Analysis
-
max time kernel
122s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 03:31
Behavioral task
behavioral1
Sample
dfcfde888f8b4c72052b02909b102180_NEIKI.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
dfcfde888f8b4c72052b02909b102180_NEIKI.exe
Resource
win10v2004-20240426-en
General
-
Target
dfcfde888f8b4c72052b02909b102180_NEIKI.exe
-
Size
240KB
-
MD5
dfcfde888f8b4c72052b02909b102180
-
SHA1
a87449e8cd705949badb4660c46bf81d4fed4a2e
-
SHA256
8732260052cda05f9c79d0083f6cb5a7b5a93414138bf507874b84516af76921
-
SHA512
6f90a24fc2981fde8aa11a0746379af179684b7ab95e40a95689529d7a4e3a3f9db4641637341b1f3c49fb85d630079976dc8de46d0d7437c8664924c5e1e719
-
SSDEEP
6144:rqFxX0omEcAJN+SYSUZCb6M3W8DStQUkA1FiHwSD:rqTmtycSly8DSUA1YHVD
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgbcpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlhhndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ichllgfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmbpmapf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpicodoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amqccfed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opplolac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afohaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cldooj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemegc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glpdde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfedqagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjochdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gifhnpea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnjplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meicnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmecmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkbgjcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfghdcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oaiibg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edfpih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iphecepe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daqamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adpkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjkndb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcjnfdbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldmoepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjngmmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbpeoc32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000b00000001226d-5.dat family_berbew behavioral1/files/0x0008000000015cea-18.dat family_berbew behavioral1/files/0x0007000000015d09-32.dat family_berbew behavioral1/files/0x0008000000015d42-52.dat family_berbew behavioral1/files/0x0008000000016c67-59.dat family_berbew behavioral1/files/0x0006000000016cde-78.dat family_berbew behavioral1/files/0x0006000000016d1a-85.dat family_berbew behavioral1/files/0x0006000000016d2b-98.dat family_berbew behavioral1/files/0x0006000000016d3b-111.dat family_berbew behavioral1/files/0x0006000000016d4c-125.dat family_berbew behavioral1/files/0x0006000000016d68-138.dat family_berbew behavioral1/files/0x0009000000015cb7-151.dat family_berbew behavioral1/files/0x0006000000016d78-164.dat family_berbew behavioral1/files/0x0006000000016db2-185.dat family_berbew behavioral1/files/0x0006000000016dd1-193.dat family_berbew behavioral1/files/0x000600000001720f-209.dat family_berbew behavioral1/files/0x00060000000173d3-217.dat family_berbew behavioral1/files/0x0006000000017568-227.dat family_berbew behavioral1/files/0x00060000000175f4-236.dat family_berbew behavioral1/files/0x0005000000018701-247.dat family_berbew behavioral1/files/0x0005000000018711-258.dat family_berbew behavioral1/files/0x0005000000018784-269.dat family_berbew behavioral1/files/0x00050000000187a2-280.dat family_berbew behavioral1/files/0x0006000000018bc6-292.dat family_berbew behavioral1/files/0x00060000000190d6-302.dat family_berbew behavioral1/files/0x0005000000019349-313.dat family_berbew behavioral1/files/0x00050000000193d2-326.dat family_berbew behavioral1/files/0x000500000001941b-329.dat family_berbew behavioral1/files/0x000500000001950d-370.dat family_berbew