Analysis
-
max time kernel
93s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 03:23
Behavioral task
behavioral1
Sample
ddde504c0583e4d311ee0dced160d840_NEIKI.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ddde504c0583e4d311ee0dced160d840_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
ddde504c0583e4d311ee0dced160d840_NEIKI.exe
-
Size
3.7MB
-
MD5
ddde504c0583e4d311ee0dced160d840
-
SHA1
320a3bd0584acc8fbc54ee1aa25e2346b65063bd
-
SHA256
e6b775bf08aba4cfc47f06eed48eea65937e609820e6ab72d1430567b3804bb9
-
SHA512
4f3becc97c06796613bfba81cb6aad38f88268bd25dea5c4179bac0cbcf93ae0259410a2b56d4fbfd5333715716a6c9e17728d09db70b7895759067ade018ba7
-
SSDEEP
24576:l6X1q5h3q5hkntq5S6X1q5h3q5htaSHFaZRBEYyqmaf2qwiHPKgRC4gvGZl6snA:l6Gnh6HaSHFaZRBEYyqmS2DiHPKQgm
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampkof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmqmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gppcmeem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkndie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gihpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdhmnlcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfklhhcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpqjglii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcpahpmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmdblp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edfdej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqbncb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaalblgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lepleocn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchppmij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiioonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefedmil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadlbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmoohe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiobceef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqhafffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoabad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njmqnobn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opbean32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajkaii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhnlkfpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqmeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfogeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpjfgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoalgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoclopne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pccahbmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcjhkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jknfcofa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqmkae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeheqm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdaociml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fganqbgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqfbpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emaedo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jghabl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oekpkigo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldopb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpjfgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggkipii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbeip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilccoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjlmclqa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bepmoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilnbicff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjoankoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkehkocf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggilil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laiipofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbkamqmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnmepn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacjadad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Milidebi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqimikfj.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0008000000022f51-7.dat family_berbew behavioral2/files/0x000800000002341c-15.dat family_berbew behavioral2/files/0x000700000002341e-23.dat family_berbew behavioral2/files/0x000800000002341a-31.dat family_berbew behavioral2/files/0x0007000000023421-39.dat family_berbew behavioral2/files/0x0008000000023423-47.dat family_berbew behavioral2/files/0x0007000000023426-55.dat family_berbew behavioral2/files/0x0004000000022ac3-63.dat family_berbew behavioral2/files/0x0007000000023429-71.dat family_berbew behavioral2/files/0x000700000002342b-79.dat family_berbew behavioral2/files/0x000700000002342d-87.dat family_berbew behavioral2/files/0x000700000002342f-95.dat family_berbew behavioral2/files/0x0007000000023431-103.dat family_berbew behavioral2/files/0x0007000000023433-111.dat family_berbew behavioral2/files/0x0007000000023435-119.dat family_berbew behavioral2/files/0x0007000000023437-127.dat family_berbew behavioral2/files/0x0007000000023439-135.dat family_berbew behavioral2/files/0x000700000002343b-143.dat family_berbew behavioral2/files/0x000700000002343d-150.dat family_berbew behavioral2/files/0x000700000002343f-159.dat family_berbew behavioral2/files/0x0007000000023441-167.dat family_berbew behavioral2/files/0x0007000000023443-175.dat family_berbew behavioral2/files/0x0007000000023445-183.dat family_berbew behavioral2/files/0x0007000000023447-191.dat family_berbew behavioral2/files/0x0007000000023449-199.dat family_berbew behavioral2/files/0x000700000002344b-207.dat family_berbew behavioral2/files/0x000700000002344d-215.dat family_berbew behavioral2/files/0x000700000002344f-223.dat family_berbew behavioral2/files/0x0007000000023451-231.dat family_berbew behavioral2/files/0x0007000000023453-239.dat family_berbew behavioral2/files/0x0007000000023455-247.dat family_berbew behavioral2/files/0x0007000000023457-255.dat family_berbew behavioral2/files/0x000700000002345b-264.dat family_berbew behavioral2/files/0x0007000000023461-282.dat family_berbew behavioral2/files/0x0007000000023463-289.dat family_berbew behavioral2/files/0x0007000000023467-299.dat family_berbew behavioral2/files/0x0007000000023475-342.dat family_berbew behavioral2/files/0x000700000002347b-360.dat family_berbew behavioral2/files/0x000700000002347d-367.dat family_berbew behavioral2/files/0x0007000000023481-378.dat family_berbew behavioral2/files/0x0007000000023497-444.dat family_berbew behavioral2/files/0x00070000000234a7-492.dat family_berbew behavioral2/files/0x00070000000234a9-499.dat family_berbew behavioral2/files/0x00070000000234ad-510.dat family_berbew behavioral2/files/0x00070000000234b1-522.dat family_berbew behavioral2/files/0x00070000000234bb-554.dat family_berbew behavioral2/files/0x00070000000234bf-568.dat family_berbew behavioral2/files/0x00070000000234e5-700.dat family_berbew behavioral2/files/0x00070000000234e9-714.dat family_berbew behavioral2/files/0x00070000000234fd-783.dat family_berbew behavioral2/files/0x0007000000023503-803.dat family_berbew behavioral2/files/0x0007000000023511-852.dat family_berbew behavioral2/files/0x000700000002352b-942.dat family_berbew behavioral2/files/0x000700000002352f-955.dat family_berbew behavioral2/files/0x0007000000023549-1046.dat family_berbew behavioral2/files/0x000700000002354f-1067.dat family_berbew behavioral2/files/0x0007000000023551-1075.dat family_berbew behavioral2/files/0x0007000000023559-1102.dat family_berbew behavioral2/files/0x000700000002355b-1110.dat family_berbew behavioral2/files/0x0007000000023563-1137.dat family_berbew behavioral2/files/0x000700000002356b-1166.dat family_berbew behavioral2/files/0x0007000000023571-1185.dat family_berbew behavioral2/files/0x000700000002357d-1227.dat family_berbew behavioral2/files/0x0007000000023585-1255.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2468 Nbhkac32.exe 3112 Ndidbn32.exe 876 Njfmke32.exe 2120 Pbkamqmd.exe 1820 Peljol32.exe 3684 Ajdbcano.exe 4208 Ajneip32.exe 4592 Bahmfj32.exe 4012 Blmacb32.exe 4748 Cecbmf32.exe 3156 Doqpak32.exe 2288 Deoaid32.exe 4536 Eefhjc32.exe 4996 Ekhjmiad.exe 856 Fhqcam32.exe 3812 Fooeif32.exe 5044 Ghlcnk32.exe 3936 Gdhmnlcj.exe 4164 Hckjacjg.exe 872 Hofdacke.exe 4112 Iehfdi32.exe 2020 Ildkgc32.exe 3696 Jedeph32.exe 2516 Jcioiood.exe 1904 Kfmepi32.exe 2688 Kfankifm.exe 1620 Ldjhpl32.exe 3648 Lebkhc32.exe 5108 Mchhggno.exe 4524 Mdmnlj32.exe 384 Ngpccdlj.exe 2168 Nckndeni.exe 4348 Ogkcpbam.exe 4492 Ocbddc32.exe 5000 Ofqpqo32.exe 1572 Odapnf32.exe 3576 Oddmdf32.exe 1852 Pfhfan32.exe 3888 Pmannhhj.exe 2456 Pmdkch32.exe 2772 Pgllfp32.exe 4976 Pqdqof32.exe 2372 Pjmehkqk.exe 4040 Qdbiedpa.exe 1296 Qjoankoi.exe 4056 Qddfkd32.exe 4204 Ampkof32.exe 1956 Aeiofcji.exe 2368 Ajfhnjhq.exe 592 Aeklkchg.exe 2004 Ajkaii32.exe 4856 Aadifclh.exe 1116 Bagflcje.exe 2936 Bjagjhnc.exe 1580 Beglgani.exe 2380 Bmbplc32.exe 1652 Bhhdil32.exe 2876 Bapiabak.exe 1856 Cjinkg32.exe 1940 Cenahpha.exe 3956 Cjkjpgfi.exe 1532 Chokikeb.exe 4632 Cmlcbbcj.exe 