Analysis
-
max time kernel
136s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 03:22
Behavioral task
behavioral1
Sample
ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe
Resource
win10v2004-20240426-en
General
-
Target
ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe
-
Size
176KB
-
MD5
ddc39edb3f51a37feb8e1dfa32a771f0
-
SHA1
bb2e690000d05bb33e9a1be5628f48cb70572581
-
SHA256
61c2807bc25c61053aab607554b19f2254afb9320f87689287bc552a067b5b3f
-
SHA512
268fbd1010f35b7112e93e248c463f3dd2125ba447010c8cfdeb6e272e71ce0e0ae5792b892963978fb0257e53e8d38afebb84d14f73e1ffce006b5c34a4ed86
-
SSDEEP
3072:JYcQty2veUjmOiBn3w8BdTj2h33ppaS46HUF2pMXSfN6RnQShl:StnvLjVu3w8BdTj2V3ppQ60MMCf0RnQ4
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqbamo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnocof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpaifalo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjjmog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnjgmle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbfpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obphlhkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phpfqmio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipldfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maaepd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhikcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dedkdcie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppphak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqfbaq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blfdia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcagkdba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdjagjco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddmaok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfnjafap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfpgffpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjepaecb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibccic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoaihhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmmnjfnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accfbokl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhajlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikbnacmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihkpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amddjegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjdkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dphifcoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnnch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocegdjij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pghieg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbddcoei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icifbang.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbfkbhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccjfgphj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhbal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glhonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obgomgee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abbpem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lljfpnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmkadgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhlhjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phbcfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dohfbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhgjblfq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqqlbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gimjhafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjolnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jianff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfmepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peajdajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpikgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqikdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imakkfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anmjcieo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pijjpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goiojk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfonc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjghpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifllil32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/2240-0-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000023288-6.dat family_berbew