Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 03:23
Behavioral task
behavioral1
Sample
de1c5b59010e912f48e8dc0086d7fad0_NEIKI.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
de1c5b59010e912f48e8dc0086d7fad0_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
de1c5b59010e912f48e8dc0086d7fad0_NEIKI.exe
-
Size
141KB
-
MD5
de1c5b59010e912f48e8dc0086d7fad0
-
SHA1
ea4df63ce5011519318991fb78e932f67a009830
-
SHA256
b521920c0526ca8450f75ec86916cb801110b2edca600be5f4ec0290d2b3a6bc
-
SHA512
9fef05d6d532cc0bb026f65c9a9314a22c594686cb6a6f9c5cd89ec169e741d4165a69f510cc28a1f7464e88562802bb59c53f298cb520d690f86eeff9595588
-
SSDEEP
3072:+llQ+n0A9aYFbwQ9bGCmBJFWpoPSkGFj/p7sW0l:+llQML9aYFbN9bGCKJFtE/JK
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpcmpijk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Affhncfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfabp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dliijipn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pndniaop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajaoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkclhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdaoog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adpkee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbfdjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjcplpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kegqdqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oghlgdgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbdna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebinic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhjhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnaocmmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljnej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfgmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejgcdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohjaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiomkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnaocmmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpfkqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlgldibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Modkfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmqdkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdkli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlkdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpcmpijk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfknbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ailkjmpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lollckbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amndem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddeaalpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkmdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hakphqja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkhnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlekia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hicodd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cngcjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idklfpon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnhkcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdjpeifj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljmlbfhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bagpopmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndbcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nehmdhja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbelgood.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjpeifj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbfhbeek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cngcjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaefjm32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000d000000012333-5.dat family_berbew behavioral1/files/0x0007000000015023-19.dat family_berbew behavioral1/files/0x0007000000015362-32.dat family_berbew behavioral1/files/0x0009000000015642-44.dat family_berbew behavioral1/files/0x0006000000015cdb-59.dat family_berbew behavioral1/files/0x0006000000015cf7-72.dat family_berbew behavioral1/files/0x0006000000015f1b-104.dat family_berbew behavioral1/files/0x0006000000016056-117.dat family_berbew behavioral1/files/0x0006000000016277-133.dat