Analysis
-
max time kernel
131s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 03:39
Behavioral task
behavioral1
Sample
e1f99531ed31b1a7d28d970e554dc4b0_NEIKI.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
e1f99531ed31b1a7d28d970e554dc4b0_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
e1f99531ed31b1a7d28d970e554dc4b0_NEIKI.exe
-
Size
256KB
-
MD5
e1f99531ed31b1a7d28d970e554dc4b0
-
SHA1
8f46a3d823a15723b29b864705c7a9147e193a81
-
SHA256
07925cd0fef3aaa9316bafd7cbe778c7c0b513c4dd5ca71ba8a4c2ccd26d5c87
-
SHA512
144782b9592aa9ae6cb2459f41149b0841c65a8dddf522716a8b402aaf07a993f2e66c395e38230b8ef76dd57f2e6a38d0722dd82b87154ceceaa7e4273f76ba
-
SSDEEP
6144:WjqcpsBWEjlpmmxieQbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/YRU:ExpFSlpJxifbWGRdA6sQhPbWGRdA6sQi
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekmhejao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmeede32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqojclne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofegni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiiflaoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljqhkckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpccmhdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfnoqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgkiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chfegk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlhncgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gihpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emmdom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfqlfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjnnbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpfmlghd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bafndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnegbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inebjihf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfldgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mokmdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfmfefni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogekbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doojec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbenoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kabcopmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgkan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Komhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpbjkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocnlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcjjhdjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbebbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqklkbbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbcfbjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjkcadp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebaplnie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jemfhacc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnebo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoeieolb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddllkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gihpkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llmhaold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibhkfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gngeik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhkbdmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jahqiaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bphqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Digehphc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnofeof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmipdk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkqoohc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkcndeen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlbejloe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bddjpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnmopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfmmplad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlofcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibhkfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbgkei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiphjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbbffdlq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkqpkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gemkelcd.