Analysis
-
max time kernel
144s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 03:25
Behavioral task
behavioral1
Sample
de5adca6f1cc86fae3dd296977d10ea0_NEIKI.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
de5adca6f1cc86fae3dd296977d10ea0_NEIKI.exe
Resource
win10v2004-20240426-en
General
-
Target
de5adca6f1cc86fae3dd296977d10ea0_NEIKI.exe
-
Size
384KB
-
MD5
de5adca6f1cc86fae3dd296977d10ea0
-
SHA1
0b68ee67a079bcaa54eb973c1d8d7972b0c25c33
-
SHA256
a02640d9167e8a0a9e806f98f1c0c41bdcc4e9a4447f2b89797b376756eb169c
-
SHA512
b722cf3994f7fd33973bc3df9975a28b2c4e63557bfb989cd711ea8ca62f9fb6e6a2ce8296550e348260b980e3f4bb77b8daca6c26991151a590a68381ee4c52
-
SSDEEP
6144:FLowtcTbjAQzTYaT15f7o+STYaT15fsnoW6B1S6Kvw2fV9rU+Lw6gYviIajJsnI5:F3Mbj3TYapJoTYapbt1S3vwyjrU+LKYY
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bockjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chgoogfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cekohk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgidml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcnnaikp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpaldog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmijbcpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdedo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdcpcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liggbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblngpbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilghlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpikgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfofbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdjfcecp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdcijcke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgmha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pimfep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dokjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aackeqeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoocmoao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnapdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajiknpjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbaipkbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoifcnid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibeql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiikak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cefemliq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dagiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dphifcoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdcpcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgphpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmccchkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbaemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klqcioba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofqpqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmficqpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcedaheh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkgdml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehimanbq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebnoikqb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chghdqbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdehlk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpladg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baaggo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcggpj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmfbjnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdjjckag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpljkdig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjcclf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idofhfmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmncnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfqlnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anfmjhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmapha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkbchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mglack32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhqcam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heocnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcpllo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgnnhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baocghgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boanecla.