Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 03:37
Behavioral task behavioral1
Sample: e15ebf140356bb92df8859071726c5a0_NEIKI.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: e15ebf140356bb92df8859071726c5a0_NEIKI.exe
Resource: win10v2004-20240508-en
General
Target: e15ebf140356bb92df8859071726c5a0_NEIKI.exe
Size: 143KB
MD5: e15ebf140356bb92df8859071726c5a0
SHA1: c4e667e7783c32b8617f9f99950932becf1132bf
SHA256: 512745830ea66aef9d4208ee877f0e1f136ee50e11e8cc28aa0a95175c5d2199
SHA512: dc3cbeaf87e399bff576c0f0f9b711bbcf79ce97f3a9e68bf00b732714f50964dfdea72ae456599d375cfa915648b49040178e79eaee763644e39f60aee85245
SSDEEP: 1536:RZrFnOemtOZwv3S/Kuy8aL4vzUQ5ziJE93isirBUBEVGBtVM2hZV03fca13y:HJONxOs2z3N93bsGfhv0vt3y
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpcnonob.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jhngjmlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Okojkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ofmbnkhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmecmg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cojema32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ljffag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oqcpob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kjqccigf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldfgebbe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Icmegf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjdjklek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Inngcfid.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljkaeo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckjpacfp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Incbgnmc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Helngnie.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjdnlhco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohfeog32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbnbkbja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcbjgn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nplfdj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkiefp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hahlhkhi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edfpih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkaglf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oeeecekc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ackkppma.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ancefgfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kihqkagp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omdneebf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Endjaief.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkjfah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghkndf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abhimnma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pnmcfeia.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eoigpa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lbackc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlmlecec.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejkima32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aboaff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbokgpgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kiccofna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hijgml32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkomjo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aibcba32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan able to download and install additional malicious software, such as other Trojans, ransomware and cryptominers.
resource | yara_rule
behavioral1/memory/2076-0-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x000d000000012334-5.dat | family_berbew
behavioral1/memory/2076-6-0x0000000000250000-0x0000000000290000-memory.dmp | family_berbew
behavioral1/files/0x0008000000014971-18.dat | family_berbew
behavioral1/memory/2728-22-0x0000000000290000-0x00000000002D0000-memory.dmp | family_berbew
behavioral1/files/0x0007000000014b63-31.dat | family_berbew
behavioral1/memory/2556-32-0x0000000000260000-0x00000000002A0000-memory.dmp | family_berbew
behavioral1/memory/2636-39-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0009000000014e51-45.dat | family_berbew
behavioral1/memory/2580-53-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015ceb-59.dat | family_berbew
behavioral1/memory/2580-60-0x0000000000250000-0x0000000000290000-memory.dmp | family_berbew
behavioral1/memory/2616-72-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015d28-73.dat | family_berbew
behavioral1/memory/2512-81-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015d56-87.dat | family_berbew
behavioral1/memory/1268-94-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015d67-106.dat | family_berbew
behavioral1/memory/2424-107-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015d79-113.dat | family_berbew
behavioral1/memory/2424-114-0x0000000000250000-0x0000000000290000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015d8f-129.dat | family_berbew
behavioral1/memory/2696-133-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/memory/624-134-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015e3a-140.dat | family_berbew
behavioral1/memory/624-142-0x0000000000280000-0x00000000002C0000-memory.dmp | family_berbew
behavioral1/files/0x002f000000014708-155.dat | family_berbew
behavioral1/memory/2960-160-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015fe9-166.dat | family_berbew
behavioral1/memory/2960-167-0x0000000000250000-0x0000000000290000-memory.dmp | family_berbew
behavioral1/files/0x00060000000161e7-179.dat | family_berbew
behavioral1/memory/2824-186-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x00060000000164b2-192.dat | family_berbew
behavioral1/memory/796-199-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x000600000001661c-205.dat | family_berbew