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/1744-0-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00090000000235ad-7.dat family_berbew behavioral2/memory/3064-9-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00080000000235b3-15.dat family_berbew behavioral2/memory/4504-17-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/672-25-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235b5-24.dat family_berbew behavioral2/files/0x00070000000235b7-32.dat family_berbew behavioral2/memory/1004-37-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235b9-39.dat family_berbew behavioral2/memory/4828-41-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235bb-47.dat family_berbew behavioral2/memory/3412-48-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235bd-55.dat family_berbew behavioral2/memory/4588-56-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235bf-63.dat family_berbew behavioral2/memory/652-65-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235c1-71.dat family_berbew behavioral2/memory/3076-77-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235c3-79.dat family_berbew behavioral2/memory/1264-80-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235c5-88.dat family_berbew behavioral2/memory/3248-89-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235c7-95.dat family_berbew behavioral2/memory/2156-96-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235c9-103.dat family_berbew behavioral2/memory/956-105-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235cb-106.dat family_berbew behavioral2/memory/1636-112-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235cd-119.dat family_berbew behavioral2/memory/1648-121-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235cf-127.dat family_berbew behavioral2/memory/512-128-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235d1-135.dat family_berbew behavioral2/memory/3720-136-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235d3-143.dat family_berbew behavioral2/memory/3272-145-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00080000000235b1-151.dat family_berbew behavioral2/memory/3564-152-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235d6-159.dat family_berbew behavioral2/memory/1388-160-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235d8-167.dat family_berbew behavioral2/memory/4080-169-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235da-175.dat family_berbew behavioral2/memory/1060-177-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235dc-183.dat family_berbew behavioral2/memory/4304-185-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00080000000235de-191.dat family_berbew behavioral2/memory/968-193-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235e1-199.dat family_berbew behavioral2/memory/4440-200-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235e3-207.dat family_berbew behavioral2/memory/2928-209-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235e5-216.dat family_berbew behavioral2/memory/2320-221-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00080000000232d6-224.dat family_berbew behavioral2/memory/4908-225-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000235e8-232.dat family_berbew behavioral2/files/0x00070000000235ea-239.dat family_berbew behavioral2/files/0x00070000000235ec-247.dat family_berbew behavioral2/files/0x00070000000235ee-255.dat family_berbew behavioral2/memory/3492-246-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/2352-245-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/2508-306-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3064 