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0007000000023297-7.dat family_berbew behavioral2/files/0x0007000000023410-15.dat family_berbew behavioral2/files/0x0007000000023412-24.dat family_berbew behavioral2/files/0x0007000000023414-31.dat family_berbew behavioral2/files/0x0007000000023416-40.dat family_berbew behavioral2/files/0x0007000000023418-49.dat family_berbew behavioral2/files/0x000700000002341a-56.dat family_berbew behavioral2/files/0x000700000002341e-71.dat family_berbew behavioral2/files/0x0007000000023422-87.dat family_berbew behavioral2/files/0x0007000000023420-81.dat family_berbew behavioral2/files/0x0007000000023428-106.dat family_berbew behavioral2/files/0x0007000000023428-113.dat family_berbew behavioral2/files/0x000700000002342a-119.dat family_berbew behavioral2/files/0x000700000002342c-128.dat family_berbew behavioral2/files/0x0007000000023430-143.dat family_berbew behavioral2/files/0x0007000000023434-159.dat family_berbew behavioral2/files/0x0007000000023436-167.dat family_berbew behavioral2/files/0x0007000000023438-175.dat family_berbew behavioral2/files/0x0007000000023441-208.dat family_berbew behavioral2/files/0x0007000000023443-216.dat family_berbew behavioral2/files/0x0007000000023448-239.dat family_berbew behavioral2/files/0x000700000002344a-248.dat family_berbew behavioral2/files/0x0007000000023456-282.dat family_berbew behavioral2/files/0x000700000002346a-348.dat family_berbew behavioral2/files/0x0007000000023492-469.dat family_berbew behavioral2/files/0x00070000000234fa-805.dat family_berbew behavioral2/files/0x0007000000023522-936.dat family_berbew behavioral2/files/0x000700000002354a-1071.dat family_berbew behavioral2/files/0x0007000000023594-1314.dat family_berbew behavioral2/files/0x00070000000235a9-1380.dat family_berbew behavioral2/files/0x00070000000235cc-1545.dat family_berbew behavioral2/files/0x000700000002360f-1759.dat family_berbew behavioral2/files/0x000700000002362b-1846.dat family_berbew behavioral2/files/0x000700000002362f-1857.dat family_berbew behavioral2/files/0x0007000000023636-1890.dat family_berbew behavioral2/files/0x0007000000023625-1832.dat family_berbew behavioral2/files/0x000700000002363a-1904.dat family_berbew behavioral2/files/0x000700000002361f-1813.dat family_berbew behavioral2/files/0x0007000000023647-1957.dat family_berbew behavioral2/files/0x000700000002364b-1970.dat family_berbew behavioral2/files/0x0007000000023603-1728.dat family_berbew behavioral2/files/0x0007000000023651-1990.dat family_berbew behavioral2/files/0x00070000000235eb-1647.dat family_berbew behavioral2/files/0x0007000000023655-2003.dat family_berbew behavioral2/files/0x00070000000235e5-1627.dat family_berbew behavioral2/files/0x00070000000235d2-1565.dat family_berbew behavioral2/files/0x000700000002365d-2030.dat family_berbew behavioral2/files/0x0008000000023392-1527.dat family_berbew behavioral2/files/0x00070000000235c7-1481.dat family_berbew behavioral2/files/0x00070000000235b3-1410.dat family_berbew behavioral2/files/0x00070000000235af-1400.dat family_berbew behavioral2/files/0x00070000000235ad-1392.dat family_berbew behavioral2/files/0x0007000000023592-1306.dat family_berbew behavioral2/files/0x000700000002358c-1288.dat family_berbew behavioral2/files/0x0007000000023582-1257.dat family_berbew behavioral2/files/0x000700000002366f-2087.dat family_berbew behavioral2/files/0x000700000002357a-1232.dat family_berbew behavioral2/files/0x0007000000023578-1225.dat family_berbew behavioral2/files/0x0007000000023570-1198.dat family_berbew behavioral2/files/0x000700000002355c-1131.dat family_berbew behavioral2/files/0x0007000000023675-2106.dat family_berbew behavioral2/files/0x0007000000023556-1112.dat family_berbew behavioral2/files/0x0007000000023552-1097.dat family_berbew behavioral2/files/0x0007000000023544-1050.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4492 Opkoflco.exe 2668 Obikbgbb.exe 4988 Oehgnbbf.exe 448 Ogfcjnaj.exe 4268 Opmllk32.exe 1188 Pejddb32.exe 4472 Piepdahl.exe 4996 Pldlqlgp.exe 3512 Pnbimhfd.exe 4476 Paaeiceg.exe 5004 Plfiflen.exe 3320 Pbpacfmj.exe 632 Pijjpp32.exe 3124 Plifll32.exe 3076 Pngbhg32.exe 336 Paendb32.exe 832 Pimfep32.exe 1656 Phpfqmio.exe 3244 Pbekne32.exe 1012 Phbcfl32.exe 2196 Qpikgj32.exe 4808 Qajhobmm.exe 2324 Qiappono.exe 3172 Qpkhmi32.exe 3724 Qbjdiedp.exe 3996 Qiclfo32.exe 3028 Albibj32.exe 2932 Ablaodbm.exe 4932 Aifiko32.exe 4840 Appahiag.exe 2924 Abnnddpj.exe 4696 Aemjpp32.exe 2704 Ahkflk32.exe 3004 Aackeqeb.exe 4744 Aikbfnfd.exe 2476 Apekch32.exe 4300 Aafgkpcp.exe 1608 Aimoln32.exe 1412 Alkkhi32.exe 1504 Apggihko.exe 3928 Abedecjb.exe 3840 Aiolam32.exe 2132 Blnhni32.exe 3092 Boldjd32.exe 3228 Bakqfp32.exe 1540 Bibigmpl.exe 2084 Bhdibj32.exe 2448 Bpladg32.exe 2188 Bammlomg.exe 2372 Bhgehi32.exe 2044 Bpnnig32.exe 1928 Boanecla.exe 1600 Baojaoke.exe 1848 Bifbbllg.exe 980 Blennh32.exe 4984 Bockjc32.exe 3460 Baaggo32.exe 3176 