Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 03:23
Behavioral task
behavioral1
Sample
de0cd03f3bef051e711f80491911d4d0_NEIKI.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
de0cd03f3bef051e711f80491911d4d0_NEIKI.exe
Resource
win10v2004-20240426-en
General
-
Target
de0cd03f3bef051e711f80491911d4d0_NEIKI.exe
-
Size
3.7MB
-
MD5
de0cd03f3bef051e711f80491911d4d0
-
SHA1
cdca03424f6f97fef661fa3c27ac57938f6d8f1d
-
SHA256
b3506e6760f5d376b1d5ecd79d29f36276e8947451f91567c68749fc5cbf4b41
-
SHA512
777e98d8b8379bd909036369854d42a8398027f9b68c8a3efe203dd85aec665350ec044a541602e720c3d894a5e857fe937518a49566b6d645f6ce3723e50033
-
SSDEEP
98304:IrTWVDBzcjgBNXcolMZ5nNxvM0oLoPKnllYUugyF:IXWVDBzcjgBNXcolMZ5nNxvM0oLo6Yb
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfdmggnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngkogj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednpej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iompkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhehek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjnfniii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bppoqeja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifkacb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjpeifj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkaiqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biojif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boifga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eblelb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmceigep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meagci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackkppma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkjcplpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opialpld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpnbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coicfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnmgmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apalea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgidao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jabponba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kemejc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcmjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncjqhmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhllob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjqhmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlljjjnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfnnha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Incpoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bifgdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mppepcfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdehon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcblan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpieengb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcbakpdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbfbgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbdallnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpfkqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngkogj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dccagcgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocflgga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dknekeef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegqdqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndemjoae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfahhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhfjjdjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpqdkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlngpjlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkklljmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcpimq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciagojda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkeohhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipllekdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fggmldfp.