behavioral2/memory/1504-12-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/memory/4712-15-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x00070000000233f0-14.dat family_berbew behavioral2/files/0x00070000000233f2-23.dat family_berbew behavioral2/memory/2568-28-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x00070000000233f4-30.dat family_berbew behavioral2/memory/1912-32-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x00070000000233f6-38.dat family_berbew behavioral2/memory/2852-39-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x00070000000233f8-46.dat family_berbew behavioral2/memory/3684-48-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x00070000000233fa-56.dat family_berbew behavioral2/memory/3264-55-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x00070000000233fc-62.dat family_berbew behavioral2/memory/5044-68-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x00070000000233fe-70.dat family_berbew behavioral2/memory/1968-72-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023400-78.dat family_berbew behavioral2/memory/4044-80-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023402-86.dat family_berbew behavioral2/memory/1928-88-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023404-89.dat family_berbew behavioral2/memory/5024-96-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023406-102.dat family_berbew behavioral2/memory/2620-104-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023408-110.dat family_berbew behavioral2/memory/3984-112-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002340a-118.dat family_berbew behavioral2/memory/3760-120-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002340c-126.dat family_berbew behavioral2/memory/4204-128-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002340e-134.dat family_berbew behavioral2/memory/4808-136-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023410-142.dat family_berbew behavioral2/memory/4548-144-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023412-150.dat family_berbew behavioral2/memory/4904-156-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023414-159.dat family_berbew behavioral2/memory/2352-160-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023416-166.dat family_berbew behavioral2/memory/2088-168-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023418-174.dat family_berbew behavioral2/memory/1264-176-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002341a-182.dat family_berbew behavioral2/memory/3652-184-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002341c-190.dat family_berbew behavioral2/memory/4512-191-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x00080000000233ec-198.dat family_berbew behavioral2/memory/4232-200-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002341f-206.dat family_berbew behavioral2/memory/1832-207-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023421-214.dat family_berbew behavioral2/memory/3544-220-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023423-223.dat family_berbew behavioral2/memory/3876-224-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023425-230.dat family_berbew behavioral2/memory/3260-232-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023427-238.dat family_berbew behavioral2/memory/3292-240-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023429-246.dat family_berbew behavioral2/memory/4396-247-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002342b-254.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1504 Nbfefj32.exe 4712 Nqifafjb.exe 2568 Nojfon32.exe 1912 Nbibki32.exe 2852 Nicjhchb.exe 3684 Nkagdoge.exe 3264 Nbkoai32.exe 5044 Niegnc32.exe 1968 Nghgipmj.exe 4044 Nnbpfj32.exe 1928 Nqqlbe32.exe 5024 Ngjdopkg.exe 2620 Noalpmli.exe 3984 Obphlhkm.exe 3760 Oijqibbj.exe 4204 Oodiem32.exe 4808 Obbeah32.exe 4548 Okkjjnok.exe 4904 Obdbgh32.exe 2352 Oecncc32.exe 2088 Ophbqlea.exe 1264 Obgomgee.exe 3652 Oiagia32.exe 4512 Olocem32.exe 4232 Obikbgbb.exe 1832 Oiccoa32.exe 3544 Opmllk32.exe 3876 Pblhhg32.exe 3260 Piepdahl.exe 3292 Ppphak32.exe 4396 Pelaib32.exe 1688 Phkmem32.exe 2864 Pneebg32.exe 3060 Pacaoc32.exe 2776 Pijjpp32.exe 3776 Plifll32.exe 2192 Pngbhg32.exe 3656 Paendb32.exe 4648 Peajdajk.exe 1908 Phpfqmio.exe 4636 Ppgobjia.exe 5104 Pniomgpl.exe 2900 Pecgja32.exe 2940 Phbcfl32.exe 4440 Qpikgj32.exe 3608 Qbggce32.exe 748 Qefdpq32.exe 4532 Qhdpll32.exe 4976 Qpkhmi32.exe 376 Qnnhhflf.exe 4224 Qamdda32.exe 4816 Qiclfo32.exe 3688 Albibj32.exe 1508 Ablaodbm.exe 4408 Aejmkpaq.exe 2840 Ahiigkqd.exe 2672 Abnnddpj.exe 3880 Aemjpp32.exe 3888 Aihfanhg.exe 