behavioral1/memory/796-211-0x0000000000250000-0x0000000000290000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016a9a-219.dat | family_berbew
behavioral1/memory/2180-226-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016c63-228.dat | family_berbew
behavioral1/memory/1288-232-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016cb7-240.dat | family_berbew
behavioral1/memory/1288-245-0x00000000002D0000-0x0000000000310000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016d0d-248.dat | family_berbew
behavioral1/memory/2344-252-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/memory/1760-251-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016d26-260.dat | family_berbew
behavioral1/files/0x0006000000016d7e-268.dat | family_berbew
behavioral1/memory/348-273-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/memory/936-276-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/memory/936-285-0x0000000000280000-0x00000000002C0000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016da7-282.dat | family_berbew
behavioral1/memory/1068-287-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/memory/936-286-0x0000000000280000-0x00000000002C0000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016dbf-293.dat | family_berbew
behavioral1/memory/1764-298-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016eb2-307.dat | family_berbew
behavioral1/memory/328-313-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x00060000000173d5-315.dat | family_berbew
behavioral1/memory/2384-324-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x00060000000173e0-326.dat | family_berbew
behavioral1/files/0x000600000001745e-336.dat | family_berbew
behavioral1/memory/2596-340-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/memory/2936-339-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x000600000001749c-348.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
2728 | Bhahlj32.exe
2556 | Beehencq.exe
2636 | Balijo32.exe
2580 | Bopicc32.exe
2616 | Bgknheej.exe
2512 | Baqbenep.exe
1268 | Cngcjo32.exe
2424 | Ccdlbf32.exe
2696 | Cphlljge.exe
624 | Cfeddafl.exe
1060 | Cciemedf.exe
2960 | Copfbfjj.exe
2108 | Chhjkl32.exe
2824 | Dbpodagk.exe
796 | Dngoibmo.exe
1492 | Dgodbh32.exe
2180 | Dqhhknjp.exe
1288 | Dgaqgh32.exe
1760 | Ddeaalpg.exe
2344 | Dfgmhd32.exe
348 | Dnneja32.exe
936 | Dgfjbgmh.exe
1068 | Djefobmk.exe
1764 | Ebpkce32.exe
328 | Epdkli32.exe
2384 | Efncicpm.exe
2936 | Eilpeooq.exe
2596 | Ebedndfa.exe
2808 | Enkece32.exe
2476 | Eeempocb.exe
2688 | Egdilkbf.exe
2872 | Fckjalhj.exe
2240 | Fcmgfkeg.exe
2520 | Fmekoalh.exe
1816 | Fpdhklkl.exe
2000 | Facdeo32.exe
1056 | Ffbicfoc.exe
1964 | Gpknlk32.exe
2120 | Gicbeald.exe
1952 | Gpmjak32.exe
596 | Gbnccfpb.exe
1260 | Gdopkn32.exe
1716 | Goddhg32.exe
2052 | Ghmiam32.exe
288 | Gmjaic32.exe
1796 | Gphmeo32.exe
2852 | Ghoegl32.exe
2028 | Hmlnoc32.exe
2300 | Hahjpbad.exe
2832 | Hcifgjgc.exe
2980 | Hkpnhgge.exe
2288 | Hicodd32.exe
2668 | Hdhbam32.exe
2220 | Hckcmjep.exe
2448 | Hlcgeo32.exe
2876 | Hobcak32.exe
1664 | Hellne32.exe
2700 | Hhjhkq32.exe
1028 | Hpapln32.exe
1620 | Hodpgjha.exe
2228 | Henidd32.exe
1980 | Hhmepp32.exe
600 | Hogmmjfo.exe
1832 | Iaeiieeb.exe
Loads dropped DLL (64 IoCs)
pid | Process
2076 | e15ebf140356bb92df8859071726c5a0_NEIKI.exe
2076 | e15ebf140356bb92df8859071726c5a0_NEIKI.exe
2728 | Bhahlj32.exe
2728 | Bhahlj32.exe
2556 | Beehencq.exe
2556 | Beehencq.exe
2636 | Balijo32.exe
2636 | Balijo32.exe
2580 | Bopicc32.exe
2580 | Bopicc32.exe
2616 | Bgknheej.exe
2616 | Bgknheej.exe
2512 | Baqbenep.exe
2512 | Baqbenep.exe
1268 | Cngcjo32.exe
1268 | Cngcjo32.exe
2424 | Ccdlbf32.exe
2424 | Ccdlbf32.exe
2696 | Cphlljge.exe
2696 | Cphlljge.exe
624 | Cfeddafl.exe
624 | Cfeddafl.exe
1060 | Cciemedf.exe
1060 | Cciemedf.exe
2960 | Copfbfjj.exe
2960 | Copfbfjj.exe
2108 | Chhjkl32.exe
2108 | Chhjkl32.exe
2824 | Dbpodagk.exe
2824 | Dbpodagk.exe
796 | Dngoibmo.exe
796 | Dngoibmo.exe
1492 | Dgodbh32.exe
1492 | Dgodbh32.exe
2180 | Dqhhknjp.exe
2180 | Dqhhknjp.exe
1288 | Dgaqgh32.exe
1288 | Dgaqgh32.exe
1760 | Ddeaalpg.exe
1760 | Ddeaalpg.exe
2344 | Dfgmhd32.exe
2344 | Dfgmhd32.exe
348 | Dnneja32.exe
348 | Dnneja32.exe
936 | Dgfjbgmh.exe
936 | Dgfjbgmh.exe
1068 | Djefobmk.exe
1068 | Djefobmk.exe
1764 | Ebpkce32.exe
1764 | Ebpkce32.exe
328 | Epdkli32.exe
328 | Epdkli32.exe
2384 | Efncicpm.exe
2384 | Efncicpm.exe
2936 | Eilpeooq.exe
2936 | Eilpeooq.exe
2596 | Ebedndfa.exe
2596 | Ebedndfa.exe
2808 | Enkece32.exe
2808 | Enkece32.exe
2476 | Eeempocb.exe
2476 | Eeempocb.exe
2688 | Egdilkbf.exe
2688 | Egdilkbf.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Ongbcmlc.dll | Fcmgfkeg.exe
File created | C:\Windows\SysWOW64\Ofbhhkda.dll | Pgpeal32.exe
File opened for modification | C:\Windows\SysWOW64\Cillkbac.exe | Process not Found
File created | C:\Windows\SysWOW64\Fffgkhmc.dll | Process not Found
File created | C:\Windows\SysWOW64\Fppnga32.dll | Cllkin32.exe
File created | C:\Windows\SysWOW64\Hdojinhb.dll | Lneaqn32.exe
File opened for modification | C:\Windows\SysWOW64\Npolmh32.exe | Process not Found
File created | C:\Windows\SysWOW64\Ldkkdd32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Nfdddm32.exe | Process not Found
File created | C:\Windows\SysWOW64\Afdignjb.dll | Ndemjoae.exe
File opened for modification | C:\Windows\SysWOW64\Bfkpqn32.exe | Bdmddc32.exe
File created | C:\Windows\SysWOW64\Hjqmnofi.dll | Process not Found
File created | C:\Windows\SysWOW64\Elooehob.dll | Kdefgj32.exe
File opened for modification | C:\Windows\SysWOW64\Nagbgl32.exe | Process not Found
File created | C:\Windows\SysWOW64\Mjcaimgg.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Jbdonb32.exe | Jkjfah32.exe
File created | C:\Windows\SysWOW64\Lbbjgn32.dll | Pmccjbaf.exe
File opened for modification | C:\Windows\SysWOW64\Aeenochi.exe | Amnfnfgg.exe
File created | C:\Windows\SysWOW64\Binieb32.dll | Cpkkjc32.exe
File created | C:\Windows\SysWOW64\Olfhkk32.dll | Gaafhloq.exe
File opened for modification | C:\Windows\SysWOW64\Bbbgod32.exe | Process not Found
File created | C:\Windows\SysWOW64\Hicodd32.exe | Hkpnhgge.exe
