Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 03:35
Behavioral task
behavioral1
Sample
e0c91f179e4912ae202815a1214a9160_NEIKI.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
e0c91f179e4912ae202815a1214a9160_NEIKI.exe
Resource
win10v2004-20240226-en
General
-
Target
e0c91f179e4912ae202815a1214a9160_NEIKI.exe
-
Size
362KB
-
MD5
e0c91f179e4912ae202815a1214a9160
-
SHA1
a980961f59760ef24092ac8dea6459f204be4bab
-
SHA256
e4d422c4f14810a5509e2be2d02e974d80d3e50edf6abdafe41c3c5585dc87e3
-
SHA512
5c37e9405a11c266abd58a9c1669d5b78f39248a5a7dda1576a69363378a0e37250d0afbb3b069adef4466e1dfd559ced5aadc15443a9f91323b0f0d13ab10d7
-
SSDEEP
6144:OZv2M8gtGDuMEUrQVad7nG3mbDp2o+SsmiMyhtHEyr5psPc1aj8DOvlvuZxriEl/:cv2MztmuMtrQ07nGWxWSsmiMyh95r5Oa
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lahkigca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkcdafqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cddjebgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lndohedg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjnmlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnpnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpgfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jifdebic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kemejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efncicpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feeiob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkkmqnck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjndop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qbcpbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihgainbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onpjghhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalmklfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihankokm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igihbknb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafndg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifnechbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfjhgdck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leljop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhlfmgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifnechbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gakcimgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pklhlael.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qeohnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmahdggc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogblbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcefjgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Endhhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjqiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oaiibg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Balkchpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Comimg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqlafm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnclnihj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbhabjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piehkkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Echfaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fenmdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipgbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmfjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icfofg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oebimf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebpkce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkeelohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cadhnmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmkcoap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnojdcfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncgdbmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjgiiad.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000e00000001214d-5.dat family_berbew behavioral1/files/0x000800000001451c-18.dat family_berbew behavioral1/files/0x0007000000014733-33.dat family_berbew behavioral1/files/0x0007000000014856-47.dat family_berbew behavioral1/files/0x0007000000015cb7-61.dat family_berbew behavioral1/files/0x0006000000015cd6-81.dat family_berbew behavioral1/files/0x0006000000015cea-89.dat family_berbew behavioral1/files/0x0006000000015cfd-102.dat family_berbew behavioral1/files/0x0006000000015d13-116.dat family_berbew behavioral1/files/0x0039000000014415-136.dat family_berbew behavioral1/files/0x0006000000015d72-144.dat family_berbew behavioral1/files/0x0006000000015de5-165.dat family_berbew behavioral1/files/0x0006000000015fd4-172.dat family_berbew behavioral1/files/0x0006000000016133-186.dat family_berbew behavioral1/files/0x0006000000016448-200.dat family_berbew behavioral1/files/0x00060000000165d4-220.dat family_berbew behavioral1/files/0x0006000000016a7d-229.dat family_berbew behavioral1/files/0x0006000000016c5d-238.dat family_berbew behavioral1/files/0x0006000000016caf-248.dat family_berbew behavioral1/memory/444-255-0x00000000003B0000-0x00000000003F1000-memory.dmp family_berbew behavioral1/files/0x0006000000016d05-258.dat family_berbew behavioral1/files/0x0006000000016d22-269.dat family_berbew behavioral1/memory/1532-276-0x0000000000290000-0x00000000002D1000-memory.dmp family_berbew behavioral1/files/0x0006000000016d33-279.dat family_berbew behavioral1/memory/1604-283-0x00000000002F0000-0x0000000000331000-memory.dmp family_berbew behavioral1/memory/1604-282-0x00000000002F0000-0x0000000000331000-memory.dmp family_berbew behavioral1/files/0x0006000000016d44-292.dat family_berbew behavioral1/memory/1640-297-0x0000000001FA0000-0x0000000001FE1000-memory.dmp family_berbew behavioral1/memory/1640-293-0x0000000001FA0000-0x0000000001FE1000-memory.dmp family_berbew behavioral1/files/0x0006000000016d55-301.dat family_berbew behavioral1/memory/1244-305-0x00000000002D0000-0x0000000000311000-memory.dmp family_berbew behavioral1/memory/1244-304-0x00000000002D0000-0x0000000000311000-memory.dmp family_berbew behavioral1/files/0x0006000000016d6c-314.dat family_berbew behavioral1/memory/772-316-0x0000000000310000-0x0000000000351000-memory.dmp family_berbew behavioral1/memory/772-315-0x0000000000310000-0x0000000000351000-memory.dmp family_berbew behavioral1/files/0x0006000000016d78-323.dat family_berbew behavioral1/memory/1148-327-0x0000000000450000-0x0000000000491000-memory.dmp family_berbew behavioral1/memory/1148-326-0x0000000000450000-0x0000000000491000-memory.dmp family_berbew behavioral1/files/0x0006000000016db2-334.dat family_berbew behavioral1/memory/2248-338-0x0000000000310000-0x0000000000351000-memory.dmp family_berbew behavioral1/files/0x0006000000016dd1-345.dat family_berbew behavioral1/files/0x000600000001720f-358.dat family_berbew behavioral1/memory/2068-360-0x00000000002A0000-0x00000000002E1000-memory.dmp family_berbew behavioral1/memory/2200-370-0x00000000002E0000-0x0000000000321000-memory.dmp family_berbew behavioral1/files/0x00060000000173d3-367.dat family_berbew behavioral1/files/0x0006000000017568-378.dat family_berbew behavioral1/memory/2500-393-0x0000000000260000-0x00000000002A1000-memory.dmp family_berbew behavioral1/memory/2500-392-0x0000000000260000-0x00000000002A1000-memory.dmp family_berbew behavioral1/files/0x00060000000175f4-389.dat family_berbew behavioral1/files/0x0005000000018701-400.dat family_berbew behavioral1/memory/2636-408-0x00000000002A0000-0x00000000002E1000-memory.dmp family_berbew behavioral1/memory/2636-407-0x00000000002A0000-0x00000000002E1000-memory.dmp family_berbew behavioral1/files/0x0005000000018711-411.dat family_berbew behavioral1/files/0x0005000000018784-424.dat family_berbew behavioral1/files/0x00050000000187a2-431.dat family_berbew behavioral1/memory/284-435-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew behavioral1/memory/284-434-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew behavioral1/memory/2640-446-0x00000000003B0000-0x00000000003F1000-memory.dmp family_berbew behavioral1/memory/2640-445-0x00000000003B0000-0x00000000003F1000-memory.dmp family_berbew behavioral1/files/0x0006000000018bc6-442.dat family_berbew behavioral1/files/0x00060000000190d6-453.dat family_berbew behavioral1/memory/2128-457-0x00000000002E0000-0x0000000000321000-memory.dmp family_berbew behavioral1/memory/2128-456-0x00000000002E0000-0x0000000000321000-memory.dmp family_berbew behavioral1/files/0x0005000000019349-464.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2008 Ldnhad32.exe 2604 Lpeifeca.exe 2692 Lpgele32.exe 2580 Llnfaffc.exe 2728 Llqcfe32.exe 2496 Mcjkcplm.exe 2288 Migpeiag.exe 1424 Mabejlob.exe 2140 Mepnpj32.exe 316 Mkmfhacp.exe 2272 Nnnojlpa.exe 2356 Nkaocp32.exe 2216 Nocemcbj.exe 1516 Nhlifi32.exe 2124 Nohnhc32.exe 1476 Ohqbqhde.exe 632 Okalbc32.exe 444 Obkdonic.exe 2100 Odjpkihg.exe 1532 Oghlgdgk.exe 1604 Ocomlemo.exe 1640 Okfencna.exe 1244 Ogmfbd32.exe 772 Ongnonkb.exe 1148 Pjmodopf.exe 2248 Pmlkpjpj.exe 1700 Piblek32.exe 2068 Plahag32.exe 2200 Piehkkcl.exe 2592 Ppoqge32.exe 2500 Plfamfpm.exe 2636 Pbpjiphi.exe 2468 Penfelgm.exe 2712 Qlhnbf32.exe 284 Qmlgonbe.exe 2640 Qagcpljo.exe 2128 Ajphib32.exe 1980 Adhlaggp.exe 1584 Ajbdna32.exe 1620 Aalmklfi.exe 2960 Afiecb32.exe 2236 Ambmpmln.exe 2224 Apajlhka.exe 1112 Afkbib32.exe 828 Aiinen32.exe 2436 Afmonbqk.exe 976 Ailkjmpo.exe 1348 Aljgfioc.exe 660 Boiccdnf.exe 696 Bebkpn32.exe 2964 Bhahlj32.exe 2972 Bbflib32.exe 2908 Baildokg.exe 2832 Bhcdaibd.exe 3040 Bkaqmeah.exe 2596 Begeknan.exe 2784 Bhfagipa.exe 2764 Bnbjopoi.exe 2976 Bpafkknm.exe 1664 Bgknheej.exe 2144 Bjijdadm.exe 1900 Bpcbqk32.exe 2804 Cgmkmecg.exe 2352 Ckignd32.exe -