4404 Ahkflk32.exe 4684 Abqjjd32.exe 4468 Aeoffo32.exe 4476 Ahncbk32.exe 4020 Aliobieh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cagecd32.dll Pkfblfab.exe File created C:\Windows\SysWOW64\Qdldlm32.dll Pjkombfj.exe File created C:\Windows\SysWOW64\Mgfqmfde.exe Mdhdajea.exe File created C:\Windows\SysWOW64\Daconoae.exe Dodbbdbb.exe File opened for modification C:\Windows\SysWOW64\Gcddpdpo.exe Gkmlofol.exe File created C:\Windows\SysWOW64\Bkomqm32.dll Gcddpdpo.exe File opened for modification C:\Windows\SysWOW64\Chcddk32.exe Ceehho32.exe File created C:\Windows\SysWOW64\Kpmkpqcp.dll Daifnk32.exe File opened for modification C:\Windows\SysWOW64\Domfgpca.exe Dhcnke32.exe File created C:\Windows\SysWOW64\Gbajhpfb.dll Gidphq32.exe File created C:\Windows\SysWOW64\Hjfihc32.exe Hclakimb.exe File created C:\Windows\SysWOW64\Lifenaok.dll Mdfofakp.exe File opened for modification C:\Windows\SysWOW64\Pblhhg32.exe Opmllk32.exe File created C:\Windows\SysWOW64\Lbcpmlmc.dll Peajdajk.exe File created C:\Windows\SysWOW64\Pdgdjjem.dll Mgghhlhq.exe File created C:\Windows\SysWOW64\Ecaobgnf.dll Mmlpoqpg.exe File created C:\Windows\SysWOW64\Mkeebhjc.dll Kacphh32.exe File created C:\Windows\SysWOW64\Cgkghl32.dll Gameonno.exe File created C:\Windows\SysWOW64\Mciobn32.exe Mdfofakp.exe File created C:\Windows\SysWOW64\Hlkolh32.dll Becifhfj.exe File opened for modification C:\Windows\SysWOW64\Lnhmng32.exe Lilanioo.exe File created C:\Windows\SysWOW64\Jpnchp32.exe Jmpgldhg.exe File created C:\Windows\SysWOW64\Mdhdajea.exe Mlampmdo.exe File opened for modification C:\Windows\SysWOW64\Njnpppkn.exe Ncdgcf32.exe File created C:\Windows\SysWOW64\Deagdn32.exe Dogogcpo.exe File created C:\Windows\SysWOW64\Cdahgfpd.dll Chphoh32.exe File opened for modification C:\Windows\SysWOW64\Ngcgcjnc.exe Nddkgonp.exe File created C:\Windows\SysWOW64\Bdknoa32.dll Nbhkac32.exe File created C:\Windows\SysWOW64\Gaelmc32.dll Alhhhcal.exe File opened for modification C:\Windows\SysWOW64\Alkdnboj.exe Ahoimd32.exe File created C:\Windows\SysWOW64\Pmidog32.exe Pnfdcjkg.exe File created C:\Windows\SysWOW64\Eqalmafo.exe Ehjdldfl.exe File created C:\Windows\SysWOW64\Cegjejoc.dll Dboigi32.exe File created C:\Windows\SysWOW64\Fdnjgmle.exe Fbpnkama.exe File opened for modification C:\Windows\SysWOW64\Llgjjnlj.exe Lmdina32.exe File created C:\Windows\SysWOW64\Mnkhmbin.dll Miemjaci.exe File opened for modification C:\Windows\SysWOW64\Ejjqeg32.exe Ebbidj32.exe File opened for modification C:\Windows\SysWOW64\Pcojkhap.exe Pqpnombl.exe File opened for modification C:\Windows\SysWOW64\Aniajnnn.exe Alkdnboj.exe File created C:\Windows\SysWOW64\Laffdj32.dll Himldi32.exe File opened for modification C:\Windows\SysWOW64\Oflgep32.exe Ocnjidkf.exe File created C:\Windows\SysWOW64\Dopigd32.exe Dfiafg32.exe File created C:\Windows\SysWOW64\Cdcbljie.dll Ijdeiaio.exe File created C:\Windows\SysWOW64\Fhqcam32.exe Fdegandp.exe File created C:\Windows\SysWOW64\Hjakkfbf.dll Iejcji32.exe File created C:\Windows\SysWOW64\Hfligghk.dll Njciko32.exe File opened for modification C:\Windows\SysWOW64\Pncgmkmj.exe Pflplnlg.exe File opened for modification C:\Windows\SysWOW64\Clbceo32.exe Chghdqbf.exe File created C:\Windows\SysWOW64\Ipdejo32.dll Ikbnacmd.exe File created C:\Windows\SysWOW64\Kemhff32.exe Kboljk32.exe File created C:\Windows\SysWOW64\Gfghpl32.dll Deagdn32.exe File opened for modification C:\Windows\SysWOW64\Ehonfc32.exe Efpajh32.exe File created C:\Windows\SysWOW64\Lffnijnj.dll Mdmnlj32.exe File opened for modification C:\Windows\SysWOW64\Ocnjidkf.exe Oponmilc.exe File created C:\Windows\SysWOW64\Naeheh32.dll Cnnlaehj.exe File created C:\Windows\SysWOW64\Dhkjej32.exe Daqbip32.exe File opened for modification C:\Windows\SysWOW64\Pecgja32.exe Pniomgpl.exe File created C:\Windows\SysWOW64\Ldfkbccm.dll Qhdpll32.exe File created C:\Windows\SysWOW64\Albibj32.exe Qiclfo32.exe File created C:\Windows\SysWOW64\Bhdibj32.exe Bbhqjchp.exe File created C:\Windows\SysWOW64\Jkeang32.dll Ngcgcjnc.exe File created C:\Windows\SysWOW64\Eodlho32.exe Eqalmafo.exe File opened for modification C:\Windows\SysWOW64\Ipnalhii.exe Impepm32.exe File created C:\Windows\SysWOW64\Ojleohnl.dll Kbfbkj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14548 15064 WerFault.exe 802 