Analysis
-
max time kernel
125s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 03:24
Behavioral task
behavioral1
Sample
de562345718da687c8db0feebea79450_NEIKI.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
de562345718da687c8db0feebea79450_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
de562345718da687c8db0feebea79450_NEIKI.exe
-
Size
1.5MB
-
MD5
de562345718da687c8db0feebea79450
-
SHA1
25befa2069c77df34c2ddf8adad4b159c46e903b
-
SHA256
e00d2fc361fcace63a761e8a9925eb513916a0ce8e63d9bce9a2b5f920896f48
-
SHA512
2e4033d7ca9245e9ba9ba799cd7d7ba88d93444e45a81d21730ec01a9ea88ce24e46e16fc4dafba51b0cda5593586f5de84c4855167206667ba4a5cc21ae8c11
-
SSDEEP
24576:uNDT4Ph2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3oWtec+fwv4cXce:CSbazR0vKLXZnec+Yv4cXcy6l6mFndwn
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjoppf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibaeen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onocomdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpaihooo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhnikc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahmjjoig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbnaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbfmgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfolacnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoalgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gejhef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhifomdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oldjcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgnbdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnlmhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eofgpikj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcnmin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnknafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fngcmcfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amnlme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeelnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhpofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgqfdnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hiipmhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opclldhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhkdmlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekbjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fiodpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbjena32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhgkmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgnffj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daeifj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lindkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpedeiff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eppjfgcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepaaico.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddkbmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klpakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbkfbcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oalipoiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coqncejg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lomjicei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkohaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfgipd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmcjpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamamcop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckggnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmimai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfnqmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khbiello.