family_berbew behavioral1/files/0x0006000000016c2e-187.dat family_berbew behavioral1/files/0x0006000000016ce1-207.dat family_berbew behavioral1/files/0x0006000000016cf5-225.dat family_berbew behavioral1/files/0x0006000000016d06-234.dat family_berbew behavioral1/files/0x0006000000016d4b-278.dat family_berbew behavioral1/files/0x0006000000017185-297.dat family_berbew behavioral1/files/0x0009000000018648-332.dat family_berbew behavioral1/files/0x00050000000186c4-352.dat family_berbew behavioral1/files/0x0005000000018756-374.dat family_berbew behavioral1/files/0x0005000000019260-416.dat family_berbew behavioral1/files/0x000500000001942d-470.dat family_berbew behavioral1/files/0x00050000000195e2-494.dat family_berbew behavioral1/files/0x00050000000195e6-506.dat family_berbew behavioral1/files/0x00050000000195ea-517.dat family_berbew behavioral1/files/0x00050000000195f2-536.dat family_berbew behavioral1/files/0x00050000000195f5-549.dat family_berbew behavioral1/files/0x00050000000195fc-571.dat family_berbew behavioral1/files/0x0005000000019688-592.dat family_berbew behavioral1/files/0x00050000000198c6-613.dat family_berbew behavioral1/files/0x0005000000019c2b-625.dat family_berbew behavioral1/files/0x0005000000019d94-649.dat family_berbew behavioral1/files/0x000500000001a00b-668.dat family_berbew behavioral1/files/0x000500000001a0ac-688.dat family_berbew behavioral1/files/0x000500000001a430-708.dat family_berbew behavioral1/files/0x000500000001a471-727.dat family_berbew behavioral1/files/0x000500000001a4a0-749.dat family_berbew behavioral1/files/0x000500000001a4bc-801.dat family_berbew behavioral1/files/0x000500000001a4de-900.dat family_berbew behavioral1/files/0x000500000001a4e6-927.dat family_berbew behavioral1/files/0x000500000001a4ee-940.dat family_berbew behavioral1/files/0x000500000001a4f6-967.dat family_berbew behavioral1/files/0x000500000001ad8d-1018.dat family_berbew behavioral1/files/0x000500000001c859-1106.dat family_berbew behavioral1/files/0x000500000001c886-1133.dat family_berbew behavioral1/files/0x000500000001c88e-1156.dat family_berbew behavioral1/files/0x000500000001c8a7-1226.dat family_berbew behavioral1/files/0x000500000001c8b0-1251.dat family_berbew behavioral1/files/0x000500000001c8b4-1261.dat family_berbew behavioral1/files/0x000500000001c8bc-1282.dat family_berbew behavioral1/files/0x000500000001c8c8-1313.dat family_berbew behavioral1/files/0x000400000001c957-1343.dat family_berbew behavioral1/files/0x000400000001ca60-1362.dat family_berbew behavioral1/files/0x000400000001cb7b-1419.dat family_berbew behavioral1/files/0x000400000001cba5-1468.dat family_berbew behavioral1/files/0x000400000001cbc1-1493.dat family_berbew behavioral1/files/0x000400000001cc07-1543.dat family_berbew behavioral1/files/0x000400000001cc10-1551.dat family_berbew behavioral1/files/0x000400000001cc30-1576.dat family_berbew behavioral1/files/0x000400000001cc81-1583.dat family_berbew behavioral1/files/0x000400000001cc9b-1649.dat family_berbew behavioral1/files/0x000400000001cce8-1655.dat family_berbew behavioral1/files/0x000400000001cd5c-1672.dat family_berbew behavioral1/files/0x000400000001ce28-1688.dat family_berbew behavioral1/files/0x000400000001ce5c-1697.dat family_berbew behavioral1/files/0x000400000001cf64-1722.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2112 Ofdcjm32.exe 1756 Onphoo32.exe 2692 Odjpkihg.exe 2084 Oiellh32.exe 2500 Oghlgdgk.exe 2472 Ojficpfn.exe 3008 Obnqem32.exe 2836 Oelmai32.exe 2936 Okfencna.exe 884 Ojieip32.exe 2764 Omgaek32.exe 2520 Oenifh32.exe 824 Ogmfbd32.exe 1420 Ojkboo32.exe 2036 Ongnonkb.exe 1172 Paejki32.exe 560 Pgobhcac.exe 1492 Pfbccp32.exe 1868 Pipopl32.exe 1108 Pmlkpjpj.exe 2188 Pcfcmd32.exe 1660 Pfdpip32.exe 1040 Pmnhfjmg.exe 276 Plahag32.exe 2544 Pchpbded.exe 1804 Pfflopdh.exe 2868 Pmqdkj32.exe 3036 Plcdgfbo.exe 2288 Ppoqge32.exe 2576 Pbmmcq32.exe 632 Pelipl32.exe 2516 Phjelg32.exe 2768 Ppamme32.exe 304 Pndniaop.exe 2812 Penfelgm.exe 1624 Qhmbagfa.exe 2272 Qjknnbed.exe 2824 Qbbfopeg.exe 1296 Qaefjm32.exe 2788 Qeqbkkej.exe 1688 Qjmkcbcb.exe 2384 Qmlgonbe.exe 1996 Qecoqk32.exe 1300 Adeplhib.exe 1020 Ankdiqih.exe 2876 Amndem32.exe 1600 Aplpai32.exe 1228 Adhlaggp.exe 1676 Affhncfc.exe 1888 Ajbdna32.exe 2612 Aiedjneg.exe 676 Apomfh32.exe 760 Adjigg32.exe 2772 Abmibdlh.exe 776 Ajdadamj.exe 2900 Ambmpmln.exe 488 Apajlhka.exe 1964 Abpfhcje.exe 556 Afkbib32.exe 2968 Aiinen32.exe 1720 Amejeljk.exe 1884 Apcfahio.exe 2004 Abbbnchb.exe 2704 Aepojo32.exe -