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000f000000012272-5.dat family_berbew behavioral1/files/0x0009000000015cf3-18.dat family_berbew behavioral1/files/0x0009000000015cbf-32.dat family_berbew behavioral1/files/0x0007000000015d13-52.dat family_berbew behavioral1/files/0x00070000000165d4-60.dat family_berbew behavioral1/files/0x0006000000016a7d-82.dat family_berbew behavioral1/files/0x0006000000016c5d-89.dat family_berbew behavioral1/files/0x0006000000016caf-110.dat family_berbew behavioral1/files/0x0006000000016d05-117.dat family_berbew behavioral1/files/0x0006000000016d22-138.dat family_berbew behavioral1/files/0x0006000000016d33-150.dat family_berbew behavioral1/files/0x0006000000016d44-164.dat family_berbew behavioral1/files/0x0006000000016d55-175.dat family_berbew behavioral1/files/0x0006000000016d78-195.dat family_berbew behavioral1/files/0x0006000000016db2-215.dat family_berbew behavioral1/files/0x00060000000175f4-265.dat family_berbew behavioral1/files/0x000500000001a53e-903.dat family_berbew behavioral1/files/0x000500000001c748-973.dat family_berbew behavioral1/files/0x000500000001c89f-1028.dat family_berbew behavioral1/files/0x000500000001c8dd-1122.dat family_berbew behavioral1/files/0x000400000001cabb-1301.dat family_berbew behavioral1/files/0x000400000001cbbf-1363.dat family_berbew behavioral1/files/0x000400000001cc48-1514.dat family_berbew behavioral1/files/0x000400000001ccc2-1588.dat family_berbew behavioral1/files/0x000400000001d217-1901.dat family_berbew behavioral1/files/0x000400000001d41f-2045.dat family_berbew behavioral1/files/0x000400000001d835-2189.dat family_berbew behavioral1/files/0x000400000001dae8-2598.dat family_berbew behavioral1/files/0x000400000001dbd5-2694.dat family_berbew behavioral1/files/0x000400000001dc45-2791.dat family_berbew behavioral1/files/0x000400000001de49-3119.dat family_berbew behavioral1/files/0x000400000001de85-3168.dat family_berbew behavioral1/files/0x000400000001de81-3160.dat family_berbew behavioral1/files/0x000400000001de75-3152.dat family_berbew behavioral1/files/0x000400000001de6b-3144.dat family_berbew behavioral1/files/0x000400000001de61-3136.dat family_berbew behavioral1/files/0x000400000001de59-3128.dat family_berbew behavioral1/files/0x000400000001de45-3111.dat family_berbew behavioral1/files/0x000400000001de35-3103.dat family_berbew behavioral1/files/0x000400000001de33-3095.dat family_berbew behavioral1/files/0x000400000001de30-3087.dat family_berbew behavioral1/files/0x000400000001de2c-3079.dat family_berbew behavioral1/files/0x000400000001de28-3071.dat family_berbew behavioral1/files/0x000400000001de91-3220.dat family_berbew behavioral1/files/0x000400000001de9a-3232.dat family_berbew behavioral1/files/0x000400000001de23-3063.dat family_berbew behavioral1/files/0x000400000001de1f-3055.dat family_berbew behavioral1/files/0x000400000001de1b-3047.dat family_berbew behavioral1/files/0x000400000001de17-3039.dat family_berbew behavioral1/files/0x000400000001de13-3031.dat family_berbew behavioral1/files/0x000400000001ddef-3023.dat family_berbew behavioral1/files/0x000400000001dddb-3015.dat family_berbew behavioral1/files/0x000400000001dd82-3009.dat family_berbew behavioral1/files/0x000400000001dd7b-2999.dat family_berbew behavioral1/files/0x000400000001dd76-2991.dat family_berbew behavioral1/files/0x000400000001dd6c-2983.dat family_berbew behavioral1/files/0x000400000001dd5b-2975.dat family_berbew behavioral1/files/0x000400000001dd52-2967.dat family_berbew behavioral1/files/0x000400000001dd4a-2959.dat family_berbew behavioral1/files/0x000400000001dd35-2951.dat family_berbew behavioral1/files/0x000400000001dd26-2943.dat family_berbew behavioral1/files/0x000400000001dd18-2935.dat family_berbew behavioral1/files/0x000400000001dd0a-2927.dat family_berbew behavioral1/files/0x000400000001dcf2-2919.