Bkjiao32.exe 4504 Bhnikc32.exe 672 Bklfgo32.exe 1004 Bafndi32.exe 4828 Bddjpd32.exe 3412 Bedgjgkg.exe 4588 Bhbcfbjk.exe 652 Bomkcm32.exe 3076 Bffcpg32.exe 1264 Coohhlpe.exe 3248 Camddhoi.exe 2156 Coadnlnb.exe 956 Cfkmkf32.exe 1636 Ckhecmcf.exe 1648 Cfnjpfcl.exe 512 Clgbmp32.exe 3720 Cbdjeg32.exe 3272 Cljobphg.exe 3564 Cbfgkffn.exe 1388 Chqogq32.exe 4080 Dfdpad32.exe 1060 Dhclmp32.exe 4304 Ddjmba32.exe 968 Dnbakghm.exe 4440 Digehphc.exe 2928 Dbpjaeoc.exe 2320 Dmennnni.exe 4908 Dodjjimm.exe 2352 Dngjff32.exe 3492 Dbbffdlq.exe 2852 Dfnbgc32.exe 2576 Eiloco32.exe 4444 Emhkdmlg.exe 2612 Ekkkoj32.exe 4620 Eofgpikj.exe 1580 Enigke32.exe 2508 Ebdcld32.exe 3500 Efpomccg.exe 3240 Eiokinbk.exe 1612 Emjgim32.exe 4728 Ekmhejao.exe 1860 Ebgpad32.exe 3912 Eeelnp32.exe 4540 Eiahnnph.exe 3400 Emmdom32.exe 3348 Ekodjiol.exe 3080 Eokqkh32.exe 2956 Ennqfenp.exe 1976 Epmmqheb.exe 1256 Eppjfgcp.exe 3908 Fmcjpl32.exe 3232 Fflohaij.exe 2028 Fngcmcfe.exe 1928 Flkdfh32.exe 1656 Fmkqpkla.exe 756 Ffceip32.exe 3900 Fpkibf32.exe 4788 Glbjggof.exe 3600 Gejopl32.exe 624 Gemkelcd.exe 1784 Gflhoo32.exe 2128 Gfodeohd.exe 4552 Glkmmefl.exe 4116 Gbeejp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Afjpan32.dll Bphqji32.exe File created C:\Windows\SysWOW64\Ibknda32.dll Bklfgo32.exe File opened for modification C:\Windows\SysWOW64\Qodeajbg.exe Qfmmplad.exe File opened for modification C:\Windows\SysWOW64\Cogddd32.exe Cgqlcg32.exe File created C:\Windows\SysWOW64\Hpfbcn32.exe Giljfddl.exe File opened for modification C:\Windows\SysWOW64\Iojkeh32.exe Ihpcinld.exe File created C:\Windows\SysWOW64\Mjidgkog.exe Mablfnne.exe File created C:\Windows\SysWOW64\Nimmifgo.exe Nfnamjhk.exe File created C:\Windows\SysWOW64\Pmhbqbae.exe Pjjfdfbb.exe File created C:\Windows\SysWOW64\Glkmmefl.exe Gfodeohd.exe File created C:\Windows\SysWOW64\Onapdl32.exe Oghghb32.exe File created C:\Windows\SysWOW64\Ckbemgcp.exe Chdialdl.exe File opened for modification C:\Windows\SysWOW64\Ckbemgcp.exe Chdialdl.exe File created C:\Windows\SysWOW64\Dhdbhifj.exe Dqnjgl32.exe File created C:\Windows\SysWOW64\Bfcjjj32.dll Dqnjgl32.exe File opened for modification C:\Windows\SysWOW64\Geoapenf.exe Gndick32.exe File created C:\Windows\SysWOW64\Bdlfjh32.exe Bmbnnn32.exe File created C:\Windows\SysWOW64\Gdgfnm32.dll Joekag32.exe File created C:\Windows\SysWOW64\Dbbffdlq.exe Dngjff32.exe File created C:\Windows\SysWOW64\Lblldc32.dll Ipgbdbqb.exe File opened for modification C:\Windows\SysWOW64\Kpcjgnhb.exe Kfnfjehl.exe File opened for modification C:\Windows\SysWOW64\Kcbfcigf.exe Kpcjgnhb.exe File created C:\Windows\SysWOW64\Ahaceo32.exe Apjkcadp.exe File created C:\Windows\SysWOW64\Foclgq32.exe Fijdjfdb.exe File created C:\Windows\SysWOW64\Iaejqcdo.dll Joqafgni.exe File created C:\Windows\SysWOW64\Jhnojl32.exe Jadgnb32.exe File created C:\Windows\SysWOW64\Bkfmmb32.dll Nqmojd32.exe File created C:\Windows\SysWOW64\Abjmkf32.exe Aplaoj32.exe File created C:\Windows\SysWOW64\Bipecnkd.exe Bbfmgd32.exe File opened for modification C:\Windows\SysWOW64\Legben32.exe Lomjicei.exe File created C:\Windows\SysWOW64\Chqogq32.exe Cbfgkffn.exe File opened for modification C:\Windows\SysWOW64\Jpcapp32.exe Jmeede32.exe File created C:\Windows\SysWOW64\Fdllgpbm.dll Lflbkcll.exe File opened for modification C:\Windows\SysWOW64\Ofhknodl.exe Ogekbb32.exe File created C:\Windows\SysWOW64\Edionhpn.exe Eomffaag.exe File opened for modification C:\Windows\SysWOW64\Jeapcq32.exe Jpegkj32.exe File created C:\Windows\SysWOW64\Jahqiaeb.exe Jpgdai32.exe File created C:\Windows\SysWOW64\Hicakqhn.dll Kgdpni32.exe File opened for modification C:\Windows\SysWOW64\Oplfkeob.exe Nfcabp32.exe File opened for modification C:\Windows\SysWOW64\Edeeci32.exe Ebfign32.exe File opened for modification C:\Windows\SysWOW64\Qfmfefni.exe Qapnmopa.exe File created C:\Windows\SysWOW64\Bedgjgkg.exe Bddjpd32.exe File opened for modification C:\Windows\SysWOW64\Mnegbp32.exe Mfnoqc32.exe File opened for modification