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meepdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahgcjddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbagbebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdmoafdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nabfjpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekaapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adkqoohc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilibdmgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jafdcbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klekfinp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgehfkop.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0009000000023547-6.dat family_berbew behavioral2/files/0x000800000002354d-14.dat family_berbew behavioral2/files/0x000700000002354f-23.dat family_berbew behavioral2/files/0x0007000000023551-30.dat family_berbew behavioral2/files/0x0007000000023553-38.dat family_berbew behavioral2/files/0x0007000000023555-46.dat family_berbew behavioral2/files/0x000800000002354b-56.dat family_berbew behavioral2/files/0x0007000000023558-64.dat family_berbew behavioral2/files/0x000700000002355e-87.dat family_berbew behavioral2/files/0x0007000000023560-94.dat family_berbew behavioral2/files/0x000700000002355c-79.dat family_berbew behavioral2/files/0x0007000000023562-103.dat family_berbew behavioral2/files/0x000700000002356c-138.dat family_berbew behavioral2/files/0x0007000000023570-152.dat family_berbew behavioral2/files/0x000700000002357c-193.dat family_berbew behavioral2/files/0x0007000000023580-208.dat family_berbew behavioral2/files/0x0007000000023586-228.dat family_berbew behavioral2/files/0x0007000000023647-821.dat family_berbew behavioral2/files/0x0007000000023650-844.dat family_berbew behavioral2/files/0x00080000000232f4-852.dat family_berbew behavioral2/files/0x0007000000023657-869.dat family_berbew behavioral2/files/0x000700000002365b-881.dat family_berbew behavioral2/files/0x000700000002366b-928.dat family_berbew behavioral2/files/0x0007000000023675-959.dat family_berbew behavioral2/files/0x0007000000023681-995.dat family_berbew behavioral2/files/0x0007000000023685-1006.dat family_berbew behavioral2/files/0x0007000000023689-1020.dat family_berbew behavioral2/files/0x0007000000023697-1061.dat family_berbew behavioral2/files/0x000700000002369b-1072.dat family_berbew behavioral2/files/0x000700000002369d-1080.dat family_berbew behavioral2/files/0x0007000000023588-236.dat family_berbew behavioral2/files/0x0007000000023584-222.dat family_berbew behavioral2/files/0x0007000000023582-215.dat family_berbew behavioral2/files/0x000700000002357e-201.dat family_berbew behavioral2/files/0x000700000002357a-187.dat family_berbew behavioral2/files/0x0007000000023578-180.dat family_berbew behavioral2/files/0x0007000000023576-173.dat family_berbew behavioral2/files/0x0007000000023574-166.dat family_berbew behavioral2/files/0x0007000000023572-159.dat family_berbew behavioral2/files/0x000700000002356e-145.dat family_berbew behavioral2/files/0x000700000002356a-131.dat family_berbew behavioral2/files/0x0007000000023568-124.dat family_berbew behavioral2/files/0x0007000000023566-117.dat family_berbew behavioral2/files/0x0007000000023564-110.dat family_berbew behavioral2/files/0x000700000002355a-71.dat family_berbew behavioral2/files/0x000800000002354b-49.dat family_berbew behavioral2/files/0x00070000000236af-1134.dat family_berbew behavioral2/files/0x00070000000236b7-1157.dat family_berbew behavioral2/files/0x00070000000236c5-1199.dat family_berbew behavioral2/files/0x00070000000236c9-1211.dat family_berbew behavioral2/files/0x00070000000236d1-1238.dat family_berbew behavioral2/files/0x00070000000236d9-1266.dat family_berbew behavioral2/files/0x00070000000236df-1287.dat family_berbew behavioral2/files/0x00070000000236e3-1300.dat family_berbew behavioral2/files/0x00070000000236eb-1326.dat family_berbew behavioral2/files/0x00070000000236f9-1374.dat family_berbew behavioral2/files/0x0007000000023705-1415.dat family_berbew behavioral2/files/0x000700000002370b-1434.dat family_berbew behavioral2/files/0x0007000000023727-1528.dat family_berbew behavioral2/files/0x000700000002372f-1556.dat family_berbew behavioral2/files/0x000700000002373d-1603.dat family_berbew behavioral2/files/0x0007000000023745-1631.dat family_berbew behavioral2/files/0x0007000000023747-1639.dat family_berbew behavioral2/files/0x000700000002374b-1652.