File opened for modification | C:\Windows\SysWOW64\Hckcmjep.exe | Hdhbam32.exe
File created | C:\Windows\SysWOW64\Oqhiplaj.dll | Adnopfoj.exe
File created | C:\Windows\SysWOW64\Lifbmn32.exe | Kgefefnd.exe
File created | C:\Windows\SysWOW64\Pfapejnp.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Kjoifb32.exe | Kgpmjf32.exe
File created | C:\Windows\SysWOW64\Lclgjg32.exe | Lmbonmll.exe
File created | C:\Windows\SysWOW64\Gjmagfog.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Onfoin32.exe | Process not Found
File created | C:\Windows\SysWOW64\Hoebpc32.exe | Hlffdh32.exe
File created | C:\Windows\SysWOW64\Nplfdj32.exe | Nhdocl32.exe
File created | C:\Windows\SysWOW64\Dolnad32.exe | Dlnbeh32.exe
File opened for modification | C:\Windows\SysWOW64\Pjbjhgde.exe | Pcibkm32.exe
File created | C:\Windows\SysWOW64\Eqefma32.dll | Mapccndn.exe
File opened for modification | C:\Windows\SysWOW64\Hpjeialg.exe | Hloiib32.exe
File created | C:\Windows\SysWOW64\Ogknoe32.exe | Process not Found
File created | C:\Windows\SysWOW64\Jcjbelmp.dll | Kmgbdo32.exe
File opened for modification | C:\Windows\SysWOW64\Gbnflo32.exe | Ghiaof32.exe
File created | C:\Windows\SysWOW64\Bfomkg32.dll | Ipehmebh.exe
File created | C:\Windows\SysWOW64\Mbcoio32.exe | Process not Found
File created | C:\Windows\SysWOW64\Bopicc32.exe | Balijo32.exe
File opened for modification | C:\Windows\SysWOW64\Pjhknm32.exe | Pcnbablo.exe
File created | C:\Windows\SysWOW64\Okojkf32.exe | Odebolpe.exe
File opened for modification | C:\Windows\SysWOW64\Dgbeiiqe.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Hgpjhn32.exe | Process not Found
File created | C:\Windows\SysWOW64\Meagci32.exe | Mcbjgn32.exe
File opened for modification | C:\Windows\SysWOW64\Ofhjopbg.exe | Process not Found
File created | C:\Windows\SysWOW64\Imafcg32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Pmgbao32.exe | Process not Found
File created | C:\Windows\SysWOW64\Cefkjiak.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Bqgmfkhg.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ocimgp32.exe | Oqkqkdne.exe
File opened for modification | C:\Windows\SysWOW64\Kohkfj32.exe | Kklpekno.exe
File opened for modification | C:\Windows\SysWOW64\Ejjbbkpj.exe | Ebcjamoh.exe
File opened for modification | C:\Windows\SysWOW64\Pdgkco32.exe | Pnmcfeia.exe
File created | C:\Windows\SysWOW64\Daddfpbk.dll | Idfnicfl.exe
File opened for modification | C:\Windows\SysWOW64\Bgaebe32.exe | Process not Found
File created | C:\Windows\SysWOW64\Cdpkangm.dll | Process not Found
File created | C:\Windows\SysWOW64\Bfkpqn32.exe | Bdmddc32.exe
File opened for modification | C:\Windows\SysWOW64\Fnfcel32.exe | Fmegncpp.exe
File created | C:\Windows\SysWOW64\Ggpbcccn.dll | Process not Found
File created | C:\Windows\SysWOW64\Ibebkc32.dll | Kkaiqk32.exe
File opened for modification | C:\Windows\SysWOW64\Mfelmo32.dll | Gpelnb32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
5724 | 4896 | Process not Found | 428
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmgpon32.dll" | Ilncom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ccngld32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gbcfadgl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bnielm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cdgpnqpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Faigdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lahmbo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pppcjfnh.dll" | Cfhiplmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmebbjme.dll" | Gnpflj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ijdqna32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cklmgb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhmfod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bmbemb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Palkkl32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleajenp.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keledb32.dll" | Copfbfjj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Odebolpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbjhf32.dll" | Lhpfqama.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicdaj32.dll" | Qimhoi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Modkfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akaneplm.dll" | Iaelanmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alenfc32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dgfjbgmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faflglmh.dll" | Ogmhkmki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hphidanj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlnipf32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nlekia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagbb32.dll" | Mdpjlajk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cklfll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgihhjl.dll" | Ghmkjedk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Halbai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkkapd32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfgdhjmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjifqd32.dll" | Aidnohbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll" | Emieil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Liklhmom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bibpad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllmhajo.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lilfnc32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll" | Hcifgjgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbehjo32.dll" | Bfkifhib.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gqlebf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kqdhhm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dbfabp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aplifb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Biojif32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