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2188 Affhncfc.exe 1760 Bbdocc32.exe 2076 Baqbenep.exe 2760 Cdlnkmha.exe 2552 Ckffgg32.exe 2564 Ebedndfa.exe 2636 Goddhg32.exe 1100 Hiqbndpb.exe 1244 Ihankokm.exe 1008 Iokfhi32.exe 2184 Idhopq32.exe 1660 Ikbgmj32.exe 2716 Idklfpon.exe 2156 Incpoe32.exe 2292 Icpigm32.exe 484 Jqdipqbp.exe 1480 Jfcnngnd.exe 1872 Jkpgfn32.exe 2480 Jehkodcm.exe 844 Jkbcln32.exe 2280 Jfghif32.exe 792 Jgidao32.exe 1256 Jnclnihj.exe 1676 Kemejc32.exe 2152 Kkgmgmfd.exe 900 Kaceodek.exe 1604 Kcbakpdo.exe 2264 Kngfih32.exe 1460 Kcdnao32.exe 2824 Kjnfniii.exe 2104 Kahojc32.exe 2816 Kfegbj32.exe 2516 Kaklpcoc.exe 2800 Kblhgk32.exe 2352 Kifpdelo.exe 2720 Lpphap32.exe 1948 Lfjqnjkh.exe 1248 Lmcijcbe.exe 2752 Lbqabkql.exe 2988 Lijjoe32.exe 1488 Lpdbloof.exe 444 Lafndg32.exe 1548 Lhpfqama.exe 796 Lojomkdn.exe 1516 Ldfgebbe.exe 1200 Lkppbl32.exe 2356 Lefdpe32.exe 2456 Mggpgmof.exe 2896 Mppepcfg.exe 2856 Mhgmapfi.exe 2560 Mmceigep.exe 2036 Mdmmfa32.exe 1304 Mijfnh32.exe 1424 Mpdnkb32.exe 1544 Meagci32.exe 2308 Mpfkqb32.exe 2276 Mgqcmlgl.exe 2164 Mhbped32.exe 1084 Ncgdbmmp.exe 2080 Nhdlkdkg.exe 2204 Ncjqhmkm.exe 2120 Nhfipcid.exe 2812 Noqamn32.exe 1380 Nejiih32.exe -
Loads dropped DLL 64 IoCs
pid Process 1736 de0cd03f3bef051e711f80491911d4d0_NEIKI.exe 1736 de0cd03f3bef051e711f80491911d4d0_NEIKI.exe 2188 Affhncfc.exe 2188 Affhncfc.exe 1760 Bbdocc32.exe 1760 Bbdocc32.exe 2076 Baqbenep.exe 2076 Baqbenep.exe 2760 Cdlnkmha.exe 2760 Cdlnkmha.exe 2552 Ckffgg32.exe 2552 Ckffgg32.exe 2564 Ebedndfa.exe 2564 Ebedndfa.exe 2636 Goddhg32.exe 2636 Goddhg32.exe 1100 Hiqbndpb.exe 1100 Hiqbndpb.exe 1244 Ihankokm.exe 1244 Ihankokm.exe 1008 Iokfhi32.exe 1008 Iokfhi32.exe 2184 Idhopq32.exe 2184 Idhopq32.exe 1660 Ikbgmj32.exe 1660 Ikbgmj32.exe 2716 Idklfpon.exe 2716 Idklfpon.exe 2156 Incpoe32.exe 2156 Incpoe32.exe 2292 Icpigm32.exe 2292 Icpigm32.exe 484 Jqdipqbp.exe 484 Jqdipqbp.exe 1480 Jfcnngnd.exe 1480 Jfcnngnd.exe 1872 Jkpgfn32.exe 1872 Jkpgfn32.exe 2480 Jehkodcm.exe 2480 Jehkodcm.exe 844 Jkbcln32.exe 844 Jkbcln32.exe 2280 Jfghif32.exe 2280 Jfghif32.exe 792 Jgidao32.exe 792 Jgidao32.exe 1256 Jnclnihj.exe 1256 Jnclnihj.exe 1676 Kemejc32.exe 1676 Kemejc32.exe 2152 Kkgmgmfd.exe 2152 Kkgmgmfd.exe 900 Kaceodek.exe 900 Kaceodek.exe 1604 Kcbakpdo.exe 1604 Kcbakpdo.exe 2264 Kngfih32.exe 2264 Kngfih32.exe 1460 Kcdnao32.exe 1460 Kcdnao32.exe 2824 Kjnfniii.exe 2824 Kjnfniii.exe 2104 Kahojc32.exe 2104 Kahojc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pfoocjfd.exe Okikfagn.exe File created C:\Windows\SysWOW64\Cnmehnan.exe Cgcmlcja.exe File created C:\Windows\SysWOW64\Cjdfmo32.exe Chbjffad.exe File created C:\Windows\SysWOW64\Mmjale32.dll Ednpej32.exe File created C:\Windows\SysWOW64\Bdacap32.dll Enhacojl.exe File created C:\Windows\SysWOW64\Pmjaohol.exe Pjleclph.exe File created C:\Windows\SysWOW64\Ccnifd32.exe Bfcodkcb.exe File created C:\Windows\SysWOW64\Lplbjm32.exe Llpfjomf.exe File opened for modification C:\Windows\SysWOW64\Nhfipcid.exe Ncjqhmkm.exe File opened for modification C:\Windows\SysWOW64\Fidoim32.exe Echfaf32.exe File created C:\Windows\SysWOW64\Gbcfadgl.exe Gljnej32.exe File opened for modification C:\Windows\SysWOW64\Lpdbloof.exe Lijjoe32.exe File opened for modification C:\Windows\SysWOW64\Pjcabmga.exe Pciifc32.exe File opened for modification C:\Windows\SysWOW64\Bbjbaa32.exe Blpjegfm.exe File opened for modification C:\Windows\SysWOW64\Bifgdk32.exe Bblogakg.exe File created C:\Windows\SysWOW64\Cgjcijfp.dll Cnmehnan.exe File created C:\Windows\SysWOW64\Hlngpjlj.exe Hipkdnmf.exe File opened for modification C:\Windows\SysWOW64\Kegqdqbl.exe Knmhgf32.exe File opened for modification C:\Windows\SysWOW64\Cmmcpi32.exe Ciagojda.exe File created C:\Windows\SysWOW64\Nkiogn32.exe Ndpfkdmf.exe File created C:\Windows\SysWOW64\Milokblc.dll Pciifc32.exe File created C:\Windows\SysWOW64\Mncfoa32.dll Giieco32.exe File opened for modification C:\Windows\SysWOW64\Jnclnihj.exe Jgidao32.exe File