Blgkdg32.exe 1980 Bbacqape.exe 2260 Badcln32.exe 696 Bikkml32.exe 3156 Chnlihnl.exe 4920 Cpedjf32.exe 1192 Cohdebfi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lmoejkpj.dll Aafgkpcp.exe File created C:\Windows\SysWOW64\Dkljak32.exe Ddbbeade.exe File opened for modification C:\Windows\SysWOW64\Hcpclbfa.exe Heocnk32.exe File created C:\Windows\SysWOW64\Mgbpghdn.dll Anfmjhmd.exe File opened for modification C:\Windows\SysWOW64\Haidklda.exe Hibljoco.exe File created C:\Windows\SysWOW64\Ldmlpbbj.exe Laopdgcg.exe File created C:\Windows\SysWOW64\Egdmkp32.dll Cddecc32.exe File created C:\Windows\SysWOW64\Meiaib32.exe Mlampmdo.exe File created C:\Windows\SysWOW64\Obikbgbb.exe Opkoflco.exe File created C:\Windows\SysWOW64\Ggmlbfpm.dll Domfgpca.exe File created C:\Windows\SysWOW64\Gkillp32.dll Ijdeiaio.exe File created C:\Windows\SysWOW64\Ijkljp32.exe Ifopiajn.exe File created C:\Windows\SysWOW64\Cmgjgcgo.exe Cjinkg32.exe File created C:\Windows\SysWOW64\Kinemkko.exe Kgphpo32.exe File created C:\Windows\SysWOW64\Mgghhlhq.exe Mdiklqhm.exe File opened for modification C:\Windows\SysWOW64\Ajkhdp32.exe Adapgfqj.exe File opened for modification C:\Windows\SysWOW64\Hfqlnm32.exe Hmhhehlb.exe File opened for modification C:\Windows\SysWOW64\Aiolam32.exe Abedecjb.exe File opened for modification C:\Windows\SysWOW64\Blpnib32.exe Blmacb32.exe File opened for modification C:\Windows\SysWOW64\Dbaemi32.exe Dlgmpogj.exe File created C:\Windows\SysWOW64\Icifbang.exe Ikbnacmd.exe File opened for modification C:\Windows\SysWOW64\Nnlhfn32.exe Ncfdie32.exe File opened for modification C:\Windows\SysWOW64\Bhhdil32.exe Bmbplc32.exe File created C:\Windows\SysWOW64\Jffggf32.dll Cmlcbbcj.exe File created C:\Windows\SysWOW64\Bapiabak.exe Bmemac32.exe File created C:\Windows\SysWOW64\Opmllk32.exe Ogfcjnaj.exe File created C:\Windows\SysWOW64\Hmfbjnbp.exe Hikfip32.exe File created C:\Windows\SysWOW64\Jfpbkoql.dll Olmeci32.exe File opened for modification C:\Windows\SysWOW64\Qdbiedpa.exe Pjmehkqk.exe File opened for modification C:\Windows\SysWOW64\Ncfdie32.exe Nnjlpo32.exe File created C:\Windows\SysWOW64\Pnfmmb32.dll Giofnacd.exe File created C:\Windows\SysWOW64\Hpenfjad.exe Hmfbjnbp.exe File created C:\Windows\SysWOW64\Behbag32.exe Blpnib32.exe File opened for modification C:\Windows\SysWOW64\Djgjlelk.exe Ddmaok32.exe File created C:\Windows\SysWOW64\Baojaoke.exe Boanecla.exe File created C:\Windows\SysWOW64\Gmkbnp32.exe Giofnacd.exe File created C:\Windows\SysWOW64\Jibeql32.exe Jjpeepnb.exe File created C:\Windows\SysWOW64\Pjhbgb32.exe Pqpnombl.exe File created C:\Windows\SysWOW64\Jidpnp32.dll Cogmkl32.exe File created C:\Windows\SysWOW64\Echknh32.exe Dceohhja.exe File created C:\Windows\SysWOW64\Gpklpkio.exe Gqikdn32.exe File opened for modification C:\Windows\SysWOW64\Flqimk32.exe Fomhdg32.exe File created C:\Windows\SysWOW64\Nphlemjl.dll Gcggpj32.exe File opened for modification C:\Windows\SysWOW64\Chbnia32.exe Cecbmf32.exe File opened for modification C:\Windows\SysWOW64\Ifefimom.exe Ikpaldog.exe File created C:\Windows\SysWOW64\Nodfmh32.dll Mlampmdo.exe File created C:\Windows\SysWOW64\Beeppfin.dll Ddmaok32.exe File opened for modification C:\Windows\SysWOW64\Gjclbc32.exe Gfhqbe32.exe File created C:\Windows\SysWOW64\Jiejmbkl.dll Ojopad32.exe File created C:\Windows\SysWOW64\Dhcbhjlp.dll Dkgqfl32.exe File opened for modification C:\Windows\SysWOW64\Ddmaok32.exe Ddjejl32.exe File created C:\Windows\SysWOW64\Gcjdcc32.dll Bbacqape.exe File opened for modification C:\Windows\SysWOW64\Efpajh32.exe Ebeejijj.exe File opened for modification C:\Windows\SysWOW64\Hfachc32.exe Hccglh32.exe File created C:\Windows\SysWOW64\Qknpkqim.dll Jfhbppbc.exe File opened for modification C:\Windows\SysWOW64\Kdopod32.exe Kpccnefa.exe File created C:\Windows\SysWOW64\Ncmlocln.dll Lbjlfi32.exe File created C:\Windows\SysWOW64\Onliio32.dll Migjoaaf.exe File created C:\Windows\SysWOW64\Neahbi32.dll Fqhbmqqg.exe File created C:\Windows\SysWOW64\Hionfema.dll Haggelfd.exe File opened for modification C:\Windows\SysWOW64\Ajiknpjj.exe Aaqgek32.exe File created C:\Windows\SysWOW64\Blpnib32.exe Blmacb32.exe File created C:\Windows\SysWOW64\Ifjodl32.exe Ickchq32.exe File created C:\Windows\SysWOW64\Pnbimhfd.exe Pldlqlgp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13812 13728 WerFault.exe 690 