Loads dropped DLL 64 IoCs
pid Process 2420 de1c5b59010e912f48e8dc0086d7fad0_NEIKI.exe 2420 de1c5b59010e912f48e8dc0086d7fad0_NEIKI.exe 2112 Ofdcjm32.exe 2112 Ofdcjm32.exe 1756 Onphoo32.exe 1756 Onphoo32.exe 2692 Odjpkihg.exe 2692 Odjpkihg.exe 2084 Oiellh32.exe 2084 Oiellh32.exe 2500 Oghlgdgk.exe 2500 Oghlgdgk.exe 2472 Ojficpfn.exe 2472 Ojficpfn.exe 3008 Obnqem32.exe 3008 Obnqem32.exe 2836 Oelmai32.exe 2836 Oelmai32.exe 2936 Okfencna.exe 2936 Okfencna.exe 884 Ojieip32.exe 884 Ojieip32.exe 2764 Omgaek32.exe 2764 Omgaek32.exe 2520 Oenifh32.exe 2520 Oenifh32.exe 824 Ogmfbd32.exe 824 Ogmfbd32.exe 1420 Ojkboo32.exe 1420 Ojkboo32.exe 2036 Ongnonkb.exe 2036 Ongnonkb.exe 1172 Paejki32.exe 1172 Paejki32.exe 560 Pgobhcac.exe 560 Pgobhcac.exe 1492 Pfbccp32.exe 1492 Pfbccp32.exe 1868 Pipopl32.exe 1868 Pipopl32.exe 1108 Pmlkpjpj.exe 1108 Pmlkpjpj.exe 2188 Pcfcmd32.exe 2188 Pcfcmd32.exe 1660 Pfdpip32.exe 1660 Pfdpip32.exe 1040 Pmnhfjmg.exe 1040 Pmnhfjmg.exe 276 Plahag32.exe 276 Plahag32.exe 2544 Pchpbded.exe 2544 Pchpbded.exe 1804 Pfflopdh.exe 1804 Pfflopdh.exe 2868 Pmqdkj32.exe 2868 Pmqdkj32.exe 3036 Plcdgfbo.exe 3036 Plcdgfbo.exe 2288 Ppoqge32.exe 2288 Ppoqge32.exe 2576 Pbmmcq32.exe 2576 Pbmmcq32.exe 632 Pelipl32.exe 632 Pelipl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ebgacddo.exe Enkece32.exe File opened for modification C:\Windows\SysWOW64\Fglipi32.exe Fiihdlpc.exe File created C:\Windows\SysWOW64\Higeofeq.dll Gffoldhp.exe File created C:\Windows\SysWOW64\Jkjfah32.exe Jhljdm32.exe File created C:\Windows\SysWOW64\Pienahqb.dll Afkbib32.exe File created C:\Windows\SysWOW64\Pmddhkao.dll Bagpopmj.exe File created C:\Windows\SysWOW64\Ealffeej.dll Pbmmcq32.exe File created C:\Windows\SysWOW64\Aiinen32.exe Afkbib32.exe File opened for modification C:\Windows\SysWOW64\Ngnbgplj.exe Ndpfkdmf.exe File opened for modification C:\Windows\SysWOW64\Ekhhadmk.exe Egllae32.exe File opened for modification C:\Windows\SysWOW64\Ilcmjl32.exe Ihgainbg.exe File opened for modification C:\Windows\SysWOW64\Mmldme32.exe Moidahcn.exe File created C:\Windows\SysWOW64\Dnilobkm.exe Djnpnc32.exe File created C:\Windows\SysWOW64\Ollfnfje.dll Jiondcpk.exe File created C:\Windows\SysWOW64\Knlafm32.dll Omdneebf.exe File created C:\Windows\SysWOW64\Jejinjob.dll Pjadmnic.exe File opened for modification C:\Windows\SysWOW64\Dggcffhg.exe Ddigjkid.exe File created C:\Windows\SysWOW64\Ngfflj32.exe Ndhipoob.exe File created C:\Windows\SysWOW64\Imhjppim.dll Cgpgce32.exe File created C:\Windows\SysWOW64\Glpjaf32.dll Ekholjqg.exe File created C:\Windows\SysWOW64\Bmkmdk32.exe Bioqclil.exe File created C:\Windows\SysWOW64\Eimofi32.dll Gdniqh32.exe File created C:\Windows\SysWOW64\Lnpbep32.dll Jqdipqbp.exe File created C:\Windows\SysWOW64\Cddaphkn.exe Cnkicn32.exe File created C:\Windows\SysWOW64\Befkmkob.dll Abhimnma.exe File opened for modification C:\Windows\SysWOW64\Bioqclil.exe Bfadgq32.exe File opened for modification C:\Windows\SysWOW64\Gbaileio.exe Gdniqh32.exe File created C:\Windows\SysWOW64\Cngcjo32.exe Cjlgiqbk.exe File opened for modification C:\Windows\SysWOW64\Nacgdhlp.exe Nnhkcj32.exe File created C:\Windows\SysWOW64\Kpeliikc.dll Abbbnchb.exe File created C:\Windows\SysWOW64\Egqdeaqb.dll Dhpiojfb.exe File created C:\Windows\SysWOW64\Eeieql32.dll Kgcpjmcb.exe File created C:\Windows\SysWOW64\Kifjcn32.dll Fbgmbg32.exe File opened for modification C:\Windows\SysWOW64\Bblogakg.exe Boqbfb32.exe File created C:\Windows\SysWOW64\Alegac32.exe Adnopfoj.exe File created C:\Windows\SysWOW64\Ampehe32.dll Ejmebq32.exe File created C:\Windows\SysWOW64\Lkebie32.dll Beehencq.exe File created C:\Windows\SysWOW64\Fpcqaf32.exe Fglipi32.exe File created C:\Windows\SysWOW64\Aedeic32.dll Ikfmfi32.exe File opened for modification C:\Windows\SysWOW64\Eqonkmdh.exe Emcbkn32.exe File created C:\Windows\SysWOW64\Blgpef32.exe Bhkdeggl.exe File opened for modification C:\Windows\SysWOW64\Hpefdl32.exe Hmfjha32.exe File created C:\Windows\SysWOW64\Ipjcbn32.dll Ljmlbfhi.exe File created C:\Windows\SysWOW64\Lbeknj32.exe Llkbap32.exe File opened for modification C:\Windows\SysWOW64\Dogefd32.exe Dpeekh32.exe File created C:\Windows\SysWOW64\Fljdpbcc.dll Nglfapnl.exe File created C:\Windows\SysWOW64\Enfenplo.exe Ekhhadmk.exe File opened for