Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09-05-2024 01:34
Behavioral task
behavioral1
Sample
bf4b816cd75d4e727a45c738d053a6b0_NEIKI.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
bf4b816cd75d4e727a45c738d053a6b0_NEIKI.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
bf4b816cd75d4e727a45c738d053a6b0_NEIKI.exe
-
Size
329KB
-
MD5
bf4b816cd75d4e727a45c738d053a6b0
-
SHA1
50b329603b1664896a286be73ecf0efa33ed1b95
-
SHA256
ca59190b3113b1faa1f40b06e74b1d3e3eda8b984a9c38410bd8095b7cbb8c80
-
SHA512
31dc5fdb01042ad331b620b857e045055cedbab289b5a1ff3b3511d0f14df37ab751cea04db42ace59dc83d7c704854df18e4e0c28f2acfddcaa5c376b7ad1ee
-
SSDEEP
6144:GBSqbws+H3Lb+Qw/WYgFIgsh0KXoQr8jTQjewInBIE1+J3RzAHV+EueR2F:GBSj7LKQweY0sam38vZwIBIE1+J3pQtI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjgehgnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpcoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmjaohol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bejfao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clojhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkbaii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emifeqid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjofdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimfld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nihcog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohbikbkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famope32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpigma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnaiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbnljqic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbeofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldheebad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnnko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eelkeeah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aficjnpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmgmpnhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjicjbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbjbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jofejpmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgfjhcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmlael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgkonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klhgfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmfkfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofhjopbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcllbhdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aomnhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehjqgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cedpbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihiphln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfhhjklc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnpflj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioooiack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcecbq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eakhdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccmpce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbgqjdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fogibnha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elfcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijphofem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ingkdeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjljnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acfdnihk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjamgmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjqgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbiaemkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgnjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alihaioe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaimopli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhfjjdjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbjpil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdiqpigl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifampo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbafdlod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paaddgkj.