1. C:\Users\Admin\AppData\Local\Temp\e15ebf140356bb92df8859071726c5a0_NEIKI.exe (command line: "C:\Users\Admin\AppData\Local\Temp\e15ebf140356bb92df8859071726c5a0_NEIKI.exe"), PID 2076
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\Bhahlj32.exe (command line: C:\Windows\system32\Bhahlj32.exe), PID 2728
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\Beehencq.exe (command line: C:\Windows\system32\Beehencq.exe), PID 2556
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

4. C:\Windows\SysWOW64\Balijo32.exe (command line: C:\Windows\system32\Balijo32.exe), PID 2636
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

5. C:\Windows\SysWOW64\Bopicc32.exe (command line: C:\Windows\system32\Bopicc32.exe), PID 2580
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

6. C:\Windows\SysWOW64\Bgknheej.exe (command line: C:\Windows\system32\Bgknheej.exe), PID 2616
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

7. C:\Windows\SysWOW64\Baqbenep.exe (command line: C:\Windows\system32\Baqbenep.exe), PID 2512
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

8. C:\Windows\SysWOW64\Cngcjo32.exe (command line: C:\Windows\system32\Cngcjo32.exe), PID 1268
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

9. C:\Windows\SysWOW64\Ccdlbf32.exe (command line: C:\Windows\system32\Ccdlbf32.exe), PID 2424
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

10. C:\Windows\SysWOW64\Cphlljge.exe (command line: C:\Windows\system32\Cphlljge.exe), PID 2696
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