C:\Windows\SysWOW64\Nnojho32.exe Mfhbga32.exe File created C:\Windows\SysWOW64\Dgcihgaj.exe Dddllkbf.exe File created C:\Windows\SysWOW64\Jclnjo32.dll Nimmifgo.exe File created C:\Windows\SysWOW64\Chdialdl.exe Bnoddcef.exe File created C:\Windows\SysWOW64\Gelfeh32.dll Dddllkbf.exe File created C:\Windows\SysWOW64\Coppbe32.dll Hbenoi32.exe File created C:\Windows\SysWOW64\Mlmadjhb.dll Pbjddh32.exe File created C:\Windows\SysWOW64\Afappe32.exe Acccdj32.exe File created C:\Windows\SysWOW64\Iafphi32.dll Pfiddm32.exe File opened for modification C:\Windows\SysWOW64\Amjbbfgo.exe Akkffkhk.exe File opened for modification C:\Windows\SysWOW64\Chkobkod.exe Cpdgqmnb.exe File created C:\Windows\SysWOW64\Dbocfo32.exe Dgjoif32.exe File opened for modification C:\Windows\SysWOW64\Eklajcmc.exe Ehndnh32.exe File opened for modification C:\Windows\SysWOW64\Kheekkjl.exe Kakmna32.exe File created C:\Windows\SysWOW64\Mdcajc32.dll Mokfja32.exe File created C:\Windows\SysWOW64\Cljobphg.exe Cbdjeg32.exe File opened for modification C:\Windows\SysWOW64\Dqnjgl32.exe Dnonkq32.exe File created C:\Windows\SysWOW64\Fbmohmoh.exe Ekcgkb32.exe File created C:\Windows\SysWOW64\Finnef32.exe Fqgedh32.exe File created C:\Windows\SysWOW64\Bkkhbb32.exe Bdapehop.exe File opened for modification C:\Windows\SysWOW64\Hifcgion.exe Hfhgkmpj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11872 11796 WerFault.exe 569 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfnjpfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdhdlin.dll" Ehndnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Finnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffeifdjo.dll" Fbgbnkfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pekihfdc.dll" Jeapcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akkffkhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdlkdhnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqfbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holpib32.dll" Oqklkbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjjfdfbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qiiflaoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdopj32.dll" Imnocf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljqhkckn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnojho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpkdjofm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hicpgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajdbac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnlkedai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lggejg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nblolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bapgdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjhkmbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiboaq32.dll" Ddjmba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kncaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjmjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocgkan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efpomccg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phcgcqab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdeiqgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgpeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbbffdlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeelnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljeafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nncccnol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gihpkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hldiinke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlqeenhm.dll" Kheekkjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadafn32.dll" Nmhijd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmcadl.dll" Oiagde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bafndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npefkf32.dll" Coohhlpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggqecq32.dll" Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkikinpo.dll" Dbocfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpochfji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbfmgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bagmdllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgpamjnb.dll" Ggmmlamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll" Ckpamabg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhnikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Modgdicm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgcihgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjliff32.dll" Lindkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbkfbcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljcpchlo.dll" Iidphgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogekbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpcecb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgbpaipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mokfja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkplq32.dll" Pcpnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngmnjok.dll" Qiiflaoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmggingc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dolqpa32.dll" Ljeafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjgeopm.dll" Ncqlkemc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1744 wrote to memory of 3064 1744 e1f99531ed31b1a7d28d970e554dc4b0_NEIKI.exe 87 PID 1744 wrote to memory of 3064 1744 e1f99531ed31b1a7d28d970e554dc4b0_NEIKI.exe 87 PID 1744 wrote to memory of 3064 1744 e1f99531ed31b1a7d28d970e554dc4b0_NEIKI.exe 87 PID 3064 wrote to memory of 4504 3064 Bkjiao32.exe 88 PID 3064 wrote to memory of 4504 3064 Bkjiao32.exe 88 PID 3064 wrote to memory of 4504 3064 Bkjiao32.exe 88 PID 4504 wrote to memory of 672 4504 Bhnikc32.exe 89 PID 4504 wrote to memory of 672 4504 Bhnikc32.exe 89 PID 4504 wrote to memory of 672 4504 Bhnikc32.exe 89 PID 672 wrote to memory of 1004 672 Bklfgo32.exe 91 PID 672 wrote to memory of 1004 672 Bklfgo32.exe 91 PID 672 wrote to memory of 1004 672 Bklfgo32.exe 91 PID 1004 wrote to memory of 4828 1004 Bafndi32.exe 92 PID 1004 wrote to memory of 4828 1004 Bafndi32.exe 92 PID 1004 wrote to memory of 4828 1004 Bafndi32.exe 92 PID 4828 wrote to memory of 3412 4828 Bddjpd32.exe 94 PID 4828 wrote to memory of 3412 4828 Bddjpd32.exe 94 PID 4828 wrote to memory of 3412 4828 Bddjpd32.exe 94 PID 3412 wrote to memory of 4588 3412 Bedgjgkg.exe 95 PID 3412 wrote to memory of 4588 3412 Bedgjgkg.exe 95 PID 3412 wrote to memory of 4588 3412 Bedgjgkg.exe 95 PID 4588 wrote to memory of 652 4588 Bhbcfbjk.exe 96 PID 4588 wrote to memory of 652 4588 Bhbcfbjk.exe 96 PID 4588 wrote to memory of 652 4588 Bhbcfbjk.exe 96 PID 652 wrote to memory of 3076 652 Bomkcm32.exe 98 PID 652 wrote to memory of 3076 652 Bomkcm32.exe 98 PID 652 wrote to memory of 3076 652 Bomkcm32.exe 98 PID 3076 wrote to memory of 1264 3076 Bffcpg32.exe 99 PID 3076 wrote to memory of 1264 3076 Bffcpg32.exe 99 PID 3076 wrote to memory of 1264 3076 Bffcpg32.exe 99 PID 1264 wrote to memory of 3248 1264 Coohhlpe.exe 100 PID 1264 wrote to memory of 3248 1264 Coohhlpe.exe 100 PID 1264 wrote to memory of 3248 1264 Coohhlpe.exe 100 PID 3248 wrote to memory of 2156 3248 Camddhoi.exe 101 PID 3248 wrote to memory of 2156 3248 Camddhoi.exe 101 PID 3248 wrote to memory of 2156 3248 Camddhoi.exe 101 PID 2156 wrote to memory of 956 2156 Coadnlnb.exe 102 PID 2156 wrote to memory of 956 2156 Coadnlnb.exe 102 PID 2156 wrote to memory of 956 2156 Coadnlnb.exe 102 PID 956 wrote to memory of 1636 956 Cfkmkf32.exe 103 PID 956 wrote to memory of 1636 956 Cfkmkf32.exe 103 PID 956 wrote to memory of 1636 956 Cfkmkf32.exe 103 PID 1636 wrote to memory of 1648 1636 Ckhecmcf.exe 104 PID 1636 wrote to memory of 1648 1636 Ckhecmcf.exe 104 PID 1636 wrote to memory of 1648 1636 Ckhecmcf.exe 104 PID 1648 wrote to memory of 512 1648 Cfnjpfcl.exe 105 PID 1648 wrote to memory of 512 1648 Cfnjpfcl.exe 105 PID 1648 wrote to memory of 512 1648 