created C:\Windows\SysWOW64\Noqamn32.exe Nhfipcid.exe File opened for modification C:\Windows\SysWOW64\Afohaa32.exe Amfcikek.exe File opened for modification C:\Windows\SysWOW64\Gbcfadgl.exe Gljnej32.exe File created C:\Windows\SysWOW64\Hloopaak.dll Kfbcbd32.exe File created C:\Windows\SysWOW64\Eebghjja.dll Okfgfl32.exe File created C:\Windows\SysWOW64\Hkkdneid.dll Lijjoe32.exe File created C:\Windows\SysWOW64\Pbmnie32.dll Mdmmfa32.exe File created C:\Windows\SysWOW64\Bmpfojmp.exe Bbjbaa32.exe File opened for modification C:\Windows\SysWOW64\Acicla32.exe Aeoijidl.exe File created C:\Windows\SysWOW64\Hccadd32.dll Cncmcm32.exe File opened for modification C:\Windows\SysWOW64\Hjfnnajl.exe Hclfag32.exe File opened for modification C:\Windows\SysWOW64\Hiqbndpb.exe Goddhg32.exe File opened for modification C:\Windows\SysWOW64\Ginnnooi.exe Gbcfadgl.exe File created C:\Windows\SysWOW64\Abphal32.exe Apalea32.exe File created C:\Windows\SysWOW64\Aodcbn32.dll Mkipao32.exe File created C:\Windows\SysWOW64\Bmkmdk32.exe Bfadgq32.exe File created C:\Windows\SysWOW64\Eddpkh32.dll Bifgdk32.exe File created C:\Windows\SysWOW64\Ckjpacfp.exe Bemgilhh.exe File created C:\Windows\SysWOW64\Nfolbbmp.dll Blaopqpo.exe File created C:\Windows\SysWOW64\Hkabadei.dll Ckffgg32.exe File created C:\Windows\SysWOW64\Jjpdcc32.dll Jgidao32.exe File opened for modification C:\Windows\SysWOW64\Kahojc32.exe Kjnfniii.exe File created C:\Windows\SysWOW64\Nneloe32.dll Nceclqan.exe File created C:\Windows\SysWOW64\Jmbiipml.exe Jfiale32.exe File opened for modification C:\Windows\SysWOW64\Pdlkiepd.exe Pckoam32.exe File created C:\Windows\SysWOW64\Afgkfl32.exe Aeenochi.exe File created C:\Windows\SysWOW64\Noockemb.dll Kokmmkcm.exe File created C:\Windows\SysWOW64\Kbjlonii.dll Kcdnao32.exe File created C:\Windows\SysWOW64\Ncdbcl32.dll Afohaa32.exe File opened for modification C:\Windows\SysWOW64\Chbjffad.exe Cnmehnan.exe File created C:\Windows\SysWOW64\Godgob32.dll Ginnnooi.exe File created C:\Windows\SysWOW64\Llcohjcg.dll Mkhofjoj.exe File created C:\Windows\SysWOW64\Dncibp32.exe Cmmcpi32.exe File opened for modification C:\Windows\SysWOW64\Lefdpe32.exe Lkppbl32.exe File opened for modification C:\Windows\SysWOW64\Abmbhn32.exe Ahgnke32.exe File created C:\Windows\SysWOW64\Agmceh32.dll Kbdklf32.exe File created C:\Windows\SysWOW64\Cophek32.dll Aeenochi.exe File created C:\Windows\SysWOW64\Dadfhdil.dll Eblelb32.exe File created C:\Windows\SysWOW64\Icpigm32.exe Incpoe32.exe File created C:\Windows\SysWOW64\Ampehe32.dll Eccmffjf.exe File created C:\Windows\SysWOW64\Fbamma32.exe Flgeqgog.exe -
Program crash 1 IoCs
pid pid_target Process 6056 6008 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbdocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmkmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgalqkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alnqqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jijokbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gajqbakc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckjpacfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfjnod32.dll" Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hibeif32.dll" Oagmmgdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mblbnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daoiajfm.dll" Lbqabkql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pciifc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhbfdjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcopbn32.dll" Lnbbbffj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alhmjbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmkonce.dll" Fnhnbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbdklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnlnhm32.dll" Gajqbakc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaldl32.dll" Fbamma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjphijco.dll" Abphal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfcodkcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmqmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfjcc32.dll" Iamimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icmegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeghkck.dll" Mkklljmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qngmgjeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmldme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klfjpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjacko32.dll" Kfegbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpdbloof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pklhlael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioaoic.dll" Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkemkhcd.dll" Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdfhjik.dll" Moanaiie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgjjad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfbpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll" Nekbmgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjpnbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kocpbfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbmfll32.dll" Ldfgebbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbhomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll" Pmagdbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccnnibig.dll" Ahgnke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpjdjmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcblan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqbijmn.dll" Npbklabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cncmcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgjcijfp.dll" Cnmehnan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iodahd32.dll" Hdqbekcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpjdjmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjfnnajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amkoie32.dll" Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgaqoq32.dll" Hkcdafqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpmmfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acicla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjleclph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghlpli32.dll" Hiqbndpb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1736 wrote to memory of 2188 1736 de0cd03f3bef051e711f80491911d4d0_NEIKI.exe 28 PID 1736 wrote to memory of 2188 1736 de0cd03f3bef051e711f80491911d4d0_NEIKI.exe 28 PID 1736 wrote to memory of 2188 1736 de0cd03f3bef051e711f80491911d4d0_NEIKI.exe 28 PID 1736 wrote to memory of 2188 1736 de0cd03f3bef051e711f80491911d4d0_NEIKI.exe 28 PID 2188 wrote to memory of 1760 2188 Affhncfc.exe 29 PID 2188 wrote to memory of 1760 2188 Affhncfc.exe 29 PID 2188 wrote to memory of 1760 2188 Affhncfc.exe 29 PID 2188 wrote to memory of 1760 2188 Affhncfc.exe 29 PID 1760 wrote to memory of 2076 1760 Bbdocc32.exe 30 PID 1760 wrote to memory of 2076 1760 Bbdocc32.exe 30 PID 1760 wrote to memory of 2076 1760 Bbdocc32.exe 30 PID 1760 wrote to memory of 2076 1760 Bbdocc32.exe 30 PID 2076 wrote to memory of 2760 2076 Baqbenep.exe 31 PID 2076 wrote to memory of 2760 2076 Baqbenep.exe 31 PID 2076 wrote to memory of 2760 2076 Baqbenep.exe 31 PID 2076 wrote to memory of 2760 2076 Baqbenep.exe 31 PID 2760 wrote to memory of 2552 2760 Cdlnkmha.exe 32 PID 2760 wrote to memory of 2552 2760 Cdlnkmha.exe 32 PID 2760 wrote to memory of 2552 2760 Cdlnkmha.exe 32 PID 2760 wrote to memory of 2552 2760 Cdlnkmha.exe 32 PID 2552 wrote to memory of 2564 2552 Ckffgg32.exe 33 PID 2552 wrote to memory of 2564 2552 Ckffgg32.exe 33 PID 2552 wrote to memory of 2564 2552 Ckffgg32.exe 33 PID 2552 wrote to memory of 2564 2552 Ckffgg32.exe 33 PID 2564 wrote to memory of 2636 2564 Ebedndfa.exe 34 PID 2564 wrote to memory of 2636 2564 Ebedndfa.exe 34 PID 2564 wrote to memory of 2636 2564 Ebedndfa.exe 34 PID 2564 wrote to