11. C:\Windows\SysWOW64\Cfeddafl.exe (command line: C:\Windows\system32\Cfeddafl.exe), PID 624
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

12. C:\Windows\SysWOW64\Cciemedf.exe (command line: C:\Windows\system32\Cciemedf.exe), PID 1060
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

13. C:\Windows\SysWOW64\Copfbfjj.exe (command line: C:\Windows\system32\Copfbfjj.exe), PID 2960
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

14. C:\Windows\SysWOW64\Chhjkl32.exe (command line: C:\Windows\system32\Chhjkl32.exe), PID 2108
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

15. C:\Windows\SysWOW64\Dbpodagk.exe (command line: C:\Windows\system32\Dbpodagk.exe), PID 2824
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

16. C:\Windows\SysWOW64\Dngoibmo.exe (command line: C:\Windows\system32\Dngoibmo.exe), PID 796
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

17. C:\Windows\SysWOW64\Dgodbh32.exe (command line: C:\Windows\system32\Dgodbh32.exe), PID 1492
- Executes dropped EXE
- Loads dropped DLL

18. C:\Windows\SysWOW64\Dqhhknjp.exe (command line: C:\Windows\system32\Dqhhknjp.exe), PID 2180
- Executes dropped EXE
- Loads dropped DLL

19. C:\Windows\SysWOW64\Dgaqgh32.exe (command line: C:\Windows\system32\Dgaqgh32.exe), PID 1288
- Executes dropped EXE
- Loads dropped DLL

20. C:\Windows\SysWOW64\Ddeaalpg.exe (command line: C:\Windows\system32\Ddeaalpg.exe), PID 1760
- Executes dropped EXE
- Loads dropped DLL

21. C:\Windows\SysWOW64\Dfgmhd32.exe (command line: C:\Windows\system32\Dfgmhd32.exe), PID 2344
- Executes dropped EXE
- Loads dropped DLL

22. C:\Windows\SysWOW64\Dnneja32.exe (command line: C:\Windows\system32\Dnneja32.exe), PID 348
- Executes dropped EXE
- Loads dropped DLL

23. C:\Windows\SysWOW64\Dgfjbgmh.exe (command line: C:\Windows\system32\Dgfjbgmh.exe), PID 936
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

24. C:\Windows\SysWOW64\Djefobmk.exe (command line: C:\Windows\system32\Djefobmk.exe), PID 1068
- Executes dropped EXE
- Loads dropped DLL

25. C:\Windows\SysWOW64\Ebpkce32.exe (command line: C:\Windows\system32\Ebpkce32.exe), PID 1764
- Executes dropped EXE
- Loads dropped DLL

26. C:\Windows\SysWOW64\Epdkli32.exe (command line: C:\Windows\system32\Epdkli32.exe), PID 328
- Executes dropped EXE
- Loads dropped DLL

27. C:\Windows\SysWOW64\Efncicpm.exe (command line: C:\Windows\system32\Efncicpm.exe), PID 2384
- Executes dropped EXE
- Loads dropped DLL

28. C:\Windows\SysWOW64\Eilpeooq.exe (command line: C:\Windows\system32\Eilpeooq.exe), PID 2936
- Executes dropped EXE
- Loads dropped DLL

29. C:\Windows\SysWOW64\Ebedndfa.exe (command line: C:\Windows\system32\Ebedndfa.exe), PID 2596
- Executes dropped EXE
- Loads dropped DLL

30. C:\Windows\SysWOW64\Enkece32.exe (command line: C:\Windows\system32\Enkece32.exe), PID 2808
- Executes dropped EXE
- Loads dropped DLL

31. C:\Windows\SysWOW64\Eeempocb.exe (command line: C:\Windows\system32\Eeempocb.exe), PID 2476
- Executes dropped EXE
- Loads dropped DLL

32. C:\Windows\SysWOW64\Egdilkbf.exe (command line: C:\Windows\system32\Egdilkbf.exe), PID 2688
- Executes dropped EXE
- Loads dropped DLL

33. C:\Windows\SysWOW64\Fckjalhj.exe (command line: C:\Windows\system32\Fckjalhj.exe), PID 2872
- Executes dropped EXE

34. C:\Windows\SysWOW64\Fcmgfkeg.exe (command line: C:\Windows\system32\Fcmgfkeg.exe), PID 2240
- Executes dropped EXE
- Drops file in System32 directory