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4804 Jnlbojee.exe 2012 Kggcnoic.exe 3212 Kqphfe32.exe 5044 Kcbnnpka.exe 3408 Lgqfdnah.exe 3292 Lmmolepp.exe 1392 Ldipha32.exe 868 Lkchelci.exe 4752 Lmdemd32.exe 4200 Lcnmin32.exe 2220 Ljhefhha.exe 4632 Lenicahg.exe 3068 Mnfnlf32.exe 2416 Mgobel32.exe 4836 Mjmoag32.exe 4676 Mmkkmc32.exe 4424 Mebcop32.exe 2076 Mgaokl32.exe 1920 Mjokgg32.exe 3112 Mmnhcb32.exe 3064 Meepdp32.exe 4580 Mgclpkac.exe 3648 Mkohaj32.exe 2124 Mmpdhboj.exe 3816 Megljppl.exe 1344 Mgehfkop.exe 1756 Mjdebfnd.exe 3592 Mmbanbmg.exe 3320 Nclikl32.exe 2384 Nlcalieg.exe 1168 Nnbnhedj.exe 1012 Nelfeo32.exe 4376 Nlfnaicd.exe 1720 Nndjndbh.exe 3524 Nabfjpak.exe 2036 Ncabfkqo.exe 1692 Nlhkgi32.exe 3940 Nnfgcd32.exe 3848 Naecop32.exe 2948 Nccokk32.exe 3040 Nlkgmh32.exe 4060 Nmlddqem.exe 3228 Neclenfo.exe 2372 Nhahaiec.exe 2516 Njpdnedf.exe 2768 Nmnqjp32.exe 3504 Odhifjkg.exe 3544 Oloahhki.exe 4092 Onnmdcjm.exe 880 Oalipoiq.exe 888 Odjeljhd.exe 4308 Olanmgig.exe 2368 Onpjichj.exe 5152 Oanfen32.exe 5188 Odmbaj32.exe 5224 Oldjcg32.exe 5260 Oobfob32.exe 5300 Oaqbkn32.exe 5332 Odoogi32.exe 5368 Olfghg32.exe 5408 Oodcdb32.exe 5444 Oacoqnci.exe 5476 Odalmibl.exe 5512 Olicnfco.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qaalblgi.exe Pkgcea32.exe File created C:\Windows\SysWOW64\Bkjiao32.exe Bhkmec32.exe File created C:\Windows\SysWOW64\Dnmhpg32.exe Dmlkhofd.exe File created C:\Windows\SysWOW64\Ckcdlpbd.dll Fbdehlip.exe File created C:\Windows\SysWOW64\Aanfno32.dll Ihdldn32.exe File opened for modification C:\Windows\SysWOW64\Qbonoghb.exe Pmbegqjk.exe File opened for modification C:\Windows\SysWOW64\Kggcnoic.exe Jnlbojee.exe File opened for modification C:\Windows\SysWOW64\Gidnkkpc.exe Fbjena32.exe File opened for modification C:\Windows\SysWOW64\Jpaekqhh.exe Jghpbk32.exe File opened for modification C:\Windows\SysWOW64\Knqepc32.exe Keimof32.exe File created C:\Windows\SysWOW64\Geoapenf.exe Gpaihooo.exe File created C:\Windows\SysWOW64\Ilibdmgp.exe Ibqnkh32.exe File created C:\Windows\SysWOW64\Qbonoghb.exe Pmbegqjk.exe File created C:\Windows\SysWOW64\Nmcpoedn.exe Nfihbk32.exe File created C:\Windows\SysWOW64\Cpdfhgmd.dll Mgehfkop.exe File opened for modification C:\Windows\SysWOW64\Bhkmec32.exe Baadiiif.exe File created C:\Windows\SysWOW64\Ljqhkckn.exe Lqhdbm32.exe File created C:\Windows\SysWOW64\Npldbgic.dll Mqdcnl32.exe File created C:\Windows\SysWOW64\Ffeifdjo.dll Fganqbgg.exe File opened for modification C:\Windows\SysWOW64\Koajmepf.exe Klbnajqc.exe File created C:\Windows\SysWOW64\Likhem32.exe Kofdhd32.exe File opened for modification C:\Windows\SysWOW64\Cdmoafdb.exe Cdjblf32.exe File opened for modification C:\Windows\SysWOW64\Kqphfe32.exe Kggcnoic.exe File created C:\Windows\SysWOW64\Pfkbfh32.dll Aefjii32.exe File created C:\Windows\SysWOW64\Mhjmpfcl.dll Dmennnni.exe File created C:\Windows\SysWOW64\Hiaafn32.dll Gfjkjo32.exe File created C:\Windows\SysWOW64\Iooogokm.dll Kgnbdh32.exe File opened for modification C:\Windows\SysWOW64\Lomjicei.exe Lhcali32.exe File created C:\Windows\SysWOW64\Nlfcoqpl.dll Megljppl.exe File created C:\Windows\SysWOW64\Dnpdegjp.exe Dhclmp32.exe File created C:\Windows\SysWOW64\Hjcakafa.dll Lakfeodm.exe File created C:\Windows\SysWOW64\Fohhdm32.dll Ccblbb32.exe File created C:\Windows\SysWOW64\Mgehfkop.exe Megljppl.exe File opened for modification C:\Windows\SysWOW64\Oalipoiq.exe Onnmdcjm.exe File created C:\Windows\SysWOW64\Ddjmba32.exe Dnpdegjp.exe File created C:\Windows\SysWOW64\Coegoe32.exe Cnfkdb32.exe File created C:\Windows\SysWOW64\Plgdqf32.dll Fofilp32.exe File created C:\Windows\SysWOW64\Dcoffg32.dll Paelfmaf.exe File created C:\Windows\SysWOW64\Bjqlnnkp.dll Emhkdmlg.exe File created C:\Windows\SysWOW64\Amdcghbo.dll Jepjhg32.exe File created C:\Windows\SysWOW64\Lcclncbh.exe Likhem32.exe File created