Loads dropped DLL 64 IoCs
pid Process 2740 e0c91f179e4912ae202815a1214a9160_NEIKI.exe 2740 e0c91f179e4912ae202815a1214a9160_NEIKI.exe 2008 Ldnhad32.exe 2008 Ldnhad32.exe 2604 Lpeifeca.exe 2604 Lpeifeca.exe 2692 Lpgele32.exe 2692 Lpgele32.exe 2580 Llnfaffc.exe 2580 Llnfaffc.exe 2728 Llqcfe32.exe 2728 Llqcfe32.exe 2496 Mcjkcplm.exe 2496 Mcjkcplm.exe 2288 Migpeiag.exe 2288 Migpeiag.exe 1424 Mabejlob.exe 1424 Mabejlob.exe 2140 Mepnpj32.exe 2140 Mepnpj32.exe 316 Mkmfhacp.exe 316 Mkmfhacp.exe 2272 Nnnojlpa.exe 2272 Nnnojlpa.exe 2356 Nkaocp32.exe 2356 Nkaocp32.exe 2216 Nocemcbj.exe 2216 Nocemcbj.exe 1516 Nhlifi32.exe 1516 Nhlifi32.exe 2124 Nohnhc32.exe 2124 Nohnhc32.exe 1476 Ohqbqhde.exe 1476 Ohqbqhde.exe 632 Okalbc32.exe 632 Okalbc32.exe 444 Obkdonic.exe 444 Obkdonic.exe 2100 Odjpkihg.exe 2100 Odjpkihg.exe 1532 Oghlgdgk.exe 1532 Oghlgdgk.exe 1604 Ocomlemo.exe 1604 Ocomlemo.exe 1640 Okfencna.exe 1640 Okfencna.exe 1244 Ogmfbd32.exe 1244 Ogmfbd32.exe 772 Ongnonkb.exe 772 Ongnonkb.exe 1148 Pjmodopf.exe 1148 Pjmodopf.exe 2248 Pmlkpjpj.exe 2248 Pmlkpjpj.exe 1700 Piblek32.exe 1700 Piblek32.exe 2068 Plahag32.exe 2068 Plahag32.exe 2200 Piehkkcl.exe 2200 Piehkkcl.exe 2592 Ppoqge32.exe 2592 Ppoqge32.exe 2500 Plfamfpm.exe 2500 Plfamfpm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nlbeqb32.exe Nehmdhja.exe File created C:\Windows\SysWOW64\Cljiflem.dll Jghmfhmb.exe File opened for modification C:\Windows\SysWOW64\Aganeoip.exe Aaheie32.exe File created C:\Windows\SysWOW64\Mlibjc32.exe Mijfnh32.exe File created C:\Windows\SysWOW64\Ddgjdk32.exe Dcenlceh.exe File created C:\Windows\SysWOW64\Nqdgapkm.dll Jbgkcb32.exe File created C:\Windows\SysWOW64\Okanklik.exe Oaiibg32.exe File created C:\Windows\SysWOW64\Hkfmal32.dll Chcqpmep.exe File created C:\Windows\SysWOW64\Mcbndm32.dll Dbpodagk.exe File created C:\Windows\SysWOW64\Qpehocqo.dll Hakphqja.exe File created C:\Windows\SysWOW64\Nlpdbghp.dll Pnimnfpc.exe File created C:\Windows\SysWOW64\Blkioa32.exe Bilmcf32.exe File opened for modification C:\Windows\SysWOW64\Goddhg32.exe Gkihhhnm.exe File created C:\Windows\SysWOW64\Ecjlgm32.dll Iipgcaob.exe File opened for modification C:\Windows\SysWOW64\Lpekon32.exe Lndohedg.exe File created C:\Windows\SysWOW64\Ncgdbmmp.exe Nolhan32.exe File opened for modification C:\Windows\SysWOW64\Agdjkogm.exe Aajbne32.exe File opened for modification C:\Windows\SysWOW64\Bbflib32.exe Bhahlj32.exe File created C:\Windows\SysWOW64\Facdeo32.exe Fjilieka.exe File created C:\Windows\SysWOW64\Ejmmiihp.dll Ckoilb32.exe File created C:\Windows\SysWOW64\Fadminnn.exe Fnfamcoj.exe File created C:\Windows\SysWOW64\Ohgbmh32.dll Nhlifi32.exe File created C:\Windows\SysWOW64\Nbfphc32.dll Fcjcfe32.exe File opened for modification C:\Windows\SysWOW64\Niebhf32.exe Nckjkl32.exe File created C:\Windows\SysWOW64\Fiedkadc.dll Ohqbqhde.exe File created C:\Windows\SysWOW64\Dbkknojp.exe Dkqbaecc.exe File opened for modification C:\Windows\SysWOW64\Enhacojl.exe Efaibbij.exe File created C:\Windows\SysWOW64\Giicle32.dll Hipkdnmf.exe File created C:\Windows\SysWOW64\Lbbjgn32.dll Pfikmh32.exe File created C:\Windows\SysWOW64\Fcmbeioh.dll Piblek32.exe File created C:\Windows\SysWOW64\Bhcdaibd.exe Baildokg.exe File opened for modification C:\Windows\SysWOW64\Bhcdaibd.exe Baildokg.exe File created C:\Windows\SysWOW64\Bjijdadm.exe Bgknheej.exe File opened for modification C:\Windows\SysWOW64\Lmcijcbe.exe Lemaif32.exe File opened for modification C:\Windows\SysWOW64\Pclfkc32.exe Pmanoifd.exe File created C:\Windows\SysWOW64\Jmocpado.exe Jbjochdi.exe File created C:\Windows\SysWOW64\Jbkpmm32.dll Mhbped32.exe File created C:\Windows\SysWOW64\Pdaoog32.exe Pfoocjfd.exe File opened for modification C:\Windows\SysWOW64\Jcjdpj32.exe Jqlhdo32.exe File created C:\Windows\SysWOW64\Bipikqbi.dll Joaeeklp.exe File opened for modification C:\Windows\SysWOW64\Neplhf32.exe Nofdklgl.exe File created C:\Windows\SysWOW64\Ohaeia32.exe Oebimf32.exe File opened for modification C:\Windows\SysWOW64\Baildokg.exe Bbflib32.exe File created