behavioral1/files/0x0005000000019590-378.dat family_berbew behavioral1/files/0x0005000000019470-356.dat family_berbew behavioral1/files/0x0005000000019620-403.dat family_berbew behavioral1/files/0x000500000001961c-390.dat family_berbew behavioral1/files/0x0005000000019624-411.dat family_berbew behavioral1/files/0x0005000000019437-348.dat family_berbew behavioral1/memory/2456-426-0x0000000000250000-0x0000000000292000-memory.dmp family_berbew behavioral1/files/0x0005000000019626-424.dat family_berbew behavioral1/files/0x000500000001962a-436.dat family_berbew behavioral1/files/0x000500000001962e-445.dat family_berbew behavioral1/files/0x0005000000019679-466.dat family_berbew behavioral1/files/0x0005000000019632-456.dat family_berbew behavioral1/files/0x00050000000196bb-478.dat family_berbew behavioral1/files/0x0005000000019702-489.dat family_berbew behavioral1/memory/568-496-0x0000000000250000-0x0000000000292000-memory.dmp family_berbew behavioral1/files/0x0005000000019716-499.dat family_berbew behavioral1/files/0x0005000000019900-510.dat family_berbew behavioral1/files/0x0005000000019962-523.dat family_berbew behavioral1/files/0x0005000000019c66-533.dat family_berbew behavioral1/files/0x0005000000019c6a-543.dat family_berbew behavioral1/files/0x0005000000019dcf-552.dat family_berbew behavioral1/files/0x0005000000019eb7-563.dat family_berbew behavioral1/files/0x000500000001a04e-572.dat family_berbew behavioral1/files/0x000500000001a0b6-584.dat family_berbew behavioral1/files/0x000500000001a0f6-593.dat family_berbew behavioral1/files/0x000500000001a418-605.dat family_berbew behavioral1/files/0x000500000001a472-616.dat family_berbew behavioral1/files/0x000500000001a47a-626.dat family_berbew behavioral1/files/0x000500000001a4b3-639.dat family_berbew behavioral1/files/0x000500000001a4d1-654.dat family_berbew behavioral1/files/0x000500000001a4db-660.dat family_berbew behavioral1/files/0x000500000001a4eb-673.dat family_berbew behavioral1/files/0x000500000001a4ef-684.dat family_berbew behavioral1/files/0x000500000001a4f3-697.dat family_berbew behavioral1/files/0x000500000001a4f8-706.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2360 Ccdlbf32.exe 2152 Ccfhhffh.exe 2736 Comimg32.exe 2572 Cjbmjplb.exe 2620 Cfinoq32.exe 2496 Cndbcc32.exe 2508 Dgmglh32.exe 2504 Ddagfm32.exe 2344 Dnilobkm.exe 2520 Dgaqgh32.exe 2200 Ddeaalpg.exe 2424 Dmafennb.exe 1288 Dfijnd32.exe 352 Emcbkn32.exe 2864 Eflgccbp.exe 2248 Emeopn32.exe 1492 Epfhbign.exe 2868 Ebedndfa.exe 764 Epieghdk.exe 2812 Eeempocb.exe 1532 Eiaiqn32.exe 1992 Ennaieib.exe 864 Fehjeo32.exe 2996 Fnpnndgp.exe 2988 Fjgoce32.exe 2156 Fmekoalh.exe 2952 Fmhheqje.exe 1596 Fbdqmghm.exe 2068 Fphafl32.exe 2160 Fddmgjpo.exe 2604 Ffbicfoc.exe 2688 Fiaeoang.exe 2728 Fmlapp32.exe 2564 Gangic32.exe 2456 Gieojq32.exe 2528 Gelppaof.exe 1432 Ghkllmoi.exe 1676 Gkihhhnm.exe 2356 Gmgdddmq.exe 1192 Geolea32.exe 568 Gaemjbcg.exe 300 Gddifnbk.exe 1784 Hmlnoc32.exe 2096 Hdfflm32.exe 836 Hicodd32.exe 2340 Hdhbam32.exe 1764 Hejoiedd.exe 1316 Hpocfncj.exe 1968 Hobcak32.exe 1312 Hellne32.exe 2404 Hpapln32.exe 2964 Hjjddchg.exe 2396 Hlhaqogk.exe 2164 Iaeiieeb.exe 2548 Ilknfn32.exe 2652 Ioijbj32.exe 1572 Idfbkq32.exe 2748 Ikpjgkjq.exe 2704 Iokfhi32.exe 2884 Iqmcpahh.exe 1680 Iggkllpe.exe 1280 Idklfpon.exe 1828 Icmlam32.exe 2180 Ikddbj32.exe -
Loads dropped DLL 64 IoCs
pid Process 2420 dfcfde888f8b4c72052b02909b102180_NEIKI.exe 2420 dfcfde888f8b4c72052b02909b102180_NEIKI.exe 2360 Ccdlbf32.exe 2360 Ccdlbf32.exe 2152 Ccfhhffh.exe 2152 Ccfhhffh.exe 2736 Comimg32.exe 2736 Comimg32.exe 2572 Cjbmjplb.exe 2572 Cjbmjplb.exe 2620 Cfinoq32.exe 2620 Cfinoq32.exe 2496 Cndbcc32.exe 2496 Cndbcc32.exe 2508 Dgmglh32.exe 2508 Dgmglh32.exe 2504 Ddagfm32.exe 2504 Ddagfm32.exe 2344 Dnilobkm.exe 2344 Dnilobkm.exe 2520 Dgaqgh32.exe 2520 Dgaqgh32.exe 2200 Ddeaalpg.exe 2200 Ddeaalpg.exe 2424 Dmafennb.exe 2424 Dmafennb.exe 1288 Dfijnd32.exe 1288 Dfijnd32.exe 352 Emcbkn32.exe 352 Emcbkn32.exe 2864 Eflgccbp.exe 2864 Eflgccbp.exe 2248 Emeopn32.exe 2248 Emeopn32.exe 1492 Epfhbign.exe 1492 Epfhbign.exe 2868 Ebedndfa.exe 2868 Ebedndfa.exe 764 Epieghdk.exe 764 Epieghdk.exe 2812 Eeempocb.exe 2812 Eeempocb.exe 1532 Eiaiqn32.exe 1532 Eiaiqn32.exe 1992 