat family_berbew behavioral1/files/0x0006000000015cff-81.dat family_berbew behavioral1/files/0x0006000000015d42-94.dat family_berbew behavioral1/files/0x0006000000015d56-108.dat family_berbew behavioral1/files/0x0006000000015d6b-121.dat family_berbew behavioral1/files/0x0006000000015d87-131.dat family_berbew behavioral1/files/0x0006000000015f65-162.dat family_berbew behavioral1/files/0x000600000001610f-173.dat family_berbew behavioral1/files/0x000600000001630a-184.dat family_berbew behavioral1/files/0x0006000000016851-212.dat family_berbew behavioral1/files/0x0006000000016c64-239.dat family_berbew behavioral1/files/0x00090000000146fc-300.dat family_berbew behavioral1/files/0x00060000000173d0-355.dat family_berbew behavioral1/files/0x0006000000018b5c-420.dat family_berbew behavioral1/files/0x0005000000019414-472.dat family_berbew behavioral1/files/0x0005000000019453-495.dat family_berbew behavioral1/files/0x00050000000194ad-510.dat family_berbew behavioral1/files/0x00050000000195ab-530.dat family_berbew behavioral1/files/0x000500000001960e-552.dat family_berbew behavioral1/files/0x0005000000019618-574.dat family_berbew behavioral1/files/0x0005000000019624-618.dat family_berbew behavioral1/files/0x000500000001966d-627.dat family_berbew behavioral1/files/0x000500000001980d-649.dat family_berbew behavioral1/files/0x0005000000019ddd-706.dat family_berbew behavioral1/files/0x000500000001a453-771.dat family_berbew behavioral1/files/0x000500000001a4c5-828.dat family_berbew behavioral1/files/0x000500000001a4f8-971.dat family_berbew behavioral1/files/0x000500000001a50b-1022.dat family_berbew behavioral1/files/0x000500000001a84a-1059.dat family_berbew behavioral1/files/0x000500000001c763-1098.dat family_berbew behavioral1/files/0x000500000001c892-1152.dat family_berbew behavioral1/files/0x000500000001c89f-1193.dat family_berbew behavioral1/files/0x000500000001c8b8-1258.dat family_berbew behavioral1/files/0x000500000001c8c0-1276.dat family_berbew behavioral1/files/0x000400000001c942-1309.dat family_berbew behavioral1/files/0x000400000001c946-1322.dat family_berbew behavioral1/files/0x000400000001c972-1395.dat family_berbew behavioral1/files/0x000400000001ca1d-1407.dat family_berbew behavioral1/files/0x000400000001cb5a-1438.dat family_berbew behavioral1/files/0x000400000001cb75-1456.dat family_berbew behavioral1/files/0x000400000001cb8d-1485.dat family_berbew behavioral1/files/0x000400000001cba9-1527.dat family_berbew behavioral1/files/0x000400000001cbbd-1542.dat family_berbew behavioral1/files/0x000400000001cbdd-1585.dat family_berbew behavioral1/files/0x000400000001cc20-1625.dat family_berbew behavioral1/files/0x000400000001cc40-1647.dat family_berbew behavioral1/files/0x000400000001cc95-1665.dat family_berbew behavioral1/files/0x000400000001cc98-1672.dat family_berbew behavioral1/files/0x000400000001cc9d-1688.dat family_berbew behavioral1/files/0x000400000001ced9-1779.dat family_berbew behavioral1/files/0x000400000001cf7e-1804.dat family_berbew behavioral1/files/0x000400000001d007-1820.dat family_berbew behavioral1/files/0x000400000001d3bb-1941.dat family_berbew behavioral1/files/0x000400000001d3d0-1966.dat family_berbew behavioral1/files/0x000400000001d3e7-1989.dat family_berbew behavioral1/files/0x000400000001d3fe-2014.dat family_berbew behavioral1/files/0x000400000001d530-2039.dat family_berbew behavioral1/files/0x000400000001d6ce-2062.dat family_berbew behavioral1/files/0x000400000001d725-2078.dat family_berbew behavioral1/files/0x000400000001d7b8-2137.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1068 Mkjica32.exe 1260 Mdcnlglc.exe 2504 Mkmfhacp.exe 2552 Mnkbdlbd.exe 2616 Mdejaf32.exe 2512 Njbcim32.exe 2520 Ndgggf32.exe 2888 Nkaocp32.exe 1508 Nnplpl32.exe 2288 Npnhlg32.exe 2164 Ncmdhb32.exe 1528 Nnbhek32.exe 2500 Nqqdag32.exe 2440 Ngkmnacm.exe 2860 Nlgefh32.exe 1420 Ncancbha.exe 2824 Nbdnoo32.exe 1696 Njkfpl32.exe 1204 Nkmbgdfl.exe 2248 Nohnhc32.exe 1792 Ofbfdmeb.exe 2852 Ohqbqhde.exe 1540 Omloag32.exe 2356 Onmkio32.exe 2000 Obigjnkf.exe 2036 Odgcfijj.exe 2608 Okalbc32.exe 2672 Obkdonic.exe 2656 Oiellh32.exe 2396 Oghlgdgk.exe 2408 Ojficpfn.exe 1744 Obnqem32.exe 1604 Ocomlemo.exe 884 Okfencna.exe 1564 Ondajnme.exe 3056 Oenifh32.exe 1920 Ogmfbd32.exe 1544 Ojkboo32.exe 1456 Ongnonkb.exe 1136 Paejki32.exe 2228 Pccfge32.exe 1952 Pfbccp32.exe 1772 Pipopl32.exe 880 Paggai32.exe 1716 Ppjglfon.exe 568 Pbiciana.exe 948 Pjpkjond.exe 2548 Pmnhfjmg.exe 2544 Plahag32.exe 2320 Pchpbded.exe 2736 Pfflopdh.exe 2688 Piehkkcl.exe 1496 Pmqdkj32.exe 1968 Ppoqge32.exe 2676 Pnbacbac.exe 2172 Pfiidobe.exe 684 Pelipl32.exe 2364 Pigeqkai.exe 1128 Plfamfpm.exe 2116 Ppamme32.exe 2808 Pbpjiphi.exe 788 Penfelgm.exe 2184 Pijbfj32.exe 2108 Qhmbagfa.exe -