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaacilcc.dll" Qecppkdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjghpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdqejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmbkd32.dll" Niegnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phnelk32.dll" Paendb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mciobn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiejmbkl.dll" Obfhba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogaodjbe.dll" Fhajlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndghmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obidhaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Medgncoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daconoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll" Himcoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipqnahgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndkahnhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpgmha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obfhba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paegjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agffge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Immapg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aejmkpaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbnhphbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lilanioo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkpgck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onhhamgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll" Cjpckf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmmnjfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pngbhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knceql32.dll" Dllmfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fokbim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpablkhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eodlho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abckpb32.dll" Jeaikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gibgla32.dll" Capchmmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjocgdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkgqfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmkadgpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnbpfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffldcca.dll" Dohfbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll" Bcoenmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdnjgmle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lebkhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll" Iinlemia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnapdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pghieg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qchmagie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odimnk32.dll" Obphlhkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diihojkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnocof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmjdjgjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojleohnl.dll" Kbfbkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll" Qcgffqei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epogol32.dll" Pcccfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npfkgjdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obikbgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll" Fjepaecb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dedkdcie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeaikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmcojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odocigqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cafpanem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Digkijmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkolh32.dll" Becifhfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcddpdpo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2240 wrote to memory of 1504 2240 ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe 82 PID 2240 wrote to memory of 1504 2240 ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe 82 PID 2240 wrote to memory of 1504 2240 ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe 82 PID 1504 wrote to memory of 4712 1504 Nbfefj32.exe 83 PID 1504 wrote to memory of 4712 1504 Nbfefj32.exe 83 PID 1504 wrote to memory of 4712 1504 Nbfefj32.exe 83 PID 4712 wrote to memory of 2568 4712 Nqifafjb.exe 84 PID 4712 wrote to memory of 2568 4712 Nqifafjb.exe 84 PID 4712 wrote to memory of 2568 4712 Nqifafjb.exe 84 PID 2568 wrote to memory of 1912 2568 Nojfon32.exe 85 PID 2568 wrote to memory of 1912 2568 Nojfon32.exe 85 PID 2568 wrote to memory of 1912 2568 Nojfon32.exe 85 PID 1912 wrote to memory of 2852 1912 Nbibki32.exe 86 PID 1912 wrote to memory of 2852 