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leedqpci.dll" Leihbeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bamagp32.dll" Dlegeemh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eofinnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chebighd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laalifad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll" Aqkgpedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" Daconoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll" Nnhfee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll" Lenamdem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njefqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plfiflen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiffen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djgjlelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpbaqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjhbgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdolhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkblkg32.dll" Ibqpimpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cefemliq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dllmfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbenqg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqkhjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll" Jdhine32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbgbgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmapha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Andqdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll" Lpcfkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" de5adca6f1cc86fae3dd296977d10ea0_NEIKI.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfkoeppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjcgohig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaqgek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfckahdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhoholen.dll" Ehimanbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jplfcpin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Migjoaaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlegeemh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll" Haidklda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbmpm32.dll" Eekaebcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcedaheh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmaef32.dll" Dlgmpogj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll" Lmdina32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgdbkohf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epkajgee.dll" Pejddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjcpe32.dll" Camfbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qecppkdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pngbhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenhgdd.dll" Fodeolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll" Kgbefoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpamgn32.dll" Oqbamo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmncnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lepncd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll" Mdehlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caimgncj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chbedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll" Haggelfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljnnch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjdcc32.dll" Bbacqape.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcbnejem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpjjod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll" Aqncedbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbbf32.dll" Aikbfnfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdjjckag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahkflk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icljbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibagcc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1532 wrote to memory of 4492 1532 de5adca6f1cc86fae3dd296977d10ea0_NEIKI.exe 82 PID 1532 wrote to memory of 4492 1532 de5adca6f1cc86fae3dd296977d10ea0_NEIKI.exe 82 PID 1532 wrote to memory of 4492 1532 de5adca6f1cc86fae3dd296977d10ea0_NEIKI.exe 82 PID 4492 wrote to memory of 2668 4492 Opkoflco.exe 83 PID 4492 wrote to memory of 2668 4492 Opkoflco.exe 83 PID 4492 wrote to memory of 2668 4492 Opkoflco.exe 83 PID 2668 wrote to memory of 4988 2668 Obikbgbb.exe 84 PID 2668 wrote to memory of 4988 2668 Obikbgbb.exe 84 PID 2668 wrote to memory of 4988 2668 Obikbgbb.exe 84 PID 4988 wrote to memory of 448 4988 Oehgnbbf.exe 85 PID 4988 wrote to memory of 448 4988 Oehgnbbf.exe 85 PID 4988 wrote to memory of 448 4988 Oehgnbbf.exe 85 PID 448 wrote to memory of 4268 448 Ogfcjnaj.exe 86 PID 448 wrote to memory of 4268 448 Ogfcjnaj.exe 86 PID 448 wrote to memory of 4268 448 Ogfcjnaj.exe 86 PID 4268 wrote to memory of 1188 4268 Opmllk32.exe 87 PID 4268 wrote to memory of 1188 