Loads dropped DLL 64 IoCs
pid Process 2004 bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe 2004 bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe 1068 Mkjica32.exe 1068 Mkjica32.exe 1260 Mdcnlglc.exe 1260 Mdcnlglc.exe 2504 Mkmfhacp.exe 2504 Mkmfhacp.exe 2552 Mnkbdlbd.exe 2552 Mnkbdlbd.exe 2616 Mdejaf32.exe 2616 Mdejaf32.exe 2512 Njbcim32.exe 2512 Njbcim32.exe 2520 Ndgggf32.exe 2520 Ndgggf32.exe 2888 Nkaocp32.exe 2888 Nkaocp32.exe 1508 Nnplpl32.exe 1508 Nnplpl32.exe 2288 Npnhlg32.exe 2288 Npnhlg32.exe 2164 Ncmdhb32.exe 2164 Ncmdhb32.exe 1528 Nnbhek32.exe 1528 Nnbhek32.exe 2500 Nqqdag32.exe 2500 Nqqdag32.exe 2440 Ngkmnacm.exe 2440 Ngkmnacm.exe 2860 Nlgefh32.exe 2860 Nlgefh32.exe 1420 Ncancbha.exe 1420 Ncancbha.exe 2824 Nbdnoo32.exe 2824 Nbdnoo32.exe 1696 Njkfpl32.exe 1696 Njkfpl32.exe 1204 Nkmbgdfl.exe 1204 Nkmbgdfl.exe 2248 Nohnhc32.exe 2248 Nohnhc32.exe 1792 Ofbfdmeb.exe 1792 Ofbfdmeb.exe 2852 Ohqbqhde.exe 2852 Ohqbqhde.exe 1540 Omloag32.exe 1540 Omloag32.exe 2356 Onmkio32.exe 2356 Onmkio32.exe 2000 Obigjnkf.exe 2000 Obigjnkf.exe 2036 Odgcfijj.exe 2036 Odgcfijj.exe 2608 Okalbc32.exe 2608 Okalbc32.exe 2672 Obkdonic.exe 2672 Obkdonic.exe 2656 Oiellh32.exe 2656 Oiellh32.exe 2396 Oghlgdgk.exe 2396 Oghlgdgk.exe 2408 Ojficpfn.exe 2408 Ojficpfn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cljcelan.exe Cngcjo32.exe File created C:\Windows\SysWOW64\Enlbgc32.dll Hiekid32.exe File opened for modification C:\Windows\SysWOW64\Albjlcao.exe Ahgnke32.exe File opened for modification C:\Windows\SysWOW64\Abmbhn32.exe Anafhopc.exe File created C:\Windows\SysWOW64\Coelaaoi.exe Ckjpacfp.exe File created C:\Windows\SysWOW64\Gghcajge.dll bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe File created C:\Windows\SysWOW64\Anlmmp32.exe Apimacnn.exe File opened for modification C:\Windows\SysWOW64\Kaceodek.exe Kbqecg32.exe File opened for modification C:\Windows\SysWOW64\Ghlpli32.dll Ihankokm.exe File opened for modification C:\Windows\SysWOW64\Jonplmcb.exe Jkbcln32.exe File created C:\Windows\SysWOW64\Pogjpc32.dll Kafbec32.exe File created C:\Windows\SysWOW64\Onjnkb32.dll Aaaoij32.exe File created C:\Windows\SysWOW64\Ecmkghcl.exe Eihfjo32.exe File created C:\Windows\SysWOW64\Kcfdakpf.dll Emeopn32.exe File created C:\Windows\SysWOW64\Hkkmeglp.dll Hkpnhgge.exe File opened for modification C:\Windows\SysWOW64\Kblhgk32.exe Kcihlong.exe File created C:\Windows\SysWOW64\Ajenen32.dll Plahag32.exe File created C:\Windows\SysWOW64\Akodpalp.dll Kjnfniii.exe File opened for modification C:\Windows\SysWOW64\Chpmpg32.exe Cddaphkn.exe File opened for modification C:\Windows\SysWOW64\Dhjgal32.exe Ddokpmfo.exe File created C:\Windows\SysWOW64\Lkoacn32.dll Mlibjc32.exe File opened for modification C:\Windows\SysWOW64\Bpiipf32.exe Bioqclil.exe File created C:\Windows\SysWOW64\Mclgfa32.dll Bbjbaa32.exe File created C:\Windows\SysWOW64\Cddfocpb.dll Kcdnao32.exe File created C:\Windows\SysWOW64\Olndbg32.dll Fpdhklkl.exe File created C:\Windows\SysWOW64\Aloeodfi.dll Ffpmnf32.exe File opened for modification C:\Windows\SysWOW64\Fmlapp32.exe Fiaeoang.exe File created C:\Windows\SysWOW64\Gbijhg32.exe Gonnhhln.exe File opened for modification C:\Windows\SysWOW64\Kemejc32.exe Jbnhng32.exe File opened for modification C:\Windows\SysWOW64\Cahail32.exe Cnmehnan.exe File opened for modification C:\Windows\SysWOW64\Fpdhklkl.exe Faagpp32.exe File created C:\Windows\SysWOW64\Fmnhkk32.dll Pipopl32.exe File created C:\Windows\SysWOW64\Mjccnjpk.dll Aplpai32.exe File created C:\Windows\SysWOW64\Cciemedf.exe Comimg32.exe File opened for modification C:\Windows\SysWOW64\Ffbicfoc.exe Fbgmbg32.exe File opened for modification C:\Windows\SysWOW64\Hdhbam32.exe Hpmgqnfl.exe File opened for modification C:\Windows\SysWOW64\Olpdjf32.exe Onmdoioa.exe File created C:\Windows\SysWOW64\Aamfnkai.exe Abjebn32.exe File opened for modification C:\Windows\SysWOW64\Ogmfbd32.exe Oenifh32.exe File created C:\Windows\SysWOW64\Ccahbp32.exe Coelaaoi.exe File created C:\Windows\SysWOW64\Dcfdgiid.exe Ddcdkl32.exe File opened for modification C:\Windows\SysWOW64\Dcfdgiid.exe Ddcdkl32.exe File created C:\Windows\SysWOW64\Jicgpb32.exe Jfekcg32.exe