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x0009000000014738-5.dat family_berbew behavioral1/files/0x0008000000015264-29.dat family_berbew behavioral1/files/0x00090000000155d4-40.dat family_berbew behavioral1/files/0x0007000000015c87-48.dat family_berbew behavioral1/files/0x0006000000016cf0-66.dat family_berbew behavioral1/files/0x0006000000016d11-75.dat family_berbew behavioral1/files/0x0006000000016d36-88.dat family_berbew behavioral1/files/0x0006000000016d4a-102.dat family_berbew behavioral1/files/0x0006000000016d55-116.dat family_berbew behavioral1/files/0x0013000000014e3d-130.dat family_berbew behavioral1/files/0x0006000000017090-158.dat family_berbew behavioral1/files/0x0005000000018698-172.dat family_berbew behavioral1/files/0x0006000000018ae2-192.dat family_berbew behavioral1/files/0x0006000000018b15-204.dat family_berbew behavioral1/files/0x0006000000018b37-212.dat family_berbew behavioral1/files/0x0006000000018b4a-229.dat family_berbew behavioral1/files/0x00050000000192c9-256.dat family_berbew behavioral1/files/0x0005000000019410-298.dat family_berbew behavioral1/memory/2100-302-0x00000000003C0000-0x00000000003F4000-memory.dmp family_berbew behavioral1/files/0x000500000001946f-311.dat family_berbew behavioral1/files/0x00040000000194dc-340.dat family_berbew behavioral1/files/0x00050000000194ea-350.dat family_berbew behavioral1/files/0x00050000000195a7-427.dat family_berbew behavioral1/files/0x00050000000195a9-437.dat family_berbew behavioral1/files/0x0005000000019bef-495.dat family_berbew behavioral1/files/0x0005000000019ce6-507.dat family_berbew behavioral1/files/0x0005000000019bd7-483.dat family_berbew behavioral1/files/0x000500000001996e-470.dat family_berbew behavioral1/memory/2592-463-0x0000000000220000-0x0000000000254000-memory.dmp family_berbew behavioral1/files/0x0005000000019646-459.dat family_berbew behavioral1/files/0x00050000000195ba-449.dat family_berbew behavioral1/memory/1780-440-0x0000000000230000-0x0000000000264000-memory.dmp family_berbew behavioral1/memory/1832-434-0x0000000000220000-0x0000000000254000-memory.dmp family_berbew behavioral1/files/0x0005000000019d59-517.dat family_berbew behavioral1/files/0x00050000000195a4-416.dat family_berbew behavioral1/files/0x000500000001a013-537.dat family_berbew behavioral1/files/0x000500000001a2d0-547.dat family_berbew behavioral1/files/0x000500000001a3c8-566.dat family_berbew behavioral1/files/0x000500000001a3d4-580.dat family_berbew behavioral1/files/0x000500000001a429-591.dat family_berbew behavioral1/files/0x000500000001a431-600.dat family_berbew behavioral1/files/0x000500000001a43b-611.dat family_berbew behavioral1/files/0x000500000001a443-622.dat family_berbew behavioral1/files/0x000500000001a447-632.dat family_berbew behavioral1/files/0x000500000001a44f-656.dat family_berbew behavioral1/files/0x000500000001a45f-707.dat family_berbew behavioral1/files/0x000500000001a463-720.dat family_berbew behavioral1/files/0x000500000001a467-734.dat family_berbew behavioral1/files/0x000500000001a46c-748.dat family_berbew behavioral1/files/0x000500000001a479-786.dat family_berbew behavioral1/files/0x000500000001a47d-799.dat family_berbew behavioral1/files/0x000500000001a484-812.dat family_berbew behavioral1/files/0x000500000001a474-774.dat family_berbew behavioral1/files/0x000500000001a489-825.dat family_berbew behavioral1/files/0x000500000001a543-838.dat family_berbew behavioral1/files/0x000500000001ad1c-850.dat family_berbew behavioral1/files/0x000500000001c288-862.dat family_berbew behavioral1/files/0x000500000001c6d5-874.dat family_berbew behavioral1/files/0x000500000001c71e-887.dat family_berbew behavioral1/files/0x000500000001c832-916.dat family_berbew behavioral1/files/0x000500000001c837-929.dat family_berbew behavioral1/files/0x000500000001c83b-939.dat family_berbew behavioral1/files/0x000500000001c83f-953.dat family_berbew behavioral1/files/0x000500000001c847-972.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 852 Cedpbd32.exe 2496 Cdjmcpnl.exe 2480 Cifelgmd.exe 2612 Dkfbfjdf.exe 2528 Ddnfop32.exe 2420 Depbfhpe.exe 1784 Dcccpl32.exe 1124 Diphbfdi.exe 2044 Elqaca32.exe 2680 Ehgbhbgn.exe 2312 Ednbncmb.exe 1772 Epecbd32.exe 1652 Flqmbd32.exe 1992 Fjdnlhco.exe 772 Fdnolfon.exe 3016 Fnfcel32.exe 436 Fdbhge32.exe 2024 Gjpqpl32.exe 1184 Ggcaiqhj.exe 1888 Gqlebf32.exe 2828 Gnpflj32.exe 568 Gjfgqk32.exe 2100 Gmecmg32.exe 2780 Gfmgelil.exe 892 Gcahoqhf.exe 2072 Heealhla.exe 2448 Hbiaemkk.exe 2504 Hbknkl32.exe 2616 Hnbopmnm.exe 2580 Hfmddp32.exe 544 Imiigiab.exe 576 Ifampo32.exe 964 Imleli32.exe 2416 Iibfajdc.exe 1832 Ioooiack.exe 1780 Ilcoce32.exe 1828 Ibmgpoia.exe 2592 Jhjphfgi.exe 1768 Jbpdeogo.exe 2292 Jofejpmc.exe 1144 Jdcmbgkj.exe 856 Jnkakl32.exe 1576 Jgdfdbhk.exe 952 Jgfcja32.exe 1632 Lgkhdddo.exe 2228 Lgmeid32.exe 1856 Lmjnak32.exe 2092 Lgoboc32.exe 2036 Ljnnko32.exe 2944 Lcfbdd32.exe 2208 Mkaghg32.exe 2888 Mbkpeake.exe 2476 Mkddnf32.exe 1752 Mbnljqic.exe 2624 Melifl32.exe 1940 Mlfacfpc.exe 312 Macilmnk.exe 3020 Mlhnifmq.exe 1484 Maefamlh.exe 2356 Mlkjne32.exe 3052 Mnifja32.exe 2452 Ncfoch32.exe 1808 Njpgpbpf.exe 1520 Nfghdcfj.exe -