C:\Windows\SysWOW64\Fegbnohh.dll Lpochfji.exe File opened for modification C:\Windows\SysWOW64\Ekaapi32.exe Eehicoel.exe File created C:\Windows\SysWOW64\Gkjcgjio.dll Jpaekqhh.exe File created C:\Windows\SysWOW64\Gddedlaq.dll Kjlopc32.exe File created C:\Windows\SysWOW64\Hioflcbj.exe Hahokfag.exe File opened for modification C:\Windows\SysWOW64\Mcoljagj.exe Mjggal32.exe File created C:\Windows\SysWOW64\Ilnjmilq.dll Mpeiie32.exe File created C:\Windows\SysWOW64\Holpib32.dll Oqklkbbi.exe File created C:\Windows\SysWOW64\Pajeam32.exe Poliea32.exe File opened for modification C:\Windows\SysWOW64\Bepmoh32.exe Bnhenj32.exe File opened for modification C:\Windows\SysWOW64\Mqimikfj.exe Mcelpggq.exe File created C:\Windows\SysWOW64\Biklho32.exe Bbaclegm.exe File created C:\Windows\SysWOW64\Kqkplq32.dll Omfekbdh.exe File created C:\Windows\SysWOW64\Paelfmaf.exe Oogpjbbb.exe File opened for modification C:\Windows\SysWOW64\Alnfpcag.exe Adfnofpd.exe File opened for modification C:\Windows\SysWOW64\Aolblopj.exe Alnfpcag.exe File opened for modification C:\Windows\SysWOW64\Bebjdgmj.exe Bnkbcj32.exe File created C:\Windows\SysWOW64\Eiokinbk.exe Ebdcld32.exe File opened for modification C:\Windows\SysWOW64\Fmmmfj32.exe Fnlmhc32.exe File created C:\Windows\SysWOW64\Dllfqd32.dll Dddllkbf.exe File opened for modification C:\Windows\SysWOW64\Qeodhjmo.exe Qoelkp32.exe File created C:\Windows\SysWOW64\Ocdnln32.exe Nmjfodne.exe File opened for modification C:\Windows\SysWOW64\Ocdnln32.exe Nmjfodne.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10716 10560 WerFault.exe 513 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njgqhicg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omfekbdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhcmcm32.dll" Ddjmba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebgpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqkiok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgiiiidd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcfimfi.dll" Phajna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lenicahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmkgk32.dll" Alnfpcag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmlkhofd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Likhem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piocecgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocmhlca.dll" Bapgdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnnhndk.dll" Pdhbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnojho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eqiibjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkgcea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polalahi.dll" Jghpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jghpbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klhnfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfipab32.dll" Eiokinbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjcohke.dll" Jojdlfeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbkfbcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhahaiec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odalmibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmigpf32.dll" Qlgpod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbdehlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapfpelh.dll" Klekfinp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njbgmjgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pakdbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abmjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oacoqnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmcgolla.dll" Gnqfcbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjaei32.dll" Dnonkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lckggdbo.dll" Iahgad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjffpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgaokl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flmqlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cggimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ondljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjokgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmaffnce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bakgoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apjkcadp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcmodajm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpenfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahmjjoig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khblgpag.dll" Dnmhpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjjfdfbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppbddqg.dll" Caqpkjcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnqfcbnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Holfoqcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omalpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abhqefpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Paelfmaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bahkih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajihlijd.dll" Lenicahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilchfdgp.dll" Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lakfeodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekaapi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID de562345718da687c8db0feebea79450_NEIKI.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkohaj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5032 wrote to memory of 4804 5032 de562345718da687c8db0feebea79450_NEIKI.exe 87 PID 5032 wrote to memory of 4804 5032 de562345718da687c8db0feebea79450_NEIKI.exe 87 PID 5032 wrote to memory of 4804 5032 de562345718da687c8db0feebea79450_NEIKI.exe 87 PID 4804 wrote to memory of 2012 4804 Jnlbojee.exe 88 PID 4804 wrote to memory of 2012 4804 Jnlbojee.exe 88 PID 4804 wrote to memory of 2012 4804 Jnlbojee.exe 88 PID 2012 wrote to memory of 3212 2012 Kggcnoic.exe 89 PID 2012 wrote to memory of 3212 2012 Kggcnoic.exe 89 PID 2012 wrote to memory of 3212 2012 Kggcnoic.exe 89 PID 3212 wrote to memory of 5044 3212 Kqphfe32.exe 92 PID 3212 wrote to memory of 5044 3212 Kqphfe32.exe 92 PID 3212 wrote to memory of 5044 3212 Kqphfe32.exe 92 PID 5044 wrote to memory of 3408 5044 Kcbnnpka.exe 93 PID 5044 wrote to memory of 3408 5044 Kcbnnpka.exe 93 PID 5044 wrote to memory of 3408 5044 Kcbnnpka.exe 93 PID 3408 wrote to memory of 3292 3408 Lgqfdnah.exe 95 PID 3408 wrote to memory of 3292 3408 Lgqfdnah.exe 95 PID 3408 wrote to memory of 3292 3408 Lgqfdnah.exe 95 PID 3292 wrote to memory of 1392 3292 Lmmolepp.exe 96 PID 3292 wrote to memory of 1392 3292 Lmmolepp.exe 96 PID 3292 wrote to memory of 1392 3292 Lmmolepp.exe 96 PID 1392 wrote to memory of 868 1392 Ldipha32.exe 97 PID 1392 wrote to memory of 868 1392 Ldipha32.exe 97 PID 1392 wrote to memory of 868 1392 Ldipha32.exe 97 PID 868 wrote to memory of 4752 868 Lkchelci.exe 98 PID 868 wrote to memory of 4752 868 Lkchelci.exe 98 PID 868 wrote to memory of 4752 868 Lkchelci.exe 98 PID 4752 wrote to memory of 4200 4752 Lmdemd32.exe 99 PID 4752 wrote to memory of 4200 4752 Lmdemd32.exe 99 PID 4752 wrote to memory of 4200 4752 Lmdemd32.exe 99 PID 4200 wrote to memory of 2220 4200 Lcnmin32.exe 100 PID 4200 wrote to memory of 2220 4200 Lcnmin32.exe 100 PID 4200 wrote to memory of 2220 4200 Lcnmin32.exe 100 PID 2220 wrote to memory of 4632 2220 Ljhefhha.exe 101 PID 2220 wrote to memory of 4632 2220 Ljhefhha.exe 101 PID 2220 wrote to memory of 4632 2220 Ljhefhha.exe 101 PID 4632 wrote to memory of 3068 4632 Lenicahg.exe 102 PID 4632 wrote to memory of 3068 4632 Lenicahg.exe 102 PID 4632 wrote to memory of 3068 4632 Lenicahg.exe 102 PID 3068 wrote to memory of 2416 3068 Mnfnlf32.exe 103 PID 3068 wrote to memory of 2416 3068 Mnfnlf32.exe 103 PID 3068 wrote to memory of 2416 3068 Mnfnlf32.exe 103 PID 2416 wrote to memory of 4836 2416 Mgobel32.exe 104 PID 2416 wrote to memory of 4836 2416 Mgobel32.exe 