File opened for modification C:\Windows\SysWOW64\Aekodi32.exe Aaobdjof.exe File created C:\Windows\SysWOW64\Dlkaflan.dll Dfoqmo32.exe File created C:\Windows\SysWOW64\Cbkeib32.exe Cciemedf.exe File created C:\Windows\SysWOW64\Omeope32.dll Clcflkic.exe File created C:\Windows\SysWOW64\Bmoado32.dll Imfqjbli.exe File created C:\Windows\SysWOW64\Kcfkfo32.exe Kpkofpgq.exe File opened for modification C:\Windows\SysWOW64\Ojcecjee.exe Ofhick32.exe File opened for modification C:\Windows\SysWOW64\Qfokbnip.exe Qabcjgkh.exe File opened for modification C:\Windows\SysWOW64\Pnbacbac.exe Ppoqge32.exe File created C:\Windows\SysWOW64\Fncann32.dll Dhmcfkme.exe File opened for modification C:\Windows\SysWOW64\Lijjoe32.exe Lflmci32.exe File opened for modification C:\Windows\SysWOW64\Bbhela32.exe Bpiipf32.exe File opened for modification C:\Windows\SysWOW64\Cghggc32.exe Cclkfdnc.exe File created C:\Windows\SysWOW64\Cndbcc32.exe Cobbhfhg.exe File opened for modification C:\Windows\SysWOW64\Bloqah32.exe Bhcdaibd.exe File created C:\Windows\SysWOW64\Hppiecpn.dll Cbnbobin.exe File created C:\Windows\SysWOW64\Hpocfncj.exe Hlcgeo32.exe File created C:\Windows\SysWOW64\Hojopmqk.dll Hjhhocjj.exe File opened for modification C:\Windows\SysWOW64\Jfcnngnd.exe Jbgbni32.exe File created C:\Windows\SysWOW64\Pmdmeemc.dll Pmqdkj32.exe File opened for modification C:\Windows\SysWOW64\Djbiicon.exe Dfgmhd32.exe -
Program crash 1 IoCs
pid pid_target Process 9076 9028 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohqbqhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oghlgdgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eeempocb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglhipbb.dll" Keoapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afohaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bkommo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dqjepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll" Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pfjbgnme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amkpegnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Anccmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfmdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmljjm32.dll" Cgbdhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpocfncj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjqccigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojfaijcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbfabp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojcecjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Boqbfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qlhnbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkdol32.dll" Cbkeib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goipbehm.dll" Ifnechbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loclnq32.dll" Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mmfbogcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Obkdonic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lojomkdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkgmi32.dll" Mmceigep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkemkhcd.dll" Pefijfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmcfdad.dll" Dfijnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aidnohbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlhaqogk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jfqahgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdklej32.dll" Lihmjejl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lhbcfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndbcpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcbellac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkdaf32.dll" Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll" Gejcjbah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmabnaj.dll" Pgioaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghohc32.dll" Ckafbbph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkqbaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll" Hobcak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopljni.dll" Mkjica32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkncmmle.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2004 wrote to memory of 1068 2004 bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe 28 PID 2004 wrote to memory of 1068 2004 bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe 28 PID 2004 wrote to memory of 1068 2004 bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe 28 PID 2004 wrote to memory of 1068 2004 bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe 28 PID 1068 wrote to memory of 1260 1068 Mkjica32.exe 29 PID 1068 wrote to memory of 1260 1068 Mkjica32.exe 29 PID 1068 wrote to memory of 1260 1068 Mkjica32.exe 29 PID 1068 wrote to memory of 1260 1068 Mkjica32.exe 29 PID 1260 wrote to memory of 2504 1260 Mdcnlglc.exe 30 PID 1260 wrote to memory of 2504 1260 Mdcnlglc.exe 30 PID 1260 wrote to memory of 2504 1260 Mdcnlglc.exe 30 PID 1260 wrote to memory of 2504 1260 Mdcnlglc.exe 30 PID 2504 wrote to memory of 2552 2504 Mkmfhacp.exe 31 PID 2504 wrote to memory of 2552 2504 Mkmfhacp.exe 31 PID 2504 wrote to memory of 2552 2504 Mkmfhacp.exe 31 PID 2504 wrote to memory of 2552 2504 Mkmfhacp.exe 31 PID 2552 wrote to memory of 2616 2552 Mnkbdlbd.exe 32 PID 2552 wrote to memory of 2616 2552 Mnkbdlbd.exe 32 PID 2552 wrote to memory of 2616 2552 Mnkbdlbd.exe 32 PID 2552 wrote to memory of 2616 2552 Mnkbdlbd.exe 32 PID 2616 wrote to memory of 2512 2616 Mdejaf32.exe 33 PID 2616 wrote to memory of 2512 2616 Mdejaf32.exe 33 PID 2616 wrote to memory of 2512 2616 Mdejaf32.exe 33 PID 2616 wrote to memory of 2512 2616 Mdejaf32.exe 33 PID 2512 wrote to memory of 2520 2512 Njbcim32.exe 34 PID 2512 wrote to memory of 2520 2512 Njbcim32.exe 34 PID 2512 wrote to memory of 2520 2512 Njbcim32.exe 34 PID 2512 wrote to memory of 2520 2512 Njbcim32.exe 34 PID 2520 wrote to memory of 2888 2520 Ndgggf32.exe 35 PID 2520 wrote to memory of 2888 2520 Ndgggf32.exe 35 PID 2520 wrote to memory of 2888 2520 Ndgggf32.exe 35 PID 2520 wrote to memory of 2888 2520 Ndgggf32.exe 35 PID 2888 wrote to memory of 1508 2888 Nkaocp32.exe 36 PID 2888 wrote to memory of 1508 2888 Nkaocp32.exe 36 PID 2888 wrote to memory of 1508 2888 Nkaocp32.exe 36 PID 2888 wrote to memory of 1508 2888 Nkaocp32.exe 36 PID 1508 wrote to memory of 2288 1508 Nnplpl32.exe 37 PID 1508 wrote to memory of 2288 1508 Nnplpl32.exe 37 PID 1508 wrote to memory of 2288 1508 Nnplpl32.exe 37 PID 1508 wrote to memory of 2288 1508 Nnplpl32.exe 37 PID 2288 wrote to memory of 2164 2288 Npnhlg32.exe 38 PID 2288 wrote to memory of 2164 2288 Npnhlg32.exe 38 PID 2288 wrote to memory of 2164 2288 Npnhlg32.exe 38 PID 2288 wrote to memory of 2164 2288 Npnhlg32.exe 38 PID 2164 wrote to memory of 1528 2164 Ncmdhb32.exe 39 PID 2164 wrote to memory of 1528 2164 Ncmdhb32.exe 39 PID 2164 wrote to memory of 1528 2164 Ncmdhb32.exe 39 PID 2164 wrote to memory of 1528 2164 Ncmdhb32.exe 39 PID 1528 wrote to memory of 2500 1528 Nnbhek32.exe 40 PID 1528 wrote to memory of 2500 1528 Nnbhek32.exe 40 PID 1528 wrote to memory of 2500 1528 Nnbhek32.exe 40 PID 1528 wrote to memory of 2500 1528 Nnbhek32.exe 40 PID 2500 wrote to memory of 2440 2500 Nqqdag32.exe 41 PID 2500 wrote to memory of 2440 2500 Nqqdag32.exe 41 PID 2500 wrote to memory of 2440 2500 Nqqdag32.exe 41 PID 2500 wrote to memory of 2440 2500 Nqqdag32.exe 41 PID 2440 wrote to memory of 2860 2440 Ngkmnacm.exe 42 PID 2440 wrote to memory of 2860 2440 Ngkmnacm.exe 42 PID 2440 wrote to memory of 2860 2440 Ngkmnacm.exe 42 PID 2440 wrote to memory of 2860 2440 Ngkmnacm.exe 42 PID 2860 wrote to memory of 1420 2860 Nlgefh32.exe 43 PID 2860 wrote to memory of 1420 2860 Nlgefh32.exe 43 PID 2860 wrote to memory of 1420 2860 Nlgefh32.exe 43 PID 2860 wrote to memory of 1420 2860 Nlgefh32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1420 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1204 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe33⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe34⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe35⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe36⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3056 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe38⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe39⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe40⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe42⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe43⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1772 