1912 Nbibki32.exe 86 PID 1912 wrote to memory of 2852 1912 Nbibki32.exe 86 PID 2852 wrote to memory of 3684 2852 Nicjhchb.exe 87 PID 2852 wrote to memory of 3684 2852 Nicjhchb.exe 87 PID 2852 wrote to memory of 3684 2852 Nicjhchb.exe 87 PID 3684 wrote to memory of 3264 3684 Nkagdoge.exe 88 PID 3684 wrote to memory of 3264 3684 Nkagdoge.exe 88 PID 3684 wrote to memory of 3264 3684 Nkagdoge.exe 88 PID 3264 wrote to memory of 5044 3264 Nbkoai32.exe 89 PID 3264 wrote to memory of 5044 3264 Nbkoai32.exe 89 PID 3264 wrote to memory of 5044 3264 Nbkoai32.exe 89 PID 5044 wrote to memory of 1968 5044 Niegnc32.exe 90 PID 5044 wrote to memory of 1968 5044 Niegnc32.exe 90 PID 5044 wrote to memory of 1968 5044 Niegnc32.exe 90 PID 1968 wrote to memory of 4044 1968 Nghgipmj.exe 91 PID 1968 wrote to memory of 4044 1968 Nghgipmj.exe 91 PID 1968 wrote to memory of 4044 1968 Nghgipmj.exe 91 PID 4044 wrote to memory of 1928 4044 Nnbpfj32.exe 92 PID 4044 wrote to memory of 1928 4044 Nnbpfj32.exe 92 PID 4044 wrote to memory of 1928 4044 Nnbpfj32.exe 92 PID 1928 wrote to memory of 5024 1928 Nqqlbe32.exe 93 PID 1928 wrote to memory of 5024 1928 Nqqlbe32.exe 93 PID 1928 wrote to memory of 5024 1928 Nqqlbe32.exe 93 PID 5024 wrote to memory of 2620 5024 Ngjdopkg.exe 94 PID 5024 wrote to memory of 2620 5024 Ngjdopkg.exe 94 PID 5024 wrote to memory of 2620 5024 Ngjdopkg.exe 94 PID 2620 wrote to memory of 3984 2620 Noalpmli.exe 95 PID 2620 wrote to memory of 3984 2620 Noalpmli.exe 95 PID 2620 wrote to memory of 3984 2620 Noalpmli.exe 95 PID 3984 wrote to memory of 3760 3984 Obphlhkm.exe 97 PID 3984 wrote to memory of 3760 3984 Obphlhkm.exe 97 PID 3984 wrote to memory of 3760 3984 Obphlhkm.exe 97 PID 3760 wrote to memory of 4204 3760 Oijqibbj.exe 98 PID 3760 wrote to memory of 4204 3760 Oijqibbj.exe 98 PID 3760 wrote to memory of 4204 3760 Oijqibbj.exe 98 PID 4204 wrote to memory of 4808 4204 Oodiem32.exe 99 PID 4204 wrote to memory of 4808 4204 Oodiem32.exe 99 PID 4204 wrote to memory of 4808 4204 Oodiem32.exe 99 PID 4808 wrote to memory of 4548 4808 Obbeah32.exe 101 PID 4808 wrote to memory of 4548 4808 Obbeah32.exe 101 PID 4808 wrote to memory of 4548 4808 Obbeah32.exe 101 PID 4548 wrote to memory of 4904 4548 Okkjjnok.exe 102 PID 4548 wrote to memory of 4904 4548 Okkjjnok.exe 102 PID 4548 wrote to memory of 4904 4548 Okkjjnok.exe 102 PID 4904 wrote to memory of 2352 4904 Obdbgh32.exe 103 PID 4904 wrote to memory of 2352 4904 Obdbgh32.exe 103 PID 4904 wrote to memory of 2352 4904 Obdbgh32.exe 103 PID 2352 wrote to memory of 2088 2352 Oecncc32.exe 104 PID 2352 wrote to memory of 2088 2352 Oecncc32.exe 104 PID 2352 wrote to memory of 2088 2352 Oecncc32.exe 104 PID 2088 wrote to memory of 1264 2088 Ophbqlea.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\ddc39edb3f51a37feb8e1dfa32a771f0_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Nbfefj32.exeC:\Windows\system32\Nbfefj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Nqifafjb.exeC:\Windows\system32\Nqifafjb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Nojfon32.exeC:\Windows\system32\Nojfon32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Nbibki32.exeC:\Windows\system32\Nbibki32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Nicjhchb.exeC:\Windows\system32\Nicjhchb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Nkagdoge.exeC:\Windows\system32\Nkagdoge.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\Nbkoai32.exeC:\Windows\system32\Nbkoai32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Niegnc32.exeC:\Windows\system32\Niegnc32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Nghgipmj.exeC:\Windows\system32\Nghgipmj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Nnbpfj32.exeC:\Windows\system32\Nnbpfj32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Nqqlbe32.exeC:\Windows\system32\Nqqlbe32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Ngjdopkg.exeC:\Windows\system32\Ngjdopkg.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Noalpmli.exeC:\Windows\system32\Noalpmli.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Obphlhkm.exeC:\Windows\system32\Obphlhkm.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\Oijqibbj.exeC:\Windows\system32\Oijqibbj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\SysWOW64\Oodiem32.exeC:\Windows\system32\Oodiem32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\Obbeah32.exeC:\Windows\system32\Obbeah32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Okkjjnok.exeC:\Windows\system32\Okkjjnok.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Obdbgh32.exeC:\Windows\system32\Obdbgh32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Oecncc32.exeC:\Windows\system32\Oecncc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Ophbqlea.exeC:\Windows\system32\Ophbqlea.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Obgomgee.exeC:\Windows\system32\Obgomgee.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Oiagia32.exeC:\Windows\system32\Oiagia32.exe24⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Olocem32.exeC:\Windows\system32\Olocem32.exe25⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Obikbgbb.exeC:\Windows\system32\Obikbgbb.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:4232 -