104 PID 2416 wrote to memory of 4836 2416 Mgobel32.exe 104 PID 4836 wrote to memory of 4676 4836 Mjmoag32.exe 105 PID 4836 wrote to memory of 4676 4836 Mjmoag32.exe 105 PID 4836 wrote to memory of 4676 4836 Mjmoag32.exe 105 PID 4676 wrote to memory of 4424 4676 Mmkkmc32.exe 106 PID 4676 wrote to memory of 4424 4676 Mmkkmc32.exe 106 PID 4676 wrote to memory of 4424 4676 Mmkkmc32.exe 106 PID 4424 wrote to memory of 2076 4424 Mebcop32.exe 107 PID 4424 wrote to memory of 2076 4424 Mebcop32.exe 107 PID 4424 wrote to memory of 2076 4424 Mebcop32.exe 107 PID 2076 wrote to memory of 1920 2076 Mgaokl32.exe 108 PID 2076 wrote to memory of 1920 2076 Mgaokl32.exe 108 PID 2076 wrote to memory of 1920 2076 Mgaokl32.exe 108 PID 1920 wrote to memory of 3112 1920 Mjokgg32.exe 109 PID 1920 wrote to memory of 3112 1920 Mjokgg32.exe 109 PID 1920 wrote to memory of 3112 1920 Mjokgg32.exe 109 PID 3112 wrote to memory of 3064 3112 Mmnhcb32.exe 110 PID 3112 wrote to memory of 3064 3112 Mmnhcb32.exe 110 PID 3112 wrote to memory of 3064 3112 Mmnhcb32.exe 110 PID 3064 wrote to memory of 4580 3064 Meepdp32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\de562345718da687c8db0feebea79450_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\de562345718da687c8db0feebea79450_NEIKI.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Kqphfe32.exeC:\Windows\system32\Kqphfe32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Lgqfdnah.exeC:\Windows\system32\Lgqfdnah.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\Lmmolepp.exeC:\Windows\system32\Lmmolepp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\Ldipha32.exeC:\Windows\system32\Ldipha32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Lkchelci.exeC:\Windows\system32\Lkchelci.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Lmdemd32.exeC:\Windows\system32\Lmdemd32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Lcnmin32.exeC:\Windows\system32\Lcnmin32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Ljhefhha.exeC:\Windows\system32\Ljhefhha.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Lenicahg.exeC:\Windows\system32\Lenicahg.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Mnfnlf32.exeC:\Windows\system32\Mnfnlf32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Mgobel32.exeC:\Windows\system32\Mgobel32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Mjmoag32.exeC:\Windows\system32\Mjmoag32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Mmkkmc32.exeC:\Windows\system32\Mmkkmc32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Mmnhcb32.exeC:\Windows\system32\Mmnhcb32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Mgclpkac.exeC:\Windows\system32\Mgclpkac.exe23⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Mkohaj32.exeC:\Windows\system32\Mkohaj32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3648 -
C:\Windows\SysWOW64\Mmpdhboj.exeC:\Windows\system32\Mmpdhboj.exe25⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Megljppl.exeC:\Windows\system32\Megljppl.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3816 -
C:\Windows\SysWOW64\Mgehfkop.exeC:\Windows\system32\Mgehfkop.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe28⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Mmbanbmg.exeC:\Windows\system32\Mmbanbmg.exe29⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe30⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Nlcalieg.exeC:\Windows\system32\Nlcalieg.exe31⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe32⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Nelfeo32.exeC:\Windows\system32\Nelfeo32.exe33⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Nlfnaicd.exeC:\Windows\system32\Nlfnaicd.exe34⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Nndjndbh.exeC:\Windows\system32\Nndjndbh.exe35⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Nabfjpak.exeC:\Windows\system32\Nabfjpak.