35. C:\Windows\SysWOW64\Fmekoalh.exe (command line: C:\Windows\system32\Fmekoalh.exe), PID 2520
- Executes dropped EXE

36. C:\Windows\SysWOW64\Fpdhklkl.exe (command line: C:\Windows\system32\Fpdhklkl.exe), PID 1816
- Executes dropped EXE

37. C:\Windows\SysWOW64\Facdeo32.exe (command line: C:\Windows\system32\Facdeo32.exe), PID 2000
- Executes dropped EXE

38. C:\Windows\SysWOW64\Ffbicfoc.exe (command line: C:\Windows\system32\Ffbicfoc.exe), PID 1056
- Executes dropped EXE

39. C:\Windows\SysWOW64\Gpknlk32.exe (command line: C:\Windows\system32\Gpknlk32.exe), PID 1964
- Executes dropped EXE

40. C:\Windows\SysWOW64\Gicbeald.exe (command line: C:\Windows\system32\Gicbeald.exe), PID 2120
- Executes dropped EXE

41. C:\Windows\SysWOW64\Gpmjak32.exe (command line: C:\Windows\system32\Gpmjak32.exe), PID 1952
- Executes dropped EXE

42. C:\Windows\SysWOW64\Gbnccfpb.exe (command line: C:\Windows\system32\Gbnccfpb.exe), PID 596
- Executes dropped EXE

43. C:\Windows\SysWOW64\Gdopkn32.exe (command line: C:\Windows\system32\Gdopkn32.exe), PID 1260
- Executes dropped EXE

44. C:\Windows\SysWOW64\Goddhg32.exe (command line: C:\Windows\system32\Goddhg32.exe), PID 1716
- Executes dropped EXE

45. C:\Windows\SysWOW64\Ghmiam32.exe (command line: C:\Windows\system32\Ghmiam32.exe), PID 2052
- Executes dropped EXE

46. C:\Windows\SysWOW64\Gmjaic32.exe (command line: C:\Windows\system32\Gmjaic32.exe), PID 288
- Executes dropped EXE

47. C:\Windows\SysWOW64\Gphmeo32.exe (command line: C:\Windows\system32\Gphmeo32.exe), PID 1796
- Executes dropped EXE

48. C:\Windows\SysWOW64\Ghoegl32.exe (command line: C:\Windows\system32\Ghoegl32.exe), PID 2852
- Executes dropped EXE

49. C:\Windows\SysWOW64\Hmlnoc32.exe (command line: C:\Windows\system32\Hmlnoc32.exe), PID 2028
- Executes dropped EXE

50. C:\Windows\SysWOW64\Hahjpbad.exe (command line: C:\Windows\system32\Hahjpbad.exe), PID 2300
- Executes dropped EXE

51. C:\Windows\SysWOW64\Hcifgjgc.exe (command line: C:\Windows\system32\Hcifgjgc.exe), PID 2832
- Executes dropped EXE
- Modifies registry class

52. C:\Windows\SysWOW64\Hgdbhi32.exe (command line: C:\Windows\system32\Hgdbhi32.exe), PID 2252

53. C:\Windows\SysWOW64\Hkpnhgge.exe (command line: C:\Windows\system32\Hkpnhgge.exe), PID 2980
- Executes dropped EXE
- Drops file in System32 directory

54. C:\Windows\SysWOW64\Hicodd32.exe (command line: C:\Windows\system32\Hicodd32.exe), PID 2288
- Executes dropped EXE

55. C:\Windows\SysWOW64\Hdhbam32.exe (command line: C:\Windows\system32\Hdhbam32.exe), PID 2668
- Executes dropped EXE
- Drops file in System32 directory