C:\Windows\SysWOW64\Ojdngl32.dll Bhahlj32.exe File opened for modification C:\Windows\SysWOW64\Ckoilb32.exe Ceaadk32.exe File opened for modification C:\Windows\SysWOW64\Mlfojn32.exe Melfncqb.exe File created C:\Windows\SysWOW64\Bhfagipa.exe Begeknan.exe File created C:\Windows\SysWOW64\Inqcif32.exe Ikbgmj32.exe File created C:\Windows\SysWOW64\Mcaiqm32.dll Ofmbnkhg.exe File created C:\Windows\SysWOW64\Dlcdphdj.dll Claifkkf.exe File created C:\Windows\SysWOW64\Hnojdcfi.exe Hkpnhgge.exe File opened for modification C:\Windows\SysWOW64\Lhpfqama.exe Lafndg32.exe File created C:\Windows\SysWOW64\Kpbbidem.dll Nehmdhja.exe File created C:\Windows\SysWOW64\Dfmdho32.exe Cahail32.exe File created C:\Windows\SysWOW64\Egqdeaqb.dll Djmicm32.exe File created C:\Windows\SysWOW64\Ikhbnkpn.dll Fjmaaddo.exe File created C:\Windows\SysWOW64\Gbdalp32.dll Ngdifkpi.exe File created C:\Windows\SysWOW64\Aijpnfif.exe Abphal32.exe File created C:\Windows\SysWOW64\Omeope32.dll Chhjkl32.exe File opened for modification C:\Windows\SysWOW64\Gpmjak32.exe Ghfbqn32.exe File created C:\Windows\SysWOW64\Ajecmj32.exe Ackkppma.exe File created C:\Windows\SysWOW64\Ojolhk32.exe Ndbcpd32.exe File created C:\Windows\SysWOW64\Oddpfc32.exe Onjgiiad.exe File opened for modification C:\Windows\SysWOW64\Gdgcpi32.exe Fmmkcoap.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5584 5568 WerFault.exe 571 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndmjedoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glgaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflcmqaa.dll" Oghopm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfnmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhekfh32.dll" Ajbdna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijmee32.dll" Nhiffc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjpnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll" Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhlioai.dll" Behnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejmmiihp.dll" Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cahail32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocomlemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfbkmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lndohedg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll" Fphafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godgob32.dll" Gebbnpfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Onecbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pgbafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mieeibkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfqqcc32.dll" Ldnhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohqbqhde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbdklf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mholen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebjglbml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Leljop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcpbee32.dll" Melfncqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmhbhf32.dll" Hdnepk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdmddc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mabejlob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbkoipg.dll" Ogmfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iipgcaob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iefhhbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcfhi32.dll" Lfdmggnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Globlmmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID e0c91f179e4912ae202815a1214a9160_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jchhkjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Melfncqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Anlfbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ghfbqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gaemjbcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpbefoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhiffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aaloddnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll" Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afcklihm.dll" Ilncom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knklagmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iimckbco.dll" Lghjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcjcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Igonafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mmhodf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kklpekno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Beejng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afkbib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdgapkm.dll" Jbgkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aganeoip.