4328 Cfdhkhjj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dakikoom.exe Dgeenfog.exe File created C:\Windows\SysWOW64\Nlhego32.dll Njjmni32.exe File created C:\Windows\SysWOW64\Hofdacke.exe Hckjacjg.exe File created C:\Windows\SysWOW64\Jpkphjeb.exe Jiaglp32.exe File created C:\Windows\SysWOW64\Afkicf32.dll Mfcmmp32.exe File created C:\Windows\SysWOW64\Mjdebfnd.exe Megljppl.exe File created C:\Windows\SysWOW64\Aoalgn32.exe Adkgje32.exe File created C:\Windows\SysWOW64\Blqhpg32.dll Ojomcopk.exe File opened for modification C:\Windows\SysWOW64\Lpbopfag.exe Lemkcnaa.exe File opened for modification C:\Windows\SysWOW64\Kndojobi.exe Kelkaj32.exe File created C:\Windows\SysWOW64\Maggnali.exe Mkjnfkma.exe File created C:\Windows\SysWOW64\Ifolcq32.dll Mgloefco.exe File created C:\Windows\SysWOW64\Amcehdod.exe Agimkk32.exe File created C:\Windows\SysWOW64\Beglgani.exe Bjagjhnc.exe File created C:\Windows\SysWOW64\Micfao32.dll Kndojobi.exe File created C:\Windows\SysWOW64\Fgibng32.dll Lgkpdcmi.exe File opened for modification C:\Windows\SysWOW64\Fligqhga.exe Fflohaij.exe File created C:\Windows\SysWOW64\Dpinoh32.dll Ollnhb32.exe File created C:\Windows\SysWOW64\Mkkgmlcm.dll Gaefgd32.exe File opened for modification C:\Windows\SysWOW64\Fmhdkknd.exe Fbbpmb32.exe File created C:\Windows\SysWOW64\Ipaooi32.dll Dggbcf32.exe File created C:\Windows\SysWOW64\Iflbnkbi.dll Hfningai.exe File created C:\Windows\SysWOW64\Oklmii32.dll Keakgpko.exe File created C:\Windows\SysWOW64\Jkghalnb.dll Djklmo32.exe File opened for modification C:\Windows\SysWOW64\Efpomccg.exe Ekkkoj32.exe File created C:\Windows\SysWOW64\Nbdfqocb.dll Hlnjbedi.exe File opened for modification C:\Windows\SysWOW64\Ekiohclf.exe Eglgbdep.exe File created C:\Windows\SysWOW64\Akejpg32.dll Jiokfpph.exe File opened for modification C:\Windows\SysWOW64\Lgffic32.exe Lajagj32.exe File created C:\Windows\SysWOW64\Ljeffhcd.dll Hgkkkcbc.exe File opened for modification C:\Windows\SysWOW64\Pehngkcg.exe Pkbjjbda.exe File created C:\Windows\SysWOW64\Hkajlm32.dll Aeaanjkl.exe File created C:\Windows\SysWOW64\Foclgq32.exe Fgjhpcmo.exe File created C:\Windows\SysWOW64\Jgefkimp.dll Mchhggno.exe File created C:\Windows\SysWOW64\Lpcncmnn.dll Iinjhh32.exe File created C:\Windows\SysWOW64\Idefqiag.dll Lqhdbm32.exe File created C:\Windows\SysWOW64\Lqppgj32.dll Bgnffj32.exe File opened for modification C:\Windows\SysWOW64\Bgpcliao.exe Bacjdbch.exe File created C:\Windows\SysWOW64\Ppkjigdd.dll Fjeplijj.exe File created C:\Windows\SysWOW64\Fonnop32.exe Fefjfked.exe File created C:\Windows\SysWOW64\Gacjadad.exe Gdoihpbk.exe File opened for modification C:\Windows\SysWOW64\Lajagj32.exe Kgamnded.exe File opened for modification C:\Windows\SysWOW64\Jikoopij.exe Joekag32.exe File created C:\Windows\SysWOW64\Glokko32.dll Gkaopp32.exe File opened for modification C:\Windows\SysWOW64\Ljkifn32.exe Lgkpdcmi.exe File created C:\Windows\SysWOW64\Lnangaoa.exe Lckiihok.exe File opened for modification C:\Windows\SysWOW64\Haodle32.exe Hhdcmp32.exe File opened for modification C:\Windows\SysWOW64\Pidlqb32.exe Pcegclgp.exe File created C:\Windows\SysWOW64\Fjinnekj.dll Fdkdibjp.exe File created C:\Windows\SysWOW64\Afnnnd32.exe Acnemi32.exe File created C:\Windows\SysWOW64\Hkjmbk32.dll Piijno32.exe File opened for modification C:\Windows\SysWOW64\Kqmkae32.exe Kjccdkki.exe File created C:\Windows\SysWOW64\Bdpaeehj.exe Bnfihkqm.exe File created C:\Windows\SysWOW64\Cncnob32.exe Chfegk32.exe File created C:\Windows\SysWOW64\Khgbqkhj.exe Kcjjhdjb.exe File created C:\Windows\SysWOW64\Ingpmmgm.exe Hgmgqc32.exe File created C:\Windows\SysWOW64\Kedlip32.exe Jpgdai32.exe File created C:\Windows\SysWOW64\Jgadgf32.exe Jbdlop32.exe File created C:\Windows\SysWOW64\Nodiqp32.exe Njgqhicg.exe File opened for modification C:\Windows\SysWOW64\Peljol32.exe Pbkamqmd.exe File created C:\Windows\SysWOW64\Aoohalad.dll Jcioiood.exe File created C:\Windows\SysWOW64\Gefklj32.dll Hoaojp32.exe File created C:\Windows\SysWOW64\Icpjna32.dll Ckggnp32.exe File created C:\Windows\SysWOW64\Fdaleh32.dll Enhifi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9928 9844 WerFault.exe 775 