C:\Windows\SysWOW64\Oiccoa32.exeC:\Windows\system32\Oiccoa32.exe27⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Opmllk32.exeC:\Windows\system32\Opmllk32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3544 -
C:\Windows\SysWOW64\Pblhhg32.exeC:\Windows\system32\Pblhhg32.exe29⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Piepdahl.exeC:\Windows\system32\Piepdahl.exe30⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Ppphak32.exeC:\Windows\system32\Ppphak32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Pelaib32.exeC:\Windows\system32\Pelaib32.exe32⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Phkmem32.exeC:\Windows\system32\Phkmem32.exe33⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Pneebg32.exeC:\Windows\system32\Pneebg32.exe34⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Pacaoc32.exeC:\Windows\system32\Pacaoc32.exe35⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Pijjpp32.exeC:\Windows\system32\Pijjpp32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Plifll32.exeC:\Windows\system32\Plifll32.exe37⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Pngbhg32.exeC:\Windows\system32\Pngbhg32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Paendb32.exeC:\Windows\system32\Paendb32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3656 -
C:\Windows\SysWOW64\Peajdajk.exeC:\Windows\system32\Peajdajk.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4648 -
C:\Windows\SysWOW64\Phpfqmio.exeC:\Windows\system32\Phpfqmio.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Ppgobjia.exeC:\Windows\system32\Ppgobjia.exe42⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Pniomgpl.exeC:\Windows\system32\Pniomgpl.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5104 -
C:\Windows\SysWOW64\Pecgja32.exeC:\Windows\system32\Pecgja32.exe44⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Phbcfl32.exeC:\Windows\system32\Phbcfl32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Qpikgj32.exeC:\Windows\system32\Qpikgj32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Qbggce32.exeC:\Windows\system32\Qbggce32.exe47⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Qefdpq32.exeC:\Windows\system32\Qefdpq32.exe48⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Qhdpll32.exeC:\Windows\system32\Qhdpll32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4532 -
C:\Windows\SysWOW64\Qpkhmi32.exeC:\Windows\system32\Qpkhmi32.exe50⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Qnnhhflf.exeC:\Windows\system32\Qnnhhflf.exe51⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Qamdda32.exeC:\Windows\system32\Qamdda32.exe52⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Qiclfo32.exeC:\Windows\system32\Qiclfo32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4816 -
C:\Windows\SysWOW64\Albibj32.exeC:\Windows\system32\Albibj32.exe54⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Ablaodbm.exeC:\Windows\system32\Ablaodbm.exe55⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Aejmkpaq.exeC:\Windows\system32\Aejmkpaq.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:4408 -
C:\Windows\SysWOW64\Ahiigkqd.exeC:\Windows\system32\Ahiigkqd.exe57⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Abnnddpj.exeC:\Windows\system32\Abnnddpj.exe58⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Aemjpp32.exeC:\Windows\system32\Aemjpp32.exe59⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Aihfanhg.exeC:\Windows\system32\Aihfanhg.exe60⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Ahkflk32.exeC:\Windows\system32\Ahkflk32.exe61⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Abqjjd32.exeC:\Windows\system32\Abqjjd32.exe62⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Aeoffo32.exeC:\Windows\system32\Aeoffo32.exe63⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Ahncbk32.exeC:\Windows\system32\Ahncbk32.exe64⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Aliobieh.exeC:\Windows\system32\Aliobieh.exe65⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Aafgkpcp.exeC:\Windows\system32\Aafgkpcp.exe66⤵PID:3296