Ennaieib.exe 1992 Ennaieib.exe 864 Fehjeo32.exe 864 Fehjeo32.exe 2996 Fnpnndgp.exe 2996 Fnpnndgp.exe 2988 Fjgoce32.exe 2988 Fjgoce32.exe 2156 Fmekoalh.exe 2156 Fmekoalh.exe 2952 Fmhheqje.exe 2952 Fmhheqje.exe 1596 Fbdqmghm.exe 1596 Fbdqmghm.exe 2068 Fphafl32.exe 2068 Fphafl32.exe 2160 Fddmgjpo.exe 2160 Fddmgjpo.exe 2604 Ffbicfoc.exe 2604 Ffbicfoc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Debadpeg.exe Process not Found File created C:\Windows\SysWOW64\Ggfpgi32.exe Process not Found File created C:\Windows\SysWOW64\Ibacbcgg.exe Process not Found File created C:\Windows\SysWOW64\Ldhnfd32.dll Qfokbnip.exe File created C:\Windows\SysWOW64\Fncdgcqm.exe Flehkhai.exe File created C:\Windows\SysWOW64\Ccigfn32.exe Clooiddm.exe File created C:\Windows\SysWOW64\Ajmijmnn.exe Process not Found File created C:\Windows\SysWOW64\Mmfdhojb.exe Mfllkece.exe File opened for modification C:\Windows\SysWOW64\Aennba32.exe Ancefgfd.exe File created C:\Windows\SysWOW64\Obdojcef.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iacjjacb.exe Process not Found File created C:\Windows\SysWOW64\Fchopn32.dll Process not Found File created C:\Windows\SysWOW64\Jikhnaao.exe Process not Found File created C:\Windows\SysWOW64\Qoeeolig.exe Qmgibqjc.exe File opened for modification C:\Windows\SysWOW64\Dkfbfjdf.exe Ddliip32.exe File created C:\Windows\SysWOW64\Abpcooea.exe Process not Found File created C:\Windows\SysWOW64\Pikijafg.dll Process not Found File created C:\Windows\SysWOW64\Ekhkjm32.exe Ehjona32.exe File created C:\Windows\SysWOW64\Mjceldap.dll Process not Found File created C:\Windows\SysWOW64\Cfiini32.dll Miooigfo.exe File created C:\Windows\SysWOW64\Nblnkb32.dll Ofjfhk32.exe File created C:\Windows\SysWOW64\Mhofcjea.dll Ddigjkid.exe File opened for modification C:\Windows\SysWOW64\Pclhdl32.exe Pakllc32.exe File opened for modification C:\Windows\SysWOW64\Meabakda.exe Mngjeamd.exe File opened for modification C:\Windows\SysWOW64\Aomnhd32.exe Process not Found File created C:\Windows\SysWOW64\Pijjilik.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gjifodii.exe Process not Found File created C:\Windows\SysWOW64\Ohkgmi32.dll Mbpnanch.exe File created C:\Windows\SysWOW64\Ccahbp32.exe Ckjpacfp.exe File opened for modification C:\Windows\SysWOW64\Balkchpi.exe Bonoflae.exe File opened for modification C:\Windows\SysWOW64\Heokmmgb.exe Hbqoqbho.exe File created C:\Windows\SysWOW64\Cceogcfj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gqlebf32.exe Gjbmelgm.exe File created C:\Windows\SysWOW64\Njdqka32.exe Nfidjbdg.exe File created C:\Windows\SysWOW64\Mledlaqd.dll Dnoomqbg.exe File created C:\Windows\SysWOW64\Ecqqpgli.exe Ebodiofk.exe File opened for modification C:\Windows\SysWOW64\Eccpoo32.exe Edqocbkp.exe File created C:\Windows\SysWOW64\Geeemeif.exe Gbfiaj32.exe File created C:\Windows\SysWOW64\Aniimjbo.exe Qjnmlk32.exe File created C:\Windows\SysWOW64\Phgjdk32.dll Idfdcijh.exe File opened for modification C:\Windows\SysWOW64\Jioopgef.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aficjnpm.exe Process not Found File created C:\Windows\SysWOW64\Mpioaoic.dll Qjjgclai.exe File opened for modification C:\Windows\SysWOW64\Hkcdafqb.exe Hhehek32.exe File created C:\Windows\SysWOW64\Kincipnk.exe Kbdklf32.exe File created C:\Windows\SysWOW64\Knpemf32.exe Kkaiqk32.exe File opened for modification C:\Windows\SysWOW64\Hjaeba32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hcepqh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bbjdjjdn.exe Baigca32.exe File created C:\Windows\SysWOW64\Noejib32.dll Cffljlpc.exe File created C:\Windows\SysWOW64\Qhilkege.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bhbkpgbf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lndohedg.exe Ljibgg32.exe File created C:\Windows\SysWOW64\Ekhnnojb.dll Process not Found File opened for modification C:\Windows\SysWOW64\Eplkpgnh.exe Eqijej32.exe File opened for modification C:\Windows\SysWOW64\Gdgcpi32.exe Gedbdlbb.exe File created C:\Windows\SysWOW64\Affdle32.exe Anolkh32.exe File created C:\Windows\SysWOW64\Hcldhnkk.exe Process not Found File created C:\Windows\SysWOW64\Cegfepjn.dll Process not Found File created C:\Windows\SysWOW64\Nhlhki32.dll Kjqccigf.exe File created C:\Windows\SysWOW64\Pdaoog32.exe Pfoocjfd.exe File created C:\Windows\SysWOW64\Kfkpknkq.exe Kcmcoblm.exe File created C:\Windows\SysWOW64\Ddblgn32.exe Process not Found File created C:\Windows\SysWOW64\Ojefmknj.