Loads dropped DLL 64 IoCs
pid Process 640 bf4b816cd75d4e727a45c738d053a6b0_NEIKI.exe 640 bf4b816cd75d4e727a45c738d053a6b0_NEIKI.exe 852 Cedpbd32.exe 852 Cedpbd32.exe 2496 Cdjmcpnl.exe 2496 Cdjmcpnl.exe 2480 Cifelgmd.exe 2480 Cifelgmd.exe 2612 Dkfbfjdf.exe 2612 Dkfbfjdf.exe 2528 Ddnfop32.exe 2528 Ddnfop32.exe 2420 Depbfhpe.exe 2420 Depbfhpe.exe 1784 Dcccpl32.exe 1784 Dcccpl32.exe 1124 Diphbfdi.exe 1124 Diphbfdi.exe 2044 Elqaca32.exe 2044 Elqaca32.exe 2680 Ehgbhbgn.exe 2680 Ehgbhbgn.exe 2312 Ednbncmb.exe 2312 Ednbncmb.exe 1772 Epecbd32.exe 1772 Epecbd32.exe 1652 Flqmbd32.exe 1652 Flqmbd32.exe 1992 Fjdnlhco.exe 1992 Fjdnlhco.exe 772 Fdnolfon.exe 772 Fdnolfon.exe 3016 Fnfcel32.exe 3016 Fnfcel32.exe 436 Fdbhge32.exe 436 Fdbhge32.exe 2024 Gjpqpl32.exe 2024 Gjpqpl32.exe 1184 Ggcaiqhj.exe 1184 Ggcaiqhj.exe 1888 Gqlebf32.exe 1888 Gqlebf32.exe 2828 Gnpflj32.exe 2828 Gnpflj32.exe 568 Gjfgqk32.exe 568 Gjfgqk32.exe 2100 Gmecmg32.exe 2100 Gmecmg32.exe 2780 Gfmgelil.exe 2780 Gfmgelil.exe 892 Gcahoqhf.exe 892 Gcahoqhf.exe 2072 Heealhla.exe 2072 Heealhla.exe 2448 Hbiaemkk.exe 2448 Hbiaemkk.exe 2504 Hbknkl32.exe 2504 Hbknkl32.exe 2616 Hnbopmnm.exe 2616 Hnbopmnm.exe 2580 Hfmddp32.exe 2580 Hfmddp32.exe 544 Imiigiab.exe 544 Imiigiab.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dognqkje.dll Aflfjc32.exe File opened for modification C:\Windows\SysWOW64\Jpgjgboe.exe Jeafjiop.exe File created C:\Windows\SysWOW64\Jbhcim32.exe Jpigma32.exe File created C:\Windows\SysWOW64\Ghacfmic.exe Gpjkeoha.exe File created C:\Windows\SysWOW64\Kpkpadnl.exe Kjahej32.exe File created C:\Windows\SysWOW64\Pjdjea32.dll Nplimbka.exe File created C:\Windows\SysWOW64\Clojhf32.exe Cbffoabe.exe File created C:\Windows\SysWOW64\Ncfalqpm.exe Nnjicjbf.exe File created C:\Windows\SysWOW64\Nihcog32.exe Nppofado.exe File created C:\Windows\SysWOW64\Gonale32.exe Ghdiokbq.exe File created C:\Windows\SysWOW64\Hqiqjlga.exe Hcepqh32.exe File created C:\Windows\SysWOW64\Kemjcm32.dll Cedpbd32.exe File created C:\Windows\SysWOW64\Lcfbdd32.exe Ljnnko32.exe File opened for modification C:\Windows\SysWOW64\Feddombd.exe Eojlbb32.exe File opened for modification C:\Windows\SysWOW64\Diphbfdi.exe Dcccpl32.exe File created C:\Windows\SysWOW64\Fkfgkgmk.dll Pljcllqe.exe File opened for modification C:\Windows\SysWOW64\Bjbeofpp.exe Befmfpbi.exe File created C:\Windows\SysWOW64\Miidam32.dll Cacclpae.exe File opened for modification C:\Windows\SysWOW64\Haqnea32.exe Hjgehgnh.exe File created C:\Windows\SysWOW64\Gbcknkna.dll Ncfalqpm.exe File created C:\Windows\SysWOW64\Pfnmmn32.exe Paaddgkj.exe File opened for modification C:\Windows\SysWOW64\Ggapbcne.exe Glklejoo.exe File created C:\Windows\SysWOW64\Nedhjj32.exe Mcckcbgp.exe File created C:\Windows\SysWOW64\Kkijcgjo.dll Mciabmlo.exe File created C:\Windows\SysWOW64\Aihgmjad.dll Aaejojjq.exe File opened for modification C:\Windows\SysWOW64\Ccpeld32.exe Cmfmojcb.exe File created C:\Windows\SysWOW64\Afffenbp.exe Aomnhd32.exe File created C:\Windows\SysWOW64\Phoogg32.dll Agglbp32.exe File created C:\Windows\SysWOW64\Kocpbfei.exe Khjgel32.exe File created C:\Windows\SysWOW64\Qiioon32.exe Qcogbdkg.exe File opened for modification C:\Windows\SysWOW64\Cbffoabe.exe Ckmnbg32.exe File created C:\Windows\SysWOW64\Ebklic32.exe Ekdchf32.exe File created C:\Windows\SysWOW64\Ekfpmf32.exe Edlhqlfi.exe File created C:\Windows\SysWOW64\Kbjbge32.exe Jplfkjbd.exe File opened for modification C:\Windows\SysWOW64\Nfkapb32.exe Npaich32.exe File created C:\Windows\SysWOW64\Kdnild32.exe Koaqcn32.exe File created C:\Windows\SysWOW64\Ckmcef32.dll Qiioon32.exe File opened for modification C:\Windows\SysWOW64\Jokqnhpa.exe Jdflqo32.exe File created C:\Windows\SysWOW64\Bfabnl32.exe Baefnmml.exe File created C:\Windows\SysWOW64\Jhhcghdk.dll Dcbnpgkh.exe File created C:\Windows\SysWOW64\Nmmnnh32.dll Jeafjiop.exe File opened for modification C:\Windows\SysWOW64\Kdklfe32.exe Jampjian.exe File created C:\Windows\SysWOW64\Lkgngb32.exe Lfkeokjp.exe File opened for modification C:\Windows\SysWOW64\Fapeic32.exe Fpohakbp.exe File created C:\Windows\SysWOW64\Feddombd.exe Eojlbb32.exe File created C:\Windows\SysWOW64\Nabkgh32.dll Gjpqpl32.exe File created C:\Windows\SysWOW64\Hcgjmo32.exe Hjofdi32.exe File opened for modification C:\Windows\SysWOW64\Lfhhjklc.exe Kpkpadnl.exe File opened for modification C:\Windows\SysWOW64\Dfmeccao.exe Daplkmbg.exe File opened for modification C:\Windows\SysWOW64\Kocpbfei.exe Khjgel32.exe File created C:\Windows\SysWOW64\Dcccpl32.exe