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Ncabfkqo.exeC:\Windows\system32\Ncabfkqo.exe37⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Nlhkgi32.exeC:\Windows\system32\Nlhkgi32.exe38⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Nnfgcd32.exeC:\Windows\system32\Nnfgcd32.exe39⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Naecop32.exeC:\Windows\system32\Naecop32.exe40⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Nccokk32.exeC:\Windows\system32\Nccokk32.exe41⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Nlkgmh32.exeC:\Windows\system32\Nlkgmh32.exe42⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Nmlddqem.exeC:\Windows\system32\Nmlddqem.exe43⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Neclenfo.exeC:\Windows\system32\Neclenfo.exe44⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Nhahaiec.exeC:\Windows\system32\Nhahaiec.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Njpdnedf.exeC:\Windows\system32\Njpdnedf.exe46⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Nmnqjp32.exeC:\Windows\system32\Nmnqjp32.exe47⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Odhifjkg.exeC:\Windows\system32\Odhifjkg.exe48⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Oloahhki.exeC:\Windows\system32\Oloahhki.exe49⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Onnmdcjm.exeC:\Windows\system32\Onnmdcjm.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4092 -
C:\Windows\SysWOW64\Oalipoiq.exeC:\Windows\system32\Oalipoiq.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Odjeljhd.exeC:\Windows\system32\Odjeljhd.exe52⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Olanmgig.exeC:\Windows\system32\Olanmgig.exe53⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Onpjichj.exeC:\Windows\system32\Onpjichj.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Oanfen32.exeC:\Windows\system32\Oanfen32.exe55⤵
- Executes dropped EXE
PID:5152 -
C:\Windows\SysWOW64\Odmbaj32.exeC:\Windows\system32\Odmbaj32.exe56⤵
- Executes dropped EXE
PID:5188 -
C:\Windows\SysWOW64\Oldjcg32.exeC:\Windows\system32\Oldjcg32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5224 -
C:\Windows\SysWOW64\Oobfob32.exeC:\Windows\system32\Oobfob32.exe58⤵
- Executes dropped EXE
PID:5260 -
C:\Windows\SysWOW64\Oaqbkn32.exeC:\Windows\system32\Oaqbkn32.exe59⤵
- Executes dropped EXE
PID:5300 -
C:\Windows\SysWOW64\Odoogi32.exeC:\Windows\system32\Odoogi32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5332 -
C:\Windows\SysWOW64\Olfghg32.exeC:\Windows\system32\Olfghg32.exe61⤵
- Executes dropped EXE
PID:5368 -
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe62⤵
- Executes dropped EXE
PID:5408 -
C:\Windows\SysWOW64\Oacoqnci.exeC:\Windows\system32\Oacoqnci.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:5444 -
C:\Windows\SysWOW64\Odalmibl.exeC:\Windows\system32\Odalmibl.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:5476 -
C:\Windows\SysWOW64\Olicnfco.exeC:\Windows\system32\Olicnfco.exe65⤵
- Executes dropped EXE
PID:5512 -
C:\Windows\SysWOW64\Oogpjbbb.exeC:\Windows\system32\Oogpjbbb.exe66⤵
- Drops file in System32 directory
PID:5548 -
C:\Windows\SysWOW64\Paelfmaf.exeC:\Windows\system32\Paelfmaf.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:5588 -
C:\Windows\SysWOW64\Pddhbipj.exeC:\Windows\system32\Pddhbipj.exe68⤵PID:5620
-
C:\Windows\SysWOW64\Plkpcfal.exeC:\Windows\system32\Plkpcfal.exe69⤵PID:5660
-
C:\Windows\SysWOW64\Poimpapp.exeC:\Windows\system32\Poimpapp.exe70⤵PID:5696
-
C:\Windows\SysWOW64\Pahilmoc.exeC:\Windows\system32\Pahilmoc.exe71⤵PID:5728
-
C:\Windows\SysWOW64\Pdfehh32.exeC:\Windows\system32\Pdfehh32.exe72⤵PID:5764
-
C:\Windows\SysWOW64\Plmmif32.exeC:\Windows\system32\Plmmif32.exe73⤵PID:5804
-
C:\Windows\SysWOW64\Poliea32.exeC:\Windows\system32\Poliea32.exe74⤵
- Drops file in System32 directory
PID:5836 -
C:\Windows\SysWOW64\Pajeam32.exeC:\Windows\system32\Pajeam32.exe75⤵PID:5872
-
C:\Windows\SysWOW64\Pdhbmh32.exeC:\Windows\system32\Pdhbmh32.exe76⤵
- Modifies registry class
PID:5908 -
C:\Windows\SysWOW64\Plpjoe32.exeC:\Windows\system32\Plpjoe32.exe77⤵PID:5944
-