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 7504 7724 Process not Found 1861 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hfbhkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cakqgeoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebhchpcd.dll" Hbfepmmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbglcb32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddjmnoki.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll" Nplmop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll" Baadng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijikd32.dll" Mfllkece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Heealhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qggpmn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgefik32.dll" Ojcecjee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cdoajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhiakc32.dll" Daqamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqakadc.dll" Fblmglgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfenefej.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gicaikhj.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhplkhl.dll" Ilqpdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbddqihf.dll" Kqdhhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} dfcfde888f8b4c72052b02909b102180_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppiecpn.dll" Cjbmjplb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkhnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mfglep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahbakd32.dll" Npolmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcbaa32.dll" Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lahkigca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndmjedoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajjfkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gcahoqhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qngmgjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifgnma32.dll" Jolepe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ljghjpfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollopmbl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bpiipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpbgnedh.dll" Mlcbenjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kaklpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nmbknddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgfcja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pakllc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Caidaeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdgkc32.dll" Ajjfkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkqbaecc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kincipnk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2420 wrote to memory of 2360 2420 dfcfde888f8b4c72052b02909b102180_NEIKI.exe 28 PID 2420 wrote to memory of 2360 2420 dfcfde888f8b4c72052b02909b102180_NEIKI.exe 28 PID 2420 wrote to memory of 2360 2420 dfcfde888f8b4c72052b02909b102180_NEIKI.exe 28 PID 2420 wrote to memory of 2360 2420 dfcfde888f8b4c72052b02909b102180_NEIKI.exe 28 PID 2360 wrote to memory of 2152 2360 Ccdlbf32.exe 29 PID 2360 wrote to memory of 2152 2360 Ccdlbf32.exe 29 PID 2360 wrote to memory of 2152 2360 Ccdlbf32.exe 29 PID 2360 wrote to memory of 2152 2360 Ccdlbf32.exe 29 PID 2152 wrote to memory of 2736 2152 Ccfhhffh.exe 30 PID 2152 wrote to memory of 2736 2152 Ccfhhffh.exe 30 PID 2152 wrote to memory of 2736 2152 Ccfhhffh.exe 30 PID 2152 wrote to memory of 2736 2152 Ccfhhffh.exe 30 PID 2736 wrote to memory of 2572 2736 Comimg32.exe 31 PID 2736 wrote to memory of 2572 2736 Comimg32.exe 31 PID 2736 wrote to memory of 2572 2736 Comimg32.exe 31 PID 2736 wrote to memory of 2572 2736 Comimg32.exe 31 PID 2572 wrote to memory of 2620 2572 Cjbmjplb.exe 32 PID 2572 wrote to memory of 2620 2572 Cjbmjplb.exe 32 PID 2572 wrote to memory of 2620 