memory of 2636 2564 Ebedndfa.exe 34 PID 2636 wrote to memory of 1100 2636 Goddhg32.exe 35 PID 2636 wrote to memory of 1100 2636 Goddhg32.exe 35 PID 2636 wrote to memory of 1100 2636 Goddhg32.exe 35 PID 2636 wrote to memory of 1100 2636 Goddhg32.exe 35 PID 1100 wrote to memory of 1244 1100 Hiqbndpb.exe 36 PID 1100 wrote to memory of 1244 1100 Hiqbndpb.exe 36 PID 1100 wrote to memory of 1244 1100 Hiqbndpb.exe 36 PID 1100 wrote to memory of 1244 1100 Hiqbndpb.exe 36 PID 1244 wrote to memory of 1008 1244 Ihankokm.exe 37 PID 1244 wrote to memory of 1008 1244 Ihankokm.exe 37 PID 1244 wrote to memory of 1008 1244 Ihankokm.exe 37 PID 1244 wrote to memory of 1008 1244 Ihankokm.exe 37 PID 1008 wrote to memory of 2184 1008 Iokfhi32.exe 38 PID 1008 wrote to memory of 2184 1008 Iokfhi32.exe 38 PID 1008 wrote to memory of 2184 1008 Iokfhi32.exe 38 PID 1008 wrote to memory of 2184 1008 Iokfhi32.exe 38 PID 2184 wrote to memory of 1660 2184 Idhopq32.exe 39 PID 2184 wrote to memory of 1660 2184 Idhopq32.exe 39 PID 2184 wrote to memory of 1660 2184 Idhopq32.exe 39 PID 2184 wrote to memory of 1660 2184 Idhopq32.exe 39 PID 1660 wrote to memory of 2716 1660 Ikbgmj32.exe 40 PID 1660 wrote to memory of 2716 1660 Ikbgmj32.exe 40 PID 1660 wrote to memory of 2716 1660 Ikbgmj32.exe 40 PID 1660 wrote to memory of 2716 1660 Ikbgmj32.exe 40 PID 2716 wrote to memory of 2156 2716 Idklfpon.exe 41 PID 2716 wrote to memory of 2156 2716 Idklfpon.exe 41 PID 2716 wrote to memory of 2156 2716 Idklfpon.exe 41 PID 2716 wrote to memory of 2156 2716 Idklfpon.exe 41 PID 2156 wrote to memory of 2292 2156 Incpoe32.exe 42 PID 2156 wrote to memory of 2292 2156 Incpoe32.exe 42 PID 2156 wrote to memory of 2292 2156 Incpoe32.exe 42 PID 2156 wrote to memory of 2292 2156 Incpoe32.exe 42 PID 2292 wrote to memory of 484 2292 Icpigm32.exe 43 PID 2292 wrote to memory of 484 2292 Icpigm32.exe 43 PID 2292 wrote to memory of 484 2292 Icpigm32.exe 43 PID 2292 wrote to memory of 484 2292 Icpigm32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\de0cd03f3bef051e711f80491911d4d0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\de0cd03f3bef051e711f80491911d4d0_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:484 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:792 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1256 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe34⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe35⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe36⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe37⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe38⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe39⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe43⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe44⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe45⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe48⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe49⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe54⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe55⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe58⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe59⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe60⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe61⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe64⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe65⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe66⤵PID:2840
-
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe67⤵PID:2368
-
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe69⤵PID:2556
-
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe70⤵PID:3104
-
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe71⤵
- Drops file in System32 directory
PID:3168 -
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe72⤵PID:3224
-
C:\Windows\SysWOW64\Oqideepg.exeC:\Windows\system32\Oqideepg.exe73⤵PID:3288
-
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe74⤵PID:3360