modification C:\Windows\SysWOW64\Eplkpgnh.exe Eqijej32.exe File created C:\Windows\SysWOW64\Hhehek32.exe Hdildlie.exe File created C:\Windows\SysWOW64\Mocaac32.dll Bopicc32.exe File opened for modification C:\Windows\SysWOW64\Fmhheqje.exe Ffnphf32.exe File created C:\Windows\SysWOW64\Hiekid32.exe Hdhbam32.exe File created C:\Windows\SysWOW64\Apbfblll.dll Lfmffhde.exe File created C:\Windows\SysWOW64\Maedhd32.exe Mmihhelk.exe File created C:\Windows\SysWOW64\Ipghqomc.dll Ankdiqih.exe File opened for modification C:\Windows\SysWOW64\Ebedndfa.exe Enihne32.exe File created C:\Windows\SysWOW64\Mledlaqd.dll Dfffnn32.exe File opened for modification C:\Windows\SysWOW64\Ednpej32.exe Eqbddk32.exe File created C:\Windows\SysWOW64\Jfoagoic.dll Kjfjbdle.exe File created C:\Windows\SysWOW64\Dchali32.exe Ddeaalpg.exe File created C:\Windows\SysWOW64\Naoniipe.exe Noqamn32.exe File created C:\Windows\SysWOW64\Ipllekdl.exe Iheddndj.exe File created C:\Windows\SysWOW64\Qocjhb32.dll Kmefooki.exe File created C:\Windows\SysWOW64\Jmbckb32.dll Ndjfeo32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mppepcfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjadmnic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kckmmp32.dll" Aehboi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmikibio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oenifh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibmmd32.dll" Hipkdnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhhaff32.dll" Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iklefg32.dll" Abmibdlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdphdj.dll" Claifkkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhmcfkme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnajilng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edkcojga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofhick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll" Eqdajkkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eplkpgnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cciemedf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epaogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aghcamqb.dll" Fjmaaddo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adjigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncjqhmkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhiffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejmmiihp.dll" Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" Hcplhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeced32.dll" Djnpnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeqdep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbllihbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adpkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefmambf.dll" Dqjepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hicodd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ombapedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhneehek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmaqpohl.dll" Ganpomec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nekbmgcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dngoibmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebgacddo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcgogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbkameaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nenobfak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiellh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epaogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkakief.dll" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinekb32.dll" Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombhbhel.dll" Mieeibkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnkng32.dll" Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olkbjhpi.dll" Chnqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfknbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chemfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaagb32.dll" Mpmapm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naimccpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmlnoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpgfki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdcnhnl.dll" Jjbpgd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2420 