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinclj32.dll" Dgeenfog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmnhcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibhkfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjmjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memfnodb.dll" Cfcjfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkdfd32.dll" Ojhiogdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqdoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kelkaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqmiic32.dll" Ibaeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khnhommq.dll" Jpgdai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ampkof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoepebho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeheqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dddllkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll" Dmefhako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodoah32.dll" Nlhkgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfaajnfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ildkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdinljnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll" Fjocbhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleoiomo.dll" Kqmkae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichqihli.dll" Adfgdpmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loighj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bildbk32.dll" Gdoihpbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odhifjkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fligqhga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biiobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnakbdid.dll" Dgbanq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhenai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boplohfa.dll" Bmggingc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajggomog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jipegn32.dll" Ekaapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll" Dopigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginlmijp.dll" Lpekef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjdiliki.dll" Aoabad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baegibae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nofefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cndepccb.dll" Pkbjjbda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoalgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeipof32.dll" Acnemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eibfck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqhblk32.dll" Phodcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpgdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll" Odapnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpieqeko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnaaib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oafcqcea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeaanjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Domdjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamqij32.dll" Dfjgaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgnffj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knqepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbhcl32.dll" Dcnlnaom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll" Bhblllfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmlmkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dggbcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jihbip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jedeph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akejpg32.dll" Jiokfpph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibclmgdb.dll" Cobkhb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4912 wrote to memory of 2468 4912 ddde504c0583e4d311ee0dced160d840_NEIKI.exe 81 PID 4912 wrote to memory of 2468 4912 ddde504c0583e4d311ee0dced160d840_NEIKI.exe 81 PID 4912 wrote to memory of 2468 4912 ddde504c0583e4d311ee0dced160d840_NEIKI.exe 81 PID 2468 wrote to memory of 3112 2468 Nbhkac32.exe 84 PID 2468 wrote to memory of 3112 2468 Nbhkac32.exe 84 PID 2468 wrote to memory of 3112 2468 Nbhkac32.exe 84 PID 3112 wrote to memory of 876 3112 Ndidbn32.exe 85 PID 3112 wrote to memory of 876 3112 Ndidbn32.exe 85 PID 3112 wrote to memory of 876 3112 Ndidbn32.exe 85 PID 876 wrote to memory of 2120 876 Njfmke32.exe 86 PID 876 wrote to memory of 2120 876 Njfmke32.exe 86 PID 876 wrote to memory of 2120 876 Njfmke32.exe 86 PID 2120 wrote to memory of 1820 2120 Pbkamqmd.exe 87 PID 2120 wrote to memory of 1820 2120 Pbkamqmd.exe 87 PID 2120 wrote to memory of 1820 2120 Pbkamqmd.exe 87 PID 1820 wrote to memory of 3684 1820 Peljol32.exe 88 PID 1820 wrote to memory of 3684 1820 Peljol32.exe 88 PID 1820 wrote to memory of 3684 1820 Peljol32.exe 88 PID 3684 wrote to memory of 4208 3684 Ajdbcano.exe 89 PID 3684 wrote to memory of 4208 3684 Ajdbcano.exe 89 PID 3684 wrote to memory