Cfnjpfcl.exe 105 PID 512 wrote to memory of 3720 512 Clgbmp32.exe 106 PID 512 wrote to memory of 3720 512 Clgbmp32.exe 106 PID 512 wrote to memory of 3720 512 Clgbmp32.exe 106 PID 3720 wrote to memory of 3272 3720 Cbdjeg32.exe 107 PID 3720 wrote to memory of 3272 3720 Cbdjeg32.exe 107 PID 3720 wrote to memory of 3272 3720 Cbdjeg32.exe 107 PID 3272 wrote to memory of 3564 3272 Cljobphg.exe 108 PID 3272 wrote to memory of 3564 3272 Cljobphg.exe 108 PID 3272 wrote to memory of 3564 3272 Cljobphg.exe 108 PID 3564 wrote to memory of 1388 3564 Cbfgkffn.exe 109 PID 3564 wrote to memory of 1388 3564 Cbfgkffn.exe 109 PID 3564 wrote to memory of 1388 3564 Cbfgkffn.exe 109 PID 1388 wrote to memory of 4080 1388 Chqogq32.exe 110 PID 1388 wrote to memory of 4080 1388 Chqogq32.exe 110 PID 1388 wrote to memory of 4080 1388 Chqogq32.exe 110 PID 4080 wrote to memory of 1060 4080 Dfdpad32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1f99531ed31b1a7d28d970e554dc4b0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\e1f99531ed31b1a7d28d970e554dc4b0_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Bhnikc32.exeC:\Windows\system32\Bhnikc32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Bklfgo32.exeC:\Windows\system32\Bklfgo32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Bafndi32.exeC:\Windows\system32\Bafndi32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Bddjpd32.exeC:\Windows\system32\Bddjpd32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Bedgjgkg.exeC:\Windows\system32\Bedgjgkg.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\SysWOW64\Bhbcfbjk.exeC:\Windows\system32\Bhbcfbjk.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Bomkcm32.exeC:\Windows\system32\Bomkcm32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\Bffcpg32.exeC:\Windows\system32\Bffcpg32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Coohhlpe.exeC:\Windows\system32\Coohhlpe.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\Coadnlnb.exeC:\Windows\system32\Coadnlnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Ckhecmcf.exeC:\Windows\system32\Ckhecmcf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Cfnjpfcl.exeC:\Windows\system32\Cfnjpfcl.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\Cbdjeg32.exeC:\Windows\system32\Cbdjeg32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Cljobphg.exeC:\Windows\system32\Cljobphg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Cbfgkffn.exeC:\Windows\system32\Cbfgkffn.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Chqogq32.exeC:\Windows\system32\Chqogq32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Dfdpad32.exeC:\Windows\system32\Dfdpad32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Dhclmp32.exeC:\Windows\system32\Dhclmp32.exe23⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Ddjmba32.exeC:\Windows\system32\Ddjmba32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4304 -
C:\Windows\SysWOW64\Dnbakghm.exeC:\Windows\system32\Dnbakghm.exe25⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Digehphc.exeC:\Windows\system32\Digehphc.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Dbpjaeoc.exeC:\Windows\system32\Dbpjaeoc.exe27⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Dmennnni.exeC:\Windows\system32\Dmennnni.exe28⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Dodjjimm.exeC:\Windows\system32\Dodjjimm.exe29⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Dngjff32.exeC:\Windows\system32\Dngjff32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Dbbffdlq.exeC:\Windows\system32\Dbbffdlq.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3492 -
C:\Windows\SysWOW64\Dfnbgc32.exeC:\Windows\system32\Dfnbgc32.exe32⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Eiloco32.exeC:\Windows\system32\Eiloco32.exe33⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Emhkdmlg.exeC:\Windows\system32\Emhkdmlg.exe34⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Ekkkoj32.exeC:\Windows\system32\Ekkkoj32.exe35⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Eofgpikj.exeC:\Windows\system32\Eofgpikj.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4620 -