wrote to memory of 2112 2420 de1c5b59010e912f48e8dc0086d7fad0_NEIKI.exe 28 PID 2420 wrote to memory of 2112 2420 de1c5b59010e912f48e8dc0086d7fad0_NEIKI.exe 28 PID 2420 wrote to memory of 2112 2420 de1c5b59010e912f48e8dc0086d7fad0_NEIKI.exe 28 PID 2420 wrote to memory of 2112 2420 de1c5b59010e912f48e8dc0086d7fad0_NEIKI.exe 28 PID 2112 wrote to memory of 1756 2112 Ofdcjm32.exe 29 PID 2112 wrote to memory of 1756 2112 Ofdcjm32.exe 29 PID 2112 wrote to memory of 1756 2112 Ofdcjm32.exe 29 PID 2112 wrote to memory of 1756 2112 Ofdcjm32.exe 29 PID 1756 wrote to memory of 2692 1756 Onphoo32.exe 30 PID 1756 wrote to memory of 2692 1756 Onphoo32.exe 30 PID 1756 wrote to memory of 2692 1756 Onphoo32.exe 30 PID 1756 wrote to memory of 2692 1756 Onphoo32.exe 30 PID 2692 wrote to memory of 2084 2692 Odjpkihg.exe 31 PID 2692 wrote to memory of 2084 2692 Odjpkihg.exe 31 PID 2692 wrote to memory of 2084 2692 Odjpkihg.exe 31 PID 2692 wrote to memory of 2084 2692 Odjpkihg.exe 31 PID 2084 wrote to memory of 2500 2084 Oiellh32.exe 32 PID 2084 wrote to memory of 2500 2084 Oiellh32.exe 32 PID 2084 wrote to memory of 2500 2084 Oiellh32.exe 32 PID 2084 wrote to memory of 2500 2084 Oiellh32.exe 32 PID 2500 wrote to memory of 2472 2500 Oghlgdgk.exe 33 PID 2500 wrote to memory of 2472 2500 Oghlgdgk.exe 33 PID 2500 wrote to memory of 2472 2500 Oghlgdgk.exe 33 PID 2500 wrote to memory of 2472 2500 Oghlgdgk.exe 33 PID 2472 wrote to memory of 3008 2472 Ojficpfn.exe 34 PID 2472 wrote to memory of 3008 2472 Ojficpfn.exe 34 PID 2472 wrote to memory of 3008 2472 Ojficpfn.exe 34 PID 2472 wrote to memory of 3008 2472 Ojficpfn.exe 34 PID 3008 wrote to memory of 2836 3008 Obnqem32.exe 35 PID 3008 wrote to memory of 2836 3008 Obnqem32.exe 35 PID 3008 wrote to memory of 2836 3008 Obnqem32.exe 35 PID 3008 wrote to memory of 2836 3008 Obnqem32.exe 35 PID 2836 wrote to memory of 2936 2836 Oelmai32.exe 36 PID 2836 wrote to memory of 2936 2836 Oelmai32.exe 36 PID 2836 wrote to memory of 2936 2836 Oelmai32.exe 36 PID 2836 wrote to memory of 2936 2836 Oelmai32.exe 36 PID 2936 wrote to memory of 884 2936 Okfencna.exe 37 PID 2936 wrote to memory of 884 2936 Okfencna.exe 37 PID 2936 wrote to memory of 884 2936 Okfencna.exe 37 PID 2936 wrote to memory of 884 2936 Okfencna.exe 37 PID 884 wrote to memory of 2764 884 Ojieip32.exe 38 PID 884 wrote to memory of 2764 884 Ojieip32.exe 38 PID 884 wrote to memory of 2764 884 Ojieip32.exe 38 PID 884 wrote to memory of 2764 884 Ojieip32.exe 38 PID 2764 wrote to memory of 2520 2764 Omgaek32.exe 39 PID 2764 wrote to memory of 2520 2764 Omgaek32.exe 39 PID 2764 wrote to memory of 2520 2764 Omgaek32.exe 39 PID 2764 wrote to memory of 2520 2764 Omgaek32.exe 39 PID 2520 wrote to memory of 824 2520 Oenifh32.exe 40 PID 2520 wrote to memory of 824 2520 Oenifh32.exe 40 PID 2520 wrote to memory of 824 2520 Oenifh32.exe 40 PID 2520 wrote to memory of 824 2520 Oenifh32.exe 40 PID 824 wrote to memory of 1420 824 Ogmfbd32.exe 41 PID 824 wrote to memory of 1420 824 Ogmfbd32.exe 41 PID 824 wrote to memory of 1420 824 Ogmfbd32.exe 41 PID 824 wrote to memory of 1420 824 Ogmfbd32.exe 41 PID 1420 wrote to memory of 2036 1420 Ojkboo32.exe 42 PID 1420 wrote to memory of 2036 1420 Ojkboo32.exe 42 PID 1420 wrote to memory of 2036 1420 Ojkboo32.exe 42 PID 1420 wrote to memory of 2036 1420 Ojkboo32.exe 42 PID 2036 wrote to memory of 1172 2036 Ongnonkb.exe 43 PID 2036 wrote to memory of 1172 2036 Ongnonkb.exe 43 PID 2036 wrote to memory of 1172 2036 Ongnonkb.exe 43 PID 2036 wrote to memory of 1172 2036 Ongnonkb.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\de1c5b59010e912f48e8dc0086d7fad0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\de1c5b59010e912f48e8dc0086d7fad0_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1172 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:560 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:632 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe33⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe34⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe36⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe37⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe38⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe39⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe41⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe42⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe45⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe48⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe49⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe52⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe53⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe56⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe58⤵