-
C:\Windows\SysWOW64\Aimoln32.exeC:\Windows\system32\Aimoln32.exe67⤵PID:2556
-
C:\Windows\SysWOW64\Apggihko.exeC:\Windows\system32\Apggihko.exe68⤵PID:1784
-
C:\Windows\SysWOW64\Aahdqp32.exeC:\Windows\system32\Aahdqp32.exe69⤵PID:3508
-
C:\Windows\SysWOW64\Boldjd32.exeC:\Windows\system32\Boldjd32.exe70⤵PID:4416
-
C:\Windows\SysWOW64\Bbhqjchp.exeC:\Windows\system32\Bbhqjchp.exe71⤵
- Drops file in System32 directory
PID:3304 -
C:\Windows\SysWOW64\Bhdibj32.exeC:\Windows\system32\Bhdibj32.exe72⤵PID:4372
-
C:\Windows\SysWOW64\Bbjmpb32.exeC:\Windows\system32\Bbjmpb32.exe73⤵PID:988
-
C:\Windows\SysWOW64\Behiln32.exeC:\Windows\system32\Behiln32.exe74⤵PID:3168
-
C:\Windows\SysWOW64\Blbaihmn.exeC:\Windows\system32\Blbaihmn.exe75⤵PID:4420
-
C:\Windows\SysWOW64\Boanecla.exeC:\Windows\system32\Boanecla.exe76⤵PID:384
-
C:\Windows\SysWOW64\Baojaoke.exeC:\Windows\system32\Baojaoke.exe77⤵PID:3800
-
C:\Windows\SysWOW64\Bekfan32.exeC:\Windows\system32\Bekfan32.exe78⤵PID:1808
-
C:\Windows\SysWOW64\Bpqjofcd.exeC:\Windows\system32\Bpqjofcd.exe79⤵PID:3328
-
C:\Windows\SysWOW64\Bbofkbbh.exeC:\Windows\system32\Bbofkbbh.exe80⤵PID:804
-
C:\Windows\SysWOW64\Blgkdg32.exeC:\Windows\system32\Blgkdg32.exe81⤵PID:4844
-
C:\Windows\SysWOW64\Beppmmoi.exeC:\Windows\system32\Beppmmoi.exe82⤵PID:3016
-
C:\Windows\SysWOW64\Cpedjf32.exeC:\Windows\system32\Cpedjf32.exe83⤵PID:4272
-
C:\Windows\SysWOW64\Cafpanem.exeC:\Windows\system32\Cafpanem.exe84⤵
- Modifies registry class
PID:516 -
C:\Windows\SysWOW64\Chphoh32.exeC:\Windows\system32\Chphoh32.exe85⤵
- Drops file in System32 directory
PID:3208 -
C:\Windows\SysWOW64\Ccfmla32.exeC:\Windows\system32\Ccfmla32.exe86⤵PID:3232
-
C:\Windows\SysWOW64\Cedihl32.exeC:\Windows\system32\Cedihl32.exe87⤵PID:2632
-
C:\Windows\SysWOW64\Clnadfbp.exeC:\Windows\system32\Clnadfbp.exe88⤵PID:3780
-
C:\Windows\SysWOW64\Cchiaqjm.exeC:\Windows\system32\Cchiaqjm.exe89⤵PID:3952
-
C:\Windows\SysWOW64\Cefemliq.exeC:\Windows\system32\Cefemliq.exe90⤵PID:1900
-
C:\Windows\SysWOW64\Chebighd.exeC:\Windows\system32\Chebighd.exe91⤵PID:676
-
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe92⤵PID:5128
-
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5180 -
C:\Windows\SysWOW64\Ceibclgn.exeC:\Windows\system32\Ceibclgn.exe94⤵PID:5224
-
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe95⤵PID:5272
-
C:\Windows\SysWOW64\Capchmmb.exeC:\Windows\system32\Capchmmb.exe96⤵
- Modifies registry class
PID:5316 -
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe97⤵
- Modifies registry class
PID:5356 -
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe98⤵PID:5408
-
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe99⤵PID:5452
-
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe100⤵
- Modifies registry class
PID:5512 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5564 -
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe102⤵PID:5616
-
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe103⤵PID:5676
-
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe104⤵PID:5720
-
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe105⤵PID:5764
-
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe106⤵PID:5812
-
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe107⤵
- Modifies registry class
PID:5856 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5900 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe109⤵
- Drops file in System32 directory
PID:5940 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe110⤵PID:5976
-
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe111⤵
- Drops file in System32 directory
PID:6028 -
C:\Windows\SysWOW64\Domfgpca.exeC:\Windows\system32\Domfgpca.exe112⤵PID:6072
-
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe113⤵PID:6108
-
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe114⤵PID:5136
-
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe115⤵PID:5164
-
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe116⤵PID:5268
-
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe117⤵PID:5352
-
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe118⤵PID:5400
-
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe119⤵PID:5464
-
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe120⤵PID:5540
-
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe121⤵PID:5596
-
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe122⤵PID:5716
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-