C:\Windows\SysWOW64\Enigke32.exeC:\Windows\system32\Enigke32.exe37⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Ebdcld32.exeC:\Windows\system32\Ebdcld32.exe38⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Efpomccg.exeC:\Windows\system32\Efpomccg.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3500 -
C:\Windows\SysWOW64\Eiokinbk.exeC:\Windows\system32\Eiokinbk.exe40⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Emjgim32.exeC:\Windows\system32\Emjgim32.exe41⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Ekmhejao.exeC:\Windows\system32\Ekmhejao.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Ebgpad32.exeC:\Windows\system32\Ebgpad32.exe43⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Eeelnp32.exeC:\Windows\system32\Eeelnp32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:3912 -
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe45⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Emmdom32.exeC:\Windows\system32\Emmdom32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Ekodjiol.exeC:\Windows\system32\Ekodjiol.exe47⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Eokqkh32.exeC:\Windows\system32\Eokqkh32.exe48⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Ennqfenp.exeC:\Windows\system32\Ennqfenp.exe49⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Epmmqheb.exeC:\Windows\system32\Epmmqheb.exe50⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Eppjfgcp.exeC:\Windows\system32\Eppjfgcp.exe51⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Fmcjpl32.exeC:\Windows\system32\Fmcjpl32.exe52⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Fflohaij.exeC:\Windows\system32\Fflohaij.exe53⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Fngcmcfe.exeC:\Windows\system32\Fngcmcfe.exe54⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Flkdfh32.exeC:\Windows\system32\Flkdfh32.exe55⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Fmkqpkla.exeC:\Windows\system32\Fmkqpkla.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Ffceip32.exeC:\Windows\system32\Ffceip32.exe57⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Fpkibf32.exeC:\Windows\system32\Fpkibf32.exe58⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Gidnkkpc.exeC:\Windows\system32\Gidnkkpc.exe59⤵PID:1848
-
C:\Windows\SysWOW64\Glbjggof.exeC:\Windows\system32\Glbjggof.exe60⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Gejopl32.exeC:\Windows\system32\Gejopl32.exe61⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Gemkelcd.exeC:\Windows\system32\Gemkelcd.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Gflhoo32.exeC:\Windows\system32\Gflhoo32.exe63⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Gfodeohd.exeC:\Windows\system32\Gfodeohd.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Glkmmefl.exeC:\Windows\system32\Glkmmefl.exe65⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Gbeejp32.exeC:\Windows\system32\Gbeejp32.exe66⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Hlnjbedi.exeC:\Windows\system32\Hlnjbedi.exe67⤵PID:1768
-
C:\Windows\SysWOW64\Hmmfmhll.exeC:\Windows\system32\Hmmfmhll.exe68⤵PID:1776
-
C:\Windows\SysWOW64\Hffken32.exeC:\Windows\system32\Hffken32.exe69⤵PID:1096
-
C:\Windows\SysWOW64\Hidgai32.exeC:\Windows\system32\Hidgai32.exe70⤵PID:2800
-
C:\Windows\SysWOW64\Hfhgkmpj.exeC:\Windows\system32\Hfhgkmpj.exe71⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Hifcgion.exeC:\Windows\system32\Hifcgion.exe72⤵PID:1324
-
C:\Windows\SysWOW64\Hoclopne.exeC:\Windows\system32\Hoclopne.exe73⤵PID:2132
-
C:\Windows\SysWOW64\Hemdlj32.exeC:\Windows\system32\Hemdlj32.exe74⤵PID:2792
-
C:\Windows\SysWOW64\Hlglidlo.exeC:\Windows\system32\Hlglidlo.exe75⤵PID:3428
-
C:\Windows\SysWOW64\Hoeieolb.exeC:\Windows\system32\Hoeieolb.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2552 -
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe77⤵PID:2292
-