C:\Windows\SysWOW64\Pmaffnce.exeC:\Windows\system32\Pmaffnce.exe78⤵
- Modifies registry class
PID:5980 -
C:\Windows\SysWOW64\Palbgl32.exeC:\Windows\system32\Palbgl32.exe79⤵PID:6016
-
C:\Windows\SysWOW64\Phfjcf32.exeC:\Windows\system32\Phfjcf32.exe80⤵PID:6052
-
C:\Windows\SysWOW64\Pkegpb32.exeC:\Windows\system32\Pkegpb32.exe81⤵PID:6088
-
C:\Windows\SysWOW64\Paoollik.exeC:\Windows\system32\Paoollik.exe82⤵PID:6124
-
C:\Windows\SysWOW64\Phigif32.exeC:\Windows\system32\Phigif32.exe83⤵PID:2080
-
C:\Windows\SysWOW64\Pkgcea32.exeC:\Windows\system32\Pkgcea32.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:1412 -
C:\Windows\SysWOW64\Qaalblgi.exeC:\Windows\system32\Qaalblgi.exe85⤵
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe86⤵PID:896
-
C:\Windows\SysWOW64\Qlgpod32.exeC:\Windows\system32\Qlgpod32.exe87⤵
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Qoelkp32.exeC:\Windows\system32\Qoelkp32.exe88⤵
- Drops file in System32 directory
PID:5128 -
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe89⤵PID:5184
-
C:\Windows\SysWOW64\Qhmqdemc.exeC:\Windows\system32\Qhmqdemc.exe90⤵PID:5252
-
C:\Windows\SysWOW64\Aogiap32.exeC:\Windows\system32\Aogiap32.exe91⤵PID:5320
-
C:\Windows\SysWOW64\Aeaanjkl.exeC:\Windows\system32\Aeaanjkl.exe92⤵PID:4660
-
C:\Windows\SysWOW64\Ahpmjejp.exeC:\Windows\system32\Ahpmjejp.exe93⤵PID:5452
-
C:\Windows\SysWOW64\Aknifq32.exeC:\Windows\system32\Aknifq32.exe94⤵PID:5496
-
C:\Windows\SysWOW64\Anmfbl32.exeC:\Windows\system32\Anmfbl32.exe95⤵PID:5568
-
C:\Windows\SysWOW64\Adfnofpd.exeC:\Windows\system32\Adfnofpd.exe96⤵
- Drops file in System32 directory
PID:5616 -
C:\Windows\SysWOW64\Alnfpcag.exeC:\Windows\system32\Alnfpcag.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:5680 -
C:\Windows\SysWOW64\Aolblopj.exeC:\Windows\system32\Aolblopj.exe98⤵PID:5756
-
C:\Windows\SysWOW64\Aefjii32.exeC:\Windows\system32\Aefjii32.exe99⤵
- Drops file in System32 directory
PID:5812 -
C:\Windows\SysWOW64\Ahdged32.exeC:\Windows\system32\Ahdged32.exe100⤵PID:5860
-
C:\Windows\SysWOW64\Akccap32.exeC:\Windows\system32\Akccap32.exe101⤵PID:5928
-
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe102⤵PID:5976
-
C:\Windows\SysWOW64\Aehgnied.exeC:\Windows\system32\Aehgnied.exe103⤵PID:6040
-
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6108 -
C:\Windows\SysWOW64\Aoalgn32.exeC:\Windows\system32\Aoalgn32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4980 -
C:\Windows\SysWOW64\Aaohcj32.exeC:\Windows\system32\Aaohcj32.exe106⤵PID:1940
-
C:\Windows\SysWOW64\Alelqb32.exeC:\Windows\system32\Alelqb32.exe107⤵PID:5288
-
C:\Windows\SysWOW64\Baadiiif.exeC:\Windows\system32\Baadiiif.exe108⤵
- Drops file in System32 directory
PID:5580 -
C:\Windows\SysWOW64\Bhkmec32.exeC:\Windows\system32\Bhkmec32.exe109⤵
- Drops file in System32 directory
PID:5712 -
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe110⤵PID:5796
-
C:\Windows\SysWOW64\Bnhenj32.exeC:\Windows\system32\Bnhenj32.exe111⤵
- Drops file in System32 directory
PID:5920 -
C:\Windows\SysWOW64\Bepmoh32.exeC:\Windows\system32\Bepmoh32.exe112⤵PID:6012
-
C:\Windows\SysWOW64\Bhnikc32.exeC:\Windows\system32\Bhnikc32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6120 -
C:\Windows\SysWOW64\Bklfgo32.exeC:\Windows\system32\Bklfgo32.exe114⤵PID:1864
-
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe115⤵
- Drops file in System32 directory
PID:6180 -
C:\Windows\SysWOW64\Bebjdgmj.exeC:\Windows\system32\Bebjdgmj.exe116⤵PID:6216
-
C:\Windows\SysWOW64\Bhpfqcln.exeC:\Windows\system32\Bhpfqcln.exe117⤵PID:6252
-
C:\Windows\SysWOW64\Bkobmnka.exeC:\Windows\system32\Bkobmnka.exe118⤵PID:6288
-
C:\Windows\SysWOW64\Bahkih32.exeC:\Windows\system32\Bahkih32.exe119⤵
- Modifies registry class
PID:6324 -
C:\Windows\SysWOW64\Bdgged32.exeC:\Windows\system32\Bdgged32.exe120⤵PID:6360
-
C:\Windows\SysWOW64\Blnoga32.exeC:\Windows\system32\Blnoga32.exe121⤵PID:6396
-
C:\Windows\SysWOW64\Bomkcm32.exeC:\Windows\system32\Bomkcm32.exe122⤵PID:6432
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-