Depbfhpe.exe File opened for modification C:\Windows\SysWOW64\Plolgk32.exe Peedka32.exe File created C:\Windows\SysWOW64\Ckboie32.dll Qackpado.exe File opened for modification C:\Windows\SysWOW64\Dhiomn32.exe Copjdhib.exe File created C:\Windows\SysWOW64\Gmpcgace.exe Gfejjgli.exe File opened for modification C:\Windows\SysWOW64\Kpkpadnl.exe Kjahej32.exe File created C:\Windows\SysWOW64\Bkpglbaj.exe Bhbkpgbf.exe File created C:\Windows\SysWOW64\Qdnpmb32.dll Ifampo32.exe File created C:\Windows\SysWOW64\Jdbfnoac.dll Lgkhdddo.exe File created C:\Windows\SysWOW64\Ncfoch32.exe Mnifja32.exe File created C:\Windows\SysWOW64\Apldjp32.dll Gonocmbi.exe File created C:\Windows\SysWOW64\Apoldh32.dll Gkephn32.exe File created C:\Windows\SysWOW64\Dqaegjop.dll Agjobffl.exe File created C:\Windows\SysWOW64\Ggagmjbq.exe Fepjea32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2516 852 WerFault.exe 535 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmjdaqgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpohakbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnmjop32.dll" Cbjlhpkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goldfelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mplfpn32.dll" Fnfcel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhjfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afffenbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kilgoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fooembgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkephn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdeqfhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alenfc32.dll" Njpgpbpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddnfop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdnolfon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fepjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boemlbpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Folhgbid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cifelgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpkpadnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fncpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbfplfp.dll" Lbcbjlmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekdchf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbidne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkpccb32.dll" Ldheebad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahdkab32.dll" Lkbmbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjdlhfqf.dll" Depbfhpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjgoje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll" Kbmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaiqn32.dll" Opqoge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cagienkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhhkapeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggcaiqhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfkhoe32.dll" Befmfpbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkgngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll" Cbblda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbmfgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfghdcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biolanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnkoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncfalqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjpqpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omefkplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llbqfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckjamgmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckbpqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfddo32.dll" Jmkmjoec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peedka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idicbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll" Aebmjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccjoli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foolgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfeaiime.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afliclij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khjgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqkhngff.dll" Ggcaiqhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idgglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll" Qeppdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggkja32.dll" Oaogognm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmipdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" bf4b816cd75d4e727a45c738d053a6b0_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oonldcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgfplhjm.dll" Jpigma32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 640 wrote to memory of 852 640 bf4b816cd75d4e727a45c738d053a6b0_NEIKI.exe 535 PID 640 wrote to memory of 852 640 bf4b816cd75d4e727a45c738d053a6b0_NEIKI.exe 535 PID 640 wrote to memory of 852 640 bf4b816cd75d4e727a45c738d053a6b0_NEIKI.exe 535 PID 640 wrote to memory of 852 640 bf4b816cd75d4e727a45c738d053a6b0_NEIKI.exe 535 PID 852 wrote to memory of 2496 852 Cedpbd32.exe 491 PID 852 wrote to memory of 2496 852 Cedpbd32.exe 491 PID 852 wrote to memory of 2496 852 Cedpbd32.exe 491 PID 852 wrote to memory of 2496 852 Cedpbd32.exe 491 PID 2496 wrote to memory of 2480 2496 Cdjmcpnl.exe 30 PID 2496 wrote to memory of 2480 2496 Cdjmcpnl.exe 30 PID 2496 wrote to memory of 2480 2496 Cdjmcpnl.exe 30 PID 2496 wrote to memory of 2480 2496 Cdjmcpnl.exe 30 PID 2480 wrote to memory of 2612 2480 Cifelgmd.exe 31 PID 2480 wrote to memory of 2612 2480 Cifelgmd.exe 31 PID 2480 wrote to memory of 2612 2480 Cifelgmd.exe 31 PID 2480 wrote to memory of 2612 2480 Cifelgmd.exe 31 PID 2612 wrote to memory of 2528 2612 Dkfbfjdf.exe 32 PID 2612 wrote to memory of 2528 2612 Dkfbfjdf.exe 32 PID 2612 wrote to memory of 2528 2612 Dkfbfjdf.exe 32 PID 2612 wrote to memory of 2528 2612 Dkfbfjdf.exe 32 PID 2528 wrote to memory of 2420 2528 Ddnfop32.exe 33 PID 2528 wrote to memory of 2420 2528 Ddnfop32.exe 33 PID 2528 wrote to memory of 2420 2528 Ddnfop32.exe 33 PID 2528 wrote to memory of 2420 2528 Ddnfop32.exe 33 PID 2420 wrote to memory of 1784 2420 Depbfhpe.exe 34 PID 2420 wrote to memory of 1784 2420 Depbfhpe.exe 34 PID 2420 wrote to memory of 1784 2420 Depbfhpe.exe 34 PID 2420 wrote to memory of 1784 2420 Depbfhpe.exe 34 PID 1784 wrote to memory of 1124 1784 Dcccpl32.exe 35 PID 1784 wrote to memory of 1124 1784 Dcccpl32.exe 35 PID 1784 wrote to memory of 1124 1784 Dcccpl32.exe 35 PID 1784 wrote to memory of 1124 1784 Dcccpl32.exe 35 PID 1124 wrote to memory of 2044 1124 Diphbfdi.exe 36 PID 1124 wrote to memory of 2044 1124 Diphbfdi.exe 36 PID 1124 wrote to memory of 2044 1124 Diphbfdi.exe 36 PID 1124 wrote to memory of 2044 1124 Diphbfdi.exe 36 PID 2044 wrote to memory of 2680 2044 Elqaca32.exe 37 PID 2044 wrote to memory of 2680 2044 Elqaca32.exe 37 PID 2044 wrote to memory of 2680 2044 Elqaca32.exe 37 PID 2044 wrote to memory of 2680 2044 Elqaca32.exe 37 PID 2680 wrote to memory of 2312 2680 Ehgbhbgn.exe 38 PID 2680 wrote to memory of 2312 2680 Ehgbhbgn.exe 38 PID 2680 wrote to memory of 2312 2680 Ehgbhbgn.exe 38 PID 2680 wrote to memory of 2312 2680 Ehgbhbgn.exe 38 PID 2312 wrote to memory of 1772 2312 Ednbncmb.exe 39 PID 2312 wrote to memory of 1772 2312 Ednbncmb.exe 39 PID 2312 wrote to memory of 1772 2312 Ednbncmb.exe 39 PID 2312 wrote to memory of 1772 2312 Ednbncmb.exe 39 PID 1772 wrote to memory of 1652 1772 Epecbd32.exe 40 PID 1772 wrote to memory of 1652 1772 Epecbd32.exe 40 PID 1772 wrote to memory of 1652 1772 Epecbd32.exe 40 PID 1772 wrote to memory of 1652 1772 Epecbd32.exe 40 PID 1652 wrote to memory of 1992 1652 Flqmbd32.exe 41 PID 1652 wrote to memory of 1992 1652 Flqmbd32.exe 41 PID 1652 wrote to memory of 1992 1652 Flqmbd32.exe 41 PID 1652 wrote to memory of 1992 1652 Flqmbd32.exe 41 PID 1992 wrote to memory of 772 1992 Fjdnlhco.exe 42 PID 1992 wrote to memory of 772 1992 Fjdnlhco.exe 42 PID 1992 wrote to memory of 772 1992 Fjdnlhco.exe 42 PID 1992 wrote to memory of 772 1992 Fjdnlhco.exe 42 PID 772 wrote to memory of 3016 772 Fdnolfon.exe 43 PID 772 wrote to memory of 3016 772 Fdnolfon.exe 43 PID 772 wrote to memory of 3016 772 Fdnolfon.exe 43 PID 772 wrote to memory of 3016 772 Fdnolfon.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf4b816cd75d4e727a45c738d053a6b0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\bf4b816cd75d4e727a45c738d053a6b0_NEIKI.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:436 -
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1184 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1888 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:544 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:576 -