-
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe75⤵PID:3420
-
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe76⤵PID:3492
-
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe77⤵PID:3552
-
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe78⤵PID:3616
-
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe79⤵PID:3672
-
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe80⤵PID:3736
-
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe81⤵PID:3796
-
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:3860 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe83⤵PID:3924
-
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe84⤵
- Modifies registry class
PID:3988 -
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe85⤵PID:4052
-
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe86⤵PID:3028
-
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe87⤵
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe89⤵PID:2588
-
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe90⤵PID:2540
-
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe91⤵PID:2052
-
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe92⤵PID:876
-
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe93⤵PID:2028
-
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1352 -
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe95⤵PID:1612
-
C:\Windows\SysWOW64\Qfokbnip.exeC:\Windows\system32\Qfokbnip.exe96⤵
- Modifies registry class
PID:3128 -
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe97⤵PID:2532
-
C:\Windows\SysWOW64\Qfahhm32.exeC:\Windows\system32\Qfahhm32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3284 -
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe99⤵
- Modifies registry class
PID:3208 -
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe100⤵PID:3320
-
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:3412 -
C:\Windows\SysWOW64\Abmbhn32.exeC:\Windows\system32\Abmbhn32.exe102⤵PID:3512
-
C:\Windows\SysWOW64\Adnopfoj.exeC:\Windows\system32\Adnopfoj.exe103⤵PID:3460
-
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe104⤵
- Drops file in System32 directory
PID:3576 -
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe105⤵
- Drops file in System32 directory
PID:3648 -
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe106⤵PID:3680
-
C:\Windows\SysWOW64\Bfadgq32.exeC:\Windows\system32\Bfadgq32.exe107⤵
- Drops file in System32 directory
PID:3752 -
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe108⤵
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Bbhela32.exeC:\Windows\system32\Bbhela32.exe109⤵PID:3856
-
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe110⤵
- Drops file in System32 directory
PID:3916 -
C:\Windows\SysWOW64\Bbjbaa32.exeC:\Windows\system32\Bbjbaa32.exe111⤵
- Drops file in System32 directory
PID:3964 -
C:\Windows\SysWOW64\Bmpfojmp.exeC:\Windows\system32\Bmpfojmp.exe112⤵PID:4048
-
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe113⤵
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Bifgdk32.exeC:\Windows\system32\Bifgdk32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Bppoqeja.exeC:\Windows\system32\Bppoqeja.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2992 -
C:\Windows\SysWOW64\Bemgilhh.exeC:\Windows\system32\Bemgilhh.exe116⤵
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Ckjpacfp.exeC:\Windows\system32\Ckjpacfp.exe117⤵
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe118⤵PID:3060
-
C:\Windows\SysWOW64\Clilkfnb.exeC:\Windows\system32\Clilkfnb.exe119⤵PID:1020
-
C:\Windows\SysWOW64\Cafecmlj.exeC:\Windows\system32\Cafecmlj.exe120⤵
- Modifies registry class
PID:3092 -
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe121⤵
- Drops file in System32 directory
PID:3236 -
C:\Windows\SysWOW64\Cnmehnan.exeC:\Windows\system32\Cnmehnan.exe122⤵
- Drops file in System32 directory
- Modifies registry class
PID:3212
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-