56. C:\Windows\SysWOW64\Hckcmjep.exe (command line: C:\Windows\system32\Hckcmjep.exe), PID 2220
- Executes dropped EXE

57. C:\Windows\SysWOW64\Hlcgeo32.exe (command line: C:\Windows\system32\Hlcgeo32.exe), PID 2448
- Executes dropped EXE

58. C:\Windows\SysWOW64\Hobcak32.exe (command line: C:\Windows\system32\Hobcak32.exe), PID 2876
- Executes dropped EXE

59. C:\Windows\SysWOW64\Hellne32.exe (command line: C:\Windows\system32\Hellne32.exe), PID 1664
- Executes dropped EXE

60. C:\Windows\SysWOW64\Hhjhkq32.exe (command line: C:\Windows\system32\Hhjhkq32.exe), PID 2700
- Executes dropped EXE

61. C:\Windows\SysWOW64\Hpapln32.exe (command line: C:\Windows\system32\Hpapln32.exe), PID 1028
- Executes dropped EXE

62. C:\Windows\SysWOW64\Hodpgjha.exe (command line: C:\Windows\system32\Hodpgjha.exe), PID 1620
- Executes dropped EXE

63. C:\Windows\SysWOW64\Henidd32.exe (command line: C:\Windows\system32\Henidd32.exe), PID 2228
- Executes dropped EXE

64. C:\Windows\SysWOW64\Hhmepp32.exe (command line: C:\Windows\system32\Hhmepp32.exe), PID 1980
- Executes dropped EXE

65. C:\Windows\SysWOW64\Hogmmjfo.exe (command line: C:\Windows\system32\Hogmmjfo.exe), PID 600
- Executes dropped EXE

66. C:\Windows\SysWOW64\Iaeiieeb.exe (command line: C:\Windows\system32\Iaeiieeb.exe), PID 1832
- Executes dropped EXE

67. C:\Windows\SysWOW64\Ihoafpmp.exe (command line: C:\Windows\system32\Ihoafpmp.exe), PID 1792

68. C:\Windows\SysWOW64\Ioijbj32.exe (command line: C:\Windows\system32\Ioijbj32.exe), PID 996

69. C:\Windows\SysWOW64\Ifcbodli.exe (command line: C:\Windows\system32\Ifcbodli.exe), PID 1016

70. C:\Windows\SysWOW64\Ihankokm.exe (command line: C:\Windows\system32\Ihankokm.exe), PID 304

71. C:\Windows\SysWOW64\Inngcfid.exe (command line: C:\Windows\system32\Inngcfid.exe), PID 2788
- Adds autorun key to be loaded by Explorer.exe on startup

72. C:\Windows\SysWOW64\Iggkllpe.exe (command line: C:\Windows\system32\Iggkllpe.exe), PID 1568

73. C:\Windows\SysWOW64\Ijeghgoh.exe (command line: C:\Windows\system32\Ijeghgoh.exe), PID 2560

74. C:\Windows\SysWOW64\Iqopea32.exe (command line: C:\Windows\system32\Iqopea32.exe), PID 2772

75. C:\Windows\SysWOW64\Idklfpon.exe (command line: C:\Windows\system32\Idklfpon.exe), PID 2468

76. C:\Windows\SysWOW64\Imfqjbli.exe (command line: C:\Windows\system32\Imfqjbli.exe), PID 2504

77. C:\Windows\SysWOW64\Idmhkpml.exe (command line: C:\Windows\system32\Idmhkpml.exe), PID 2744

78. C:\Windows\SysWOW64\Ifnechbj.exe (command line: C:\Windows\system32\Ifnechbj.exe), PID 1512

79. C:\Windows\SysWOW64\Jqdipqbp.exe (command line: C:\Windows\system32\Jqdipqbp.exe), PID 704

80. C:\Windows\SysWOW64\Jcbellac.exe (command line: C:\Windows\system32\Jcbellac.exe), PID 2428

81. C:\Windows\SysWOW64\Jfqahgpg.exe (command line: C:\Windows\system32\Jfqahgpg.exe), PID 980

82. C:\Windows\SysWOW64\Jmjjea32.exe (command line: C:\Windows\system32\Jmjjea32.exe), PID 604

83. C:\Windows\SysWOW64\Jcgogk32.exe (command line: C:\Windows\system32\Jcgogk32.exe), PID 1628

84. C:\Windows\SysWOW64\Jbjochdi.exe (command line: C:\Windows\system32\Jbjochdi.exe), PID 320

85. C:\Windows\SysWOW64\Jehkodcm.exe (command line: C:\Windows\system32\Jehkodcm.exe), PID 2004

86. C:\Windows\SysWOW64\Jmocpado.exe (command line: C:\Windows\system32\Jmocpado.exe), PID 2856

87. C:\Windows\SysWOW64\Jonplmcb.exe (command line: C:\Windows\system32\Jonplmcb.exe), PID 2212

88. C:\Windows\SysWOW64\Jejhecaj.exe (command line: C:\Windows\system32\Jejhecaj.exe), PID 1588

89. C:\Windows\SysWOW64\Joplbl32.exe (command line: C:\Windows\system32\Joplbl32.exe), PID 2672

90. C:\Windows\SysWOW64\Jnclnihj.exe (command line: C:\Windows\system32\Jnclnihj.exe), PID 2444

91. C:\Windows\SysWOW64\Kihqkagp.exe (command line: C:\Windows\system32\Kihqkagp.exe), PID 1504
- Adds autorun key to be loaded by Explorer.exe on startup