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe45⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe46⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe47⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe48⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe49⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe51⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe52⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe53⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe56⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe57⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe58⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe59⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe60⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe61⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe62⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe63⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe65⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe66⤵
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe67⤵PID:1408
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe68⤵PID:2496
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe69⤵PID:1964
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe70⤵PID:2328
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe71⤵PID:1560
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe72⤵PID:1588
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe73⤵PID:3064
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe74⤵PID:1700
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe75⤵PID:304
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe76⤵PID:2468
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2696 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe78⤵PID:2856
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe79⤵PID:1444
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe80⤵PID:2012
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe81⤵PID:2596
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe82⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe83⤵PID:2832
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1688 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe85⤵PID:2028
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe86⤵PID:2524
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe87⤵PID:912
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe88⤵PID:1140
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe89⤵PID:1536
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe90⤵PID:2360
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe91⤵PID:2448
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe92⤵PID:2932
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe93⤵PID:2936
-
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe94⤵PID:1232
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe95⤵PID:2128
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe96⤵PID:2180
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe97⤵PID:2196
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe98⤵PID:1304
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2192 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe100⤵PID:1832
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe101⤵PID:2772
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2284 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe103⤵PID:2956
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe104⤵PID:2720
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe105⤵PID:2560
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe106⤵PID:1996
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe107⤵
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2076 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe109⤵PID:2592
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe110⤵PID:1780
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe111⤵PID:2060
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe112⤵PID:1532
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe113⤵PID:1452
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe114⤵PID:2168
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe115⤵PID:2120
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe116⤵
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe117⤵PID:2376
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe118⤵PID:1368
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe119⤵PID:772
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe120⤵PID:2312
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe121⤵PID:2056
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-