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe34⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe35⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe37⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe38⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe39⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe40⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe42⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe43⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe44⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe45⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe47⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe48⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe49⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe51⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe52⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe53⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe54⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Melifl32.exeC:\Windows\system32\Melifl32.exe56⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe57⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe58⤵
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe59⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe60⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Mlkjne32.exeC:\Windows\system32\Mlkjne32.exe61⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe63⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe66⤵PID:1852
-
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe67⤵PID:1656
-
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe68⤵
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe69⤵PID:2156
-
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe70⤵PID:2556
-
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe71⤵PID:2364
-
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe72⤵PID:2408
-
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe73⤵PID:1504
-
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe74⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe75⤵PID:1960
-
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe76⤵PID:2628
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe77⤵PID:1552
-
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe78⤵
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe80⤵
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe81⤵PID:1712
-
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe82⤵PID:2188
-
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe84⤵PID:2140
-
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe85⤵PID:1272
-
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe86⤵PID:2748
-
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe87⤵PID:2720
-
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe88⤵PID:2760
-
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe89⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe90⤵
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe91⤵PID:2484
-
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe92⤵PID:2796
-
C:\Windows\SysWOW64\Acfdnihk.exeC:\Windows\system32\Acfdnihk.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2352 -
C:\Windows\SysWOW64\Ajqljc32.exeC:\Windows\system32\Ajqljc32.exe94⤵PID:1648
-
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe95⤵PID:2744
-
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe96⤵PID:836
-
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe97⤵PID:2728
-
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe98⤵PID:2096
-
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe99⤵PID:2184
-
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe100⤵PID:968
-
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe101⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe102⤵PID:1340
-
C:\Windows\SysWOW64\Bimoloog.exeC:\Windows\system32\Bimoloog.exe103⤵PID:1744
-
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe104⤵PID:2388
-
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe105⤵
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2816 -
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:324 -
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1664 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe111⤵
- Modifies registry class
PID:984 -
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2564 -
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe113⤵PID:1668
-
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe114⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe115⤵PID:1092
-
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe116⤵PID:2776
-
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe117⤵
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe118⤵PID:916
-
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe119⤵PID:2972
-
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe120⤵PID:1776
-
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe121⤵PID:960
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-