92. C:\Windows\SysWOW64\Kkgmgmfd.exe (command line: C:\Windows\system32\Kkgmgmfd.exe), PID 1672

93. C:\Windows\SysWOW64\Kbqecg32.exe (command line: C:\Windows\system32\Kbqecg32.exe), PID 1032

94. C:\Windows\SysWOW64\Keoapb32.exe (command line: C:\Windows\system32\Keoapb32.exe), PID 2124

95. C:\Windows\SysWOW64\Kgnnln32.exe (command line: C:\Windows\system32\Kgnnln32.exe), PID 1296

96. C:\Windows\SysWOW64\Kngfih32.exe (command line: C:\Windows\system32\Kngfih32.exe), PID 2548

97. C:\Windows\SysWOW64\Keanebkb.exe (command line: C:\Windows\system32\Keanebkb.exe), PID 1284

98. C:\Windows\SysWOW64\Kfbkmk32.exe (command line: C:\Windows\system32\Kfbkmk32.exe), PID 1684

99. C:\Windows\SysWOW64\Kahojc32.exe (command line: C:\Windows\system32\Kahojc32.exe), PID 3032

100. C:\Windows\SysWOW64\Kpkofpgq.exe (command line: C:\Windows\system32\Kpkofpgq.exe), PID 1528

101. C:\Windows\SysWOW64\Kcfkfo32.exe (command line: C:\Windows\system32\Kcfkfo32.exe), PID 2984

102. C:\Windows\SysWOW64\Kjqccigf.exe (command line: C:\Windows\system32\Kjqccigf.exe), PID 2208
- Adds autorun key to be loaded by Explorer.exe on startup

103. C:\Windows\SysWOW64\Kiccofna.exe (command line: C:\Windows\system32\Kiccofna.exe), PID 2732
- Adds autorun key to be loaded by Explorer.exe on startup

104. C:\Windows\SysWOW64\Kaklpcoc.exe (command line: C:\Windows\system32\Kaklpcoc.exe), PID 2608

105. C:\Windows\SysWOW64\Kfgdhjmk.exe (command line: C:\Windows\system32\Kfgdhjmk.exe), PID 2588
- Modifies registry class

106. C:\Windows\SysWOW64\Kifpdelo.exe (command line: C:\Windows\system32\Kifpdelo.exe), PID 2708

107. C:\Windows\SysWOW64\Lldlqakb.exe (command line: C:\Windows\system32\Lldlqakb.exe), PID 2540

108. C:\Windows\SysWOW64\Lckdanld.exe (command line: C:\Windows\system32\Lckdanld.exe), PID 1744

109. C:\Windows\SysWOW64\Lihmjejl.exe (command line: C:\Windows\system32\Lihmjejl.exe), PID 2184

110. C:\Windows\SysWOW64\Lmcijcbe.exe (command line: C:\Windows\system32\Lmcijcbe.exe), PID 324

111. C:\Windows\SysWOW64\Lbqabkql.exe (command line: C:\Windows\system32\Lbqabkql.exe), PID 616

112. C:\Windows\SysWOW64\Leonofpp.exe (command line: C:\Windows\system32\Leonofpp.exe), PID 2408

113. C:\Windows\SysWOW64\Lhmjkaoc.exe (command line: C:\Windows\system32\Lhmjkaoc.exe), PID 1604

114. C:\Windows\SysWOW64\Lpdbloof.exe (command line: C:\Windows\system32\Lpdbloof.exe), PID 1800

115. C:\Windows\SysWOW64\Leajdfnm.exe (command line: C:\Windows\system32\Leajdfnm.exe), PID 2904

116. C:\Windows\SysWOW64\Lhpfqama.exe (command line: C:\Windows\system32\Lhpfqama.exe), PID 2168
- Modifies registry class

117. C:\Windows\SysWOW64\Lkncmmle.exe (command line: C:\Windows\system32\Lkncmmle.exe), PID 2496

118. C:\Windows\SysWOW64\Lbeknj32.exe (command line: C:\Windows\system32\Lbeknj32.exe), PID 1848

119. C:\Windows\SysWOW64\Ldfgebbe.exe (command line: C:\Windows\system32\Ldfgebbe.exe), PID 1908
- Adds autorun key to be loaded by Explorer.exe on startup

120. C:\Windows\SysWOW64\Llnofpcg.exe (command line: C:\Windows\system32\Llnofpcg.exe), PID 2632

121. C:\Windows\SysWOW64\Lmolnh32.exe (command line: C:\Windows\system32\Lmolnh32.exe), PID 2284

122. C:\Windows\SysWOW64\Lajhofao.exe (command line: C:\Windows\system32\Lajhofao.exe), PID 3068