of 4208 3684 Ajdbcano.exe 89 PID 4208 wrote to memory of 4592 4208 Ajneip32.exe 90 PID 4208 wrote to memory of 4592 4208 Ajneip32.exe 90 PID 4208 wrote to memory of 4592 4208 Ajneip32.exe 90 PID 4592 wrote to memory of 4012 4592 Bahmfj32.exe 91 PID 4592 wrote to memory of 4012 4592 Bahmfj32.exe 91 PID 4592 wrote to memory of 4012 4592 Bahmfj32.exe 91 PID 4012 wrote to memory of 4748 4012 Blmacb32.exe 92 PID 4012 wrote to memory of 4748 4012 Blmacb32.exe 92 PID 4012 wrote to memory of 4748 4012 Blmacb32.exe 92 PID 4748 wrote to memory of 3156 4748 Cecbmf32.exe 93 PID 4748 wrote to memory of 3156 4748 Cecbmf32.exe 93 PID 4748 wrote to memory of 3156 4748 Cecbmf32.exe 93 PID 3156 wrote to memory of 2288 3156 Doqpak32.exe 94 PID 3156 wrote to memory of 2288 3156 Doqpak32.exe 94 PID 3156 wrote to memory of 2288 3156 Doqpak32.exe 94 PID 2288 wrote to memory of 4536 2288 Deoaid32.exe 95 PID 2288 wrote to memory of 4536 2288 Deoaid32.exe 95 PID 2288 wrote to memory of 4536 2288 Deoaid32.exe 95 PID 4536 wrote to memory of 4996 4536 Eefhjc32.exe 96 PID 4536 wrote to memory of 4996 4536 Eefhjc32.exe 96 PID 4536 wrote to memory of 4996 4536 Eefhjc32.exe 96 PID 4996 wrote to memory of 856 4996 Ekhjmiad.exe 97 PID 4996 wrote to memory of 856 4996 Ekhjmiad.exe 97 PID 4996 wrote to memory of 856 4996 Ekhjmiad.exe 97 PID 856 wrote to memory of 3812 856 Fhqcam32.exe 98 PID 856 wrote to memory of 3812 856 Fhqcam32.exe 98 PID 856 wrote to memory of 3812 856 Fhqcam32.exe 98 PID 3812 wrote to memory of 5044 3812 Fooeif32.exe 99 PID 3812 wrote to memory of 5044 3812 Fooeif32.exe 99 PID 3812 wrote to memory of 5044 3812 Fooeif32.exe 99 PID 5044 wrote to memory of 3936 5044 Ghlcnk32.exe 100 PID 5044 wrote to memory of 3936 5044 Ghlcnk32.exe 100 PID 5044 wrote to memory of 3936 5044 Ghlcnk32.exe 100 PID 3936 wrote to memory of 4164 3936 Gdhmnlcj.exe 101 PID 3936 wrote to memory of 4164 3936 Gdhmnlcj.exe 101 PID 3936 wrote to memory of 4164 3936 Gdhmnlcj.exe 101 PID 4164 wrote to memory of 872 4164 Hckjacjg.exe 102 PID 4164 wrote to memory of 872 4164 Hckjacjg.exe 102 PID 4164 wrote to memory of 872 4164 Hckjacjg.exe 102 PID 872 wrote to memory of 4112 872 Hofdacke.exe 103 PID 872 wrote to memory of 4112 872 Hofdacke.exe 103 PID 872 wrote to memory of 4112 872 Hofdacke.exe 103 PID 4112 wrote to memory of 2020 4112 Iehfdi32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ddde504c0583e4d311ee0dced160d840_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\ddde504c0583e4d311ee0dced160d840_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Iehfdi32.exeC:\Windows\system32\Iehfdi32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3696 -
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Kfmepi32.exeC:\Windows\system32\Kfmepi32.exe26⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe27⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe28⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Lebkhc32.exeC:\Windows\system32\Lebkhc32.exe29⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Mchhggno.exeC:\Windows\system32\Mchhggno.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5108 -
C:\Windows\SysWOW64\Mdmnlj32.exeC:\Windows\system32\Mdmnlj32.exe31⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Ngpccdlj.exeC:\Windows\system32\Ngpccdlj.exe32⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe33⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe34⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe35⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Ofqpqo32.exeC:\Windows\system32\Ofqpqo32.exe36⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Odapnf32.exeC:\Windows\system32\Odapnf32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe38⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe39⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe40⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe41⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe42⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe43⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe44⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe45⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe47⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4204 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe49⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe50⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe51⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe53⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe54⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe56⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe57⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe58⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe59⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe60⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe61⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe62⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe63⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe64⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe65⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:208 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe67⤵