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2740 wrote to memory of 2008 2740 e0c91f179e4912ae202815a1214a9160_NEIKI.exe 28 PID 2740 wrote to memory of 2008 2740 e0c91f179e4912ae202815a1214a9160_NEIKI.exe 28 PID 2740 wrote to memory of 2008 2740 e0c91f179e4912ae202815a1214a9160_NEIKI.exe 28 PID 2740 wrote to memory of 2008 2740 e0c91f179e4912ae202815a1214a9160_NEIKI.exe 28 PID 2008 wrote to memory of 2604 2008 Ldnhad32.exe 29 PID 2008 wrote to memory of 2604 2008 Ldnhad32.exe 29 PID 2008 wrote to memory of 2604 2008 Ldnhad32.exe 29 PID 2008 wrote to memory of 2604 2008 Ldnhad32.exe 29 PID 2604 wrote to memory of 2692 2604 Lpeifeca.exe 30 PID 2604 wrote to memory of 2692 2604 Lpeifeca.exe 30 PID 2604 wrote to memory of 2692 2604 Lpeifeca.exe 30 PID 2604 wrote to memory of 2692 2604 Lpeifeca.exe 30 PID 2692 wrote to memory of 2580 2692 Lpgele32.exe 31 PID 2692 wrote to memory of 2580 2692 Lpgele32.exe 31 PID 2692 wrote to memory of 2580 2692 Lpgele32.exe 31 PID 2692 wrote to memory of 2580 2692 Lpgele32.exe 31 PID 2580 wrote to memory of 2728 2580 Llnfaffc.exe 32 PID 2580 wrote to memory of 2728 2580 Llnfaffc.exe 32 PID 2580 wrote to memory of 2728 2580 Llnfaffc.exe 32 PID 2580 wrote to memory of 2728 2580 Llnfaffc.exe 32 PID 2728 wrote to memory of 2496 2728 Llqcfe32.exe 33 PID 2728 wrote to memory of 2496 2728 Llqcfe32.exe 33 PID 2728 wrote to memory of 2496 2728 Llqcfe32.exe 33 PID 2728 wrote to memory of 2496 2728 Llqcfe32.exe 33 PID 2496 wrote to memory of 2288 2496 Mcjkcplm.exe 34 PID 2496 wrote to memory of 2288 2496 Mcjkcplm.exe 34 PID 2496 wrote to memory of 2288 2496 Mcjkcplm.exe 34 PID 2496 wrote to memory of 2288 2496 Mcjkcplm.exe 34 PID 2288 wrote to memory of 1424 2288 Migpeiag.exe 35 PID 2288 wrote to memory of 1424 2288 Migpeiag.exe 35 PID 2288 wrote to memory of 1424 2288 Migpeiag.exe 35 PID 2288 wrote to memory of 1424 2288 Migpeiag.exe 35 PID 1424 wrote to memory of 2140 1424 Mabejlob.exe 36 PID 1424 wrote to memory of 2140 1424 Mabejlob.exe 36 PID 1424 wrote to memory of 2140 1424 Mabejlob.exe 36 PID 1424 wrote to memory of 2140 1424 Mabejlob.exe 36 PID 2140 wrote to memory of 316 2140 Mepnpj32.exe 37 PID 2140 wrote to memory of 316 2140 Mepnpj32.exe 37 PID 2140 wrote to memory of 316 2140 Mepnpj32.exe 37 PID 2140 wrote to memory of 316 2140 Mepnpj32.exe 37 PID 316 wrote to memory of 2272 316 Mkmfhacp.exe 38 PID 316 wrote to memory of 2272 316 Mkmfhacp.exe 38 PID 316 wrote to memory of 2272 316 Mkmfhacp.exe 38 PID 316 wrote to memory of 2272 316 Mkmfhacp.exe 38 PID 2272 wrote to memory of 2356 2272 Nnnojlpa.exe 39 PID 2272 wrote to memory of 2356 2272 Nnnojlpa.exe 39 PID 2272 wrote to memory of 2356 2272 Nnnojlpa.exe 39 PID 2272 wrote to memory of 2356 2272 Nnnojlpa.exe 39 PID 2356 wrote to memory of 2216 2356 Nkaocp32.exe 40 PID 2356 wrote to memory of 2216 2356 Nkaocp32.exe 40 PID 2356 wrote to memory of 2216 2356 Nkaocp32.exe 40 PID 2356 wrote to memory of 2216 2356 Nkaocp32.exe 40 PID 2216 wrote to memory of 1516 2216 Nocemcbj.exe 41 PID 2216 wrote to memory of 1516 2216 Nocemcbj.exe 41 PID 2216 wrote to memory of 1516 2216 Nocemcbj.exe 41 PID 2216 wrote to memory of 1516 2216 Nocemcbj.exe 41 PID 1516 wrote to memory of 2124 1516 Nhlifi32.exe 42 PID 1516 wrote to memory of 2124 1516 Nhlifi32.exe 42 PID 1516 wrote to memory of 2124 1516 Nhlifi32.exe 42 PID 1516 wrote to memory of 2124 1516 Nhlifi32.exe 42 PID 2124 wrote to memory of 1476 2124 Nohnhc32.exe 43 PID 2124 wrote to memory of 1476 2124 Nohnhc32.exe 43 PID 2124 wrote to memory of 1476 2124 Nohnhc32.exe 43 PID 2124 wrote to memory of 1476 2124 Nohnhc32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0c91f179e4912ae202815a1214a9160_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\e0c91f179e4912ae202815a1214a9160_NEIKI.