2572 Cjbmjplb.exe 32 PID 2572 wrote to memory of 2620 2572 Cjbmjplb.exe 32 PID 2620 wrote to memory of 2496 2620 Cfinoq32.exe 33 PID 2620 wrote to memory of 2496 2620 Cfinoq32.exe 33 PID 2620 wrote to memory of 2496 2620 Cfinoq32.exe 33 PID 2620 wrote to memory of 2496 2620 Cfinoq32.exe 33 PID 2496 wrote to memory of 2508 2496 Cndbcc32.exe 34 PID 2496 wrote to memory of 2508 2496 Cndbcc32.exe 34 PID 2496 wrote to memory of 2508 2496 Cndbcc32.exe 34 PID 2496 wrote to memory of 2508 2496 Cndbcc32.exe 34 PID 2508 wrote to memory of 2504 2508 Dgmglh32.exe 35 PID 2508 wrote to memory of 2504 2508 Dgmglh32.exe 35 PID 2508 wrote to memory of 2504 2508 Dgmglh32.exe 35 PID 2508 wrote to memory of 2504 2508 Dgmglh32.exe 35 PID 2504 wrote to memory of 2344 2504 Ddagfm32.exe 36 PID 2504 wrote to memory of 2344 2504 Ddagfm32.exe 36 PID 2504 wrote to memory of 2344 2504 Ddagfm32.exe 36 PID 2504 wrote to memory of 2344 2504 Ddagfm32.exe 36 PID 2344 wrote to memory of 2520 2344 Dnilobkm.exe 37 PID 2344 wrote to memory of 2520 2344 Dnilobkm.exe 37 PID 2344 wrote to memory of 2520 2344 Dnilobkm.exe 37 PID 2344 wrote to memory of 2520 2344 Dnilobkm.exe 37 PID 2520 wrote to memory of 2200 2520 Dgaqgh32.exe 38 PID 2520 wrote to memory of 2200 2520 Dgaqgh32.exe 38 PID 2520 wrote to memory of 2200 2520 Dgaqgh32.exe 38 PID 2520 wrote to memory of 2200 2520 Dgaqgh32.exe 38 PID 2200 wrote to memory of 2424 2200 Ddeaalpg.exe 39 PID 2200 wrote to memory of 2424 2200 Ddeaalpg.exe 39 PID 2200 wrote to memory of 2424 2200 Ddeaalpg.exe 39 PID 2200 wrote to memory of 2424 2200 Ddeaalpg.exe 39 PID 2424 wrote to memory of 1288 2424 Dmafennb.exe 40 PID 2424 wrote to memory of 1288 2424 Dmafennb.exe 40 PID 2424 wrote to memory of 1288 2424 Dmafennb.exe 40 PID 2424 wrote to memory of 1288 2424 Dmafennb.exe 40 PID 1288 wrote to memory of 352 1288 Dfijnd32.exe 41 PID 1288 wrote to memory of 352 1288 Dfijnd32.exe 41 PID 1288 wrote to memory of 352 1288 Dfijnd32.exe 41 PID 1288 wrote to memory of 352 1288 Dfijnd32.exe 41 PID 352 wrote to memory of 2864 352 Emcbkn32.exe 42 PID 352 wrote to memory of 2864 352 Emcbkn32.exe 42 PID 352 wrote to memory of 2864 352 Emcbkn32.exe 42 PID 352 wrote to memory of 2864 352 Emcbkn32.exe 42 PID 2864 wrote to memory of 2248 2864 Eflgccbp.exe 43 PID 2864 wrote to memory of 2248 2864 Eflgccbp.exe 43 PID 2864 wrote to memory of 2248 2864 Eflgccbp.exe 43 PID 2864 wrote to memory of 2248 2864 Eflgccbp.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\dfcfde888f8b4c72052b02909b102180_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\dfcfde888f8b4c72052b02909b102180_NEIKI.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:352 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe33⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe34⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe35⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe36⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe37⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe38⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe39⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe40⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe41⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe42⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:300 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe44⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe45⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe46⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe47⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe48⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe49⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe50⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe51⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe52⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe53⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe54⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe55⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe56⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe57⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe58⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe59⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe60⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe61⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe62⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe63⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe64⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe65⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe66⤵PID:2024