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe59⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe61⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe62⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe63⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe65⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2140 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe67⤵PID:548
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe68⤵PID:2672
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe69⤵PID:2844
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe71⤵PID:1080
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe72⤵PID:2296
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe73⤵PID:2808
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe74⤵PID:1656
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe75⤵PID:788
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe76⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe77⤵PID:2640
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe78⤵PID:2300
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe79⤵PID:2668
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe80⤵PID:2244
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe81⤵PID:1356
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe82⤵PID:2600
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe83⤵PID:2624
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe84⤵
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe85⤵PID:2664
-
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe86⤵PID:2436
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe87⤵PID:344
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe88⤵PID:2292
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe89⤵PID:2116
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe90⤵PID:1084
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe91⤵PID:1288
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe92⤵PID:2688
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe93⤵PID:2908
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:924 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe95⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1628 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe97⤵PID:2340
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe98⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe99⤵
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe100⤵PID:2684
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe101⤵PID:2736
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe102⤵PID:2444
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe103⤵PID:3000
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe104⤵PID:1076
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe105⤵PID:2700
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe106⤵PID:2896
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe107⤵PID:2984
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe108⤵PID:3004
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe109⤵
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe110⤵PID:2508
-
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe111⤵
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe112⤵PID:2728
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe113⤵PID:324
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe114⤵
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe115⤵
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe116⤵PID:2136
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe117⤵PID:1976
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe118⤵PID:2108
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe119⤵PID:1424
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe120⤵PID:2132
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe121⤵PID:2820
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe122⤵PID:2476
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-