C:\Windows\SysWOW64\Imgicgca.exeC:\Windows\system32\Imgicgca.exe78⤵PID:4032
-
C:\Windows\SysWOW64\Ibcaknbi.exeC:\Windows\system32\Ibcaknbi.exe79⤵PID:696
-
C:\Windows\SysWOW64\Iebngial.exeC:\Windows\system32\Iebngial.exe80⤵PID:2484
-
C:\Windows\SysWOW64\Ipgbdbqb.exeC:\Windows\system32\Ipgbdbqb.exe81⤵
- Drops file in System32 directory
PID:4960 -
C:\Windows\SysWOW64\Iedjmioj.exeC:\Windows\system32\Iedjmioj.exe82⤵PID:2948
-
C:\Windows\SysWOW64\Ilnbicff.exeC:\Windows\system32\Ilnbicff.exe83⤵PID:4616
-
C:\Windows\SysWOW64\Ibhkfm32.exeC:\Windows\system32\Ibhkfm32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1124 -
C:\Windows\SysWOW64\Igdgglfl.exeC:\Windows\system32\Igdgglfl.exe85⤵PID:1464
-
C:\Windows\SysWOW64\Imnocf32.exeC:\Windows\system32\Imnocf32.exe86⤵
- Modifies registry class
PID:5140 -
C:\Windows\SysWOW64\Ickglm32.exeC:\Windows\system32\Ickglm32.exe87⤵PID:5184
-
C:\Windows\SysWOW64\Iidphgcn.exeC:\Windows\system32\Iidphgcn.exe88⤵
- Modifies registry class
PID:5224 -
C:\Windows\SysWOW64\Ilcldb32.exeC:\Windows\system32\Ilcldb32.exe89⤵PID:5260
-
C:\Windows\SysWOW64\Jcmdaljn.exeC:\Windows\system32\Jcmdaljn.exe90⤵PID:5304
-
C:\Windows\SysWOW64\Jiglnf32.exeC:\Windows\system32\Jiglnf32.exe91⤵PID:5344
-
C:\Windows\SysWOW64\Jocefm32.exeC:\Windows\system32\Jocefm32.exe92⤵PID:5384
-
C:\Windows\SysWOW64\Jmeede32.exeC:\Windows\system32\Jmeede32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5424 -
C:\Windows\SysWOW64\Jpcapp32.exeC:\Windows\system32\Jpcapp32.exe94⤵PID:5464
-
C:\Windows\SysWOW64\Jgmjmjnb.exeC:\Windows\system32\Jgmjmjnb.exe95⤵PID:5504
-
C:\Windows\SysWOW64\Jpenfp32.exeC:\Windows\system32\Jpenfp32.exe96⤵PID:5544
-
C:\Windows\SysWOW64\Jcdjbk32.exeC:\Windows\system32\Jcdjbk32.exe97⤵PID:5580
-
C:\Windows\SysWOW64\Jebfng32.exeC:\Windows\system32\Jebfng32.exe98⤵PID:5628
-
C:\Windows\SysWOW64\Jokkgl32.exeC:\Windows\system32\Jokkgl32.exe99⤵PID:5672
-
C:\Windows\SysWOW64\Jgbchj32.exeC:\Windows\system32\Jgbchj32.exe100⤵PID:5716
-
C:\Windows\SysWOW64\Jnlkedai.exeC:\Windows\system32\Jnlkedai.exe101⤵
- Modifies registry class
PID:5756 -
C:\Windows\SysWOW64\Komhll32.exeC:\Windows\system32\Komhll32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5800 -
C:\Windows\SysWOW64\Kgdpni32.exeC:\Windows\system32\Kgdpni32.exe103⤵
- Drops file in System32 directory
PID:5844 -
C:\Windows\SysWOW64\Knnhjcog.exeC:\Windows\system32\Knnhjcog.exe104⤵PID:5888
-
C:\Windows\SysWOW64\Kpmdfonj.exeC:\Windows\system32\Kpmdfonj.exe105⤵PID:5928
-
C:\Windows\SysWOW64\Kckqbj32.exeC:\Windows\system32\Kckqbj32.exe106⤵PID:5976
-
C:\Windows\SysWOW64\Knqepc32.exeC:\Windows\system32\Knqepc32.exe107⤵PID:6016
-
C:\Windows\SysWOW64\Koaagkcb.exeC:\Windows\system32\Koaagkcb.exe108⤵PID:6052
-
C:\Windows\SysWOW64\Kjgeedch.exeC:\Windows\system32\Kjgeedch.exe109⤵PID:6104
-
C:\Windows\SysWOW64\Kncaec32.exeC:\Windows\system32\Kncaec32.exe110⤵
- Modifies registry class
PID:5124 -
C:\Windows\SysWOW64\Kodnmkap.exeC:\Windows\system32\Kodnmkap.exe111⤵PID:5204
-
C:\Windows\SysWOW64\Kfnfjehl.exeC:\Windows\system32\Kfnfjehl.exe112⤵
- Drops file in System32 directory
PID:5272 -
C:\Windows\SysWOW64\Kpcjgnhb.exeC:\Windows\system32\Kpcjgnhb.exe113⤵
- Drops file in System32 directory
PID:5336 -
C:\Windows\SysWOW64\Kcbfcigf.exeC:\Windows\system32\Kcbfcigf.exe114⤵PID:5420
-
C:\Windows\SysWOW64\Kfpcoefj.exeC:\Windows\system32\Kfpcoefj.exe115⤵PID:5496
-
C:\Windows\SysWOW64\Lpfgmnfp.exeC:\Windows\system32\Lpfgmnfp.exe116⤵PID:5568
-
C:\Windows\SysWOW64\Lgpoihnl.exeC:\Windows\system32\Lgpoihnl.exe117⤵PID:5644
-
C:\Windows\SysWOW64\Llmhaold.exeC:\Windows\system32\Llmhaold.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5704 -
C:\Windows\SysWOW64\Lokdnjkg.exeC:\Windows\system32\Lokdnjkg.exe119⤵PID:5768
-
C:\Windows\SysWOW64\Ljqhkckn.exeC:\Windows\system32\Ljqhkckn.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5852 -
C:\Windows\SysWOW64\Llodgnja.exeC:\Windows\system32\Llodgnja.exe121⤵PID:5920
-
C:\Windows\SysWOW64\Lomqcjie.exeC:\Windows\system32\Lomqcjie.exe122⤵PID:5992
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-