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:632 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:444 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe33⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe34⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe35⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe36⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe37⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe38⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe39⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe42⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe43⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe44⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe46⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe47⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe48⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe49⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe50⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe51⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe56⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe58⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe59⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe60⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe62⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe63⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe64⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe65⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe66⤵PID:2084
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe67⤵PID:1792
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:540 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe69⤵PID:1484
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe70⤵PID:1768
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe71⤵
- Drops file in System32 directory
PID:864 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:612 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe73⤵
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe74⤵PID:2904
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe75⤵PID:1680
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe76⤵
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe77⤵PID:2732
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe78⤵
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe79⤵PID:812
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe80⤵PID:2552
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe81⤵PID:1864
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe83⤵PID:1212
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe84⤵PID:2304
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe85⤵PID:484
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe86⤵
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe87⤵PID:3068
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe88⤵PID:1628
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:624 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe90⤵PID:1044
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe91⤵PID:1596
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe92⤵PID:1252
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe93⤵PID:2668
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2476 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2628 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe96⤵PID:2256
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe97⤵PID:2136
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2176 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe100⤵PID:2448
-
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe101⤵PID:2444
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe102⤵PID:1892
-
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe103⤵PID:1072
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe104⤵PID:2324
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe105⤵PID:2368
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe106⤵PID:1732
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe107⤵
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe108⤵PID:3000
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe109⤵PID:2672
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe110⤵PID:3004
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe111⤵
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1808 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe113⤵PID:2532
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe115⤵PID:1636
-
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe116⤵PID:1684
-
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe117⤵PID:1796
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe118⤵
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe119⤵PID:3016
-
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:468 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe121⤵
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe122⤵PID:2568
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-