- Modifies registry class
PID:4796 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe68⤵PID:1184
-
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe69⤵
- Modifies registry class
PID:4716 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe70⤵PID:4704
-
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe71⤵PID:1396
-
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe72⤵PID:4684
-
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe73⤵PID:4144
-
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3708 -
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe75⤵PID:4028
-
C:\Windows\SysWOW64\Emaedo32.exeC:\Windows\system32\Emaedo32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4628 -
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe77⤵PID:800
-
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe78⤵
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Ekiohclf.exeC:\Windows\system32\Ekiohclf.exe79⤵PID:1448
-
C:\Windows\SysWOW64\Fhmpagkp.exeC:\Windows\system32\Fhmpagkp.exe80⤵PID:3188
-
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe81⤵PID:2232
-
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe82⤵PID:1764
-
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4356 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe84⤵
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe85⤵PID:2808
-
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe86⤵PID:1828
-
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe87⤵PID:2592
-
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe88⤵PID:3456
-
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe89⤵PID:4468
-
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe90⤵PID:2476
-
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe91⤵PID:1932
-
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe92⤵PID:740
-
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe93⤵PID:3412
-
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe94⤵
- Drops file in System32 directory
PID:4032 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe95⤵PID:2912
-
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe96⤵PID:3720
-
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1732 -
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3880 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe99⤵PID:2524
-
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe100⤵
- Drops file in System32 directory
PID:3740 -
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe101⤵PID:1616
-
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe102⤵PID:3756
-
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe103⤵PID:4932
-
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe104⤵PID:1624
-
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe105⤵PID:4108
-
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe106⤵PID:3236
-
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe107⤵PID:1012
-
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe108⤵PID:2268
-
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe109⤵PID:4340
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe110⤵PID:1544
-
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe111⤵PID:4200
-
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe112⤵PID:4584
-
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:5148 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe114⤵PID:5192
-
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe115⤵
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe116⤵PID:5276
-
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe117⤵PID:5316
-
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5360 -
C:\Windows\SysWOW64\Kfjapcii.exeC:\Windows\system32\Kfjapcii.exe119⤵PID:5404
-
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe120⤵PID:5444
-
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe121⤵PID:5488
-
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe122⤵
- Drops file in System32 directory
PID:5532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-