-
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe67⤵PID:2408
-
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe68⤵PID:2500
-
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe69⤵PID:1804
-
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe70⤵PID:2148
-
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe71⤵PID:3008
-
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe72⤵PID:2000
-
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe73⤵PID:328
-
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe74⤵PID:3048
-
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe75⤵PID:2776
-
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe76⤵PID:2772
-
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe77⤵PID:2796
-
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe79⤵PID:2580
-
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe80⤵PID:1956
-
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe81⤵PID:2120
-
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe82⤵PID:884
-
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe83⤵PID:2252
-
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe84⤵PID:1520
-
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe85⤵PID:776
-
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe86⤵PID:2804
-
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe87⤵PID:1148
-
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe88⤵PID:900
-
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe89⤵PID:1392
-
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe90⤵PID:1584
-
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe91⤵PID:1720
-
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe92⤵PID:2592
-
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe93⤵PID:2468
-
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe94⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe95⤵PID:2536
-
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe96⤵
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe97⤵PID:1036
-
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe98⤵PID:2184
-
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe99⤵PID:304
-
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe100⤵PID:340
-
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe101⤵PID:2900
-
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe102⤵PID:2440
-
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe103⤵PID:1384
-
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe104⤵PID:2368
-
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe105⤵PID:768
-
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe106⤵PID:2992
-
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe107⤵PID:1592
-
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe108⤵PID:2144
-
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe109⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe110⤵PID:2624
-
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe111⤵PID:2276
-
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe112⤵PID:848
-
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe113⤵PID:1096
-
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe114⤵PID:1748
-
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe115⤵PID:1920
-
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe116⤵PID:1800
-
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe117⤵PID:1964
-
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe118⤵PID:620
-
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe119⤵PID:2212
-
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe120⤵
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe121⤵PID:3016
-
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe122⤵PID:2632
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-