4268 Opmllk32.exe 87 PID 4268 wrote to memory of 1188 4268 Opmllk32.exe 87 PID 1188 wrote to memory of 4472 1188 Pejddb32.exe 88 PID 1188 wrote to memory of 4472 1188 Pejddb32.exe 88 PID 1188 wrote to memory of 4472 1188 Pejddb32.exe 88 PID 4472 wrote to memory of 4996 4472 Piepdahl.exe 89 PID 4472 wrote to memory of 4996 4472 Piepdahl.exe 89 PID 4472 wrote to memory of 4996 4472 Piepdahl.exe 89 PID 4996 wrote to memory of 3512 4996 Pldlqlgp.exe 90 PID 4996 wrote to memory of 3512 4996 Pldlqlgp.exe 90 PID 4996 wrote to memory of 3512 4996 Pldlqlgp.exe 90 PID 3512 wrote to memory of 4476 3512 Pnbimhfd.exe 92 PID 3512 wrote to memory of 4476 3512 Pnbimhfd.exe 92 PID 3512 wrote to memory of 4476 3512 Pnbimhfd.exe 92 PID 4476 wrote to memory of 5004 4476 Paaeiceg.exe 93 PID 4476 wrote to memory of 5004 4476 Paaeiceg.exe 93 PID 4476 wrote to memory of 5004 4476 Paaeiceg.exe 93 PID 5004 wrote to memory of 3320 5004 Plfiflen.exe 95 PID 5004 wrote to memory of 3320 5004 Plfiflen.exe 95 PID 5004 wrote to memory of 3320 5004 Plfiflen.exe 95 PID 3320 wrote to memory of 632 3320 Pbpacfmj.exe 96 PID 3320 wrote to memory of 632 3320 Pbpacfmj.exe 96 PID 3320 wrote to memory of 632 3320 Pbpacfmj.exe 96 PID 632 wrote to memory of 3124 632 Pijjpp32.exe 97 PID 632 wrote to memory of 3124 632 Pijjpp32.exe 97 PID 632 wrote to memory of 3124 632 Pijjpp32.exe 97 PID 3124 wrote to memory of 3076 3124 Plifll32.exe 98 PID 3124 wrote to memory of 3076 3124 Plifll32.exe 98 PID 3124 wrote to memory of 3076 3124 Plifll32.exe 98 PID 3076 wrote to memory of 336 3076 Pngbhg32.exe 99 PID 3076 wrote to memory of 336 3076 Pngbhg32.exe 99 PID 3076 wrote to memory of 336 3076 Pngbhg32.exe 99 PID 336 wrote to memory of 832 336 Paendb32.exe 100 PID 336 wrote to memory of 832 336 Paendb32.exe 100 PID 336 wrote to memory of 832 336 Paendb32.exe 100 PID 832 wrote to memory of 1656 832 Pimfep32.exe 102 PID 832 wrote to memory of 1656 832 Pimfep32.exe 102 PID 832 wrote to memory of 1656 832 Pimfep32.exe 102 PID 1656 wrote to memory of 3244 1656 Phpfqmio.exe 103 PID 1656 wrote to memory of 3244 1656 Phpfqmio.exe 103 PID 1656 wrote to memory of 3244 1656 Phpfqmio.exe 103 PID 3244 wrote to memory of 1012 3244 Pbekne32.exe 104 PID 3244 wrote to memory of 1012 3244 Pbekne32.exe 104 PID 3244 wrote to memory of 1012 3244 Pbekne32.exe 104 PID 1012 wrote to memory of 2196 1012 Phbcfl32.exe 105 PID 1012 wrote to memory of 2196 1012 Phbcfl32.exe 105 PID 1012 wrote to memory of 2196 1012 Phbcfl32.exe 105 PID 2196 wrote to memory of 4808 2196 Qpikgj32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\de5adca6f1cc86fae3dd296977d10ea0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\de5adca6f1cc86fae3dd296977d10ea0_NEIKI.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Opkoflco.exeC:\Windows\system32\Opkoflco.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\Obikbgbb.exeC:\Windows\system32\Obikbgbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Oehgnbbf.exeC:\Windows\system32\Oehgnbbf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Ogfcjnaj.exeC:\Windows\system32\Ogfcjnaj.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Opmllk32.exeC:\Windows\system32\Opmllk32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Pejddb32.exeC:\Windows\system32\Pejddb32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Piepdahl.exeC:\Windows\system32\Piepdahl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Pldlqlgp.exeC:\Windows\system32\Pldlqlgp.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Pnbimhfd.exeC:\Windows\system32\Pnbimhfd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Paaeiceg.exeC:\Windows\system32\Paaeiceg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Plfiflen.exeC:\Windows\system32\Plfiflen.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Pbpacfmj.exeC:\Windows\system32\Pbpacfmj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Pijjpp32.exeC:\Windows\system32\Pijjpp32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Plifll32.exeC:\Windows\system32\Plifll32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Pngbhg32.exeC:\Windows\system32\Pngbhg32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Paendb32.exeC:\Windows\system32\Paendb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Windows\SysWOW64\Pimfep32.exeC:\Windows\system32\Pimfep32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Phpfqmio.exeC:\Windows\system32\Phpfqmio.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Pbekne32.exeC:\Windows\system32\Pbekne32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Phbcfl32.exeC:\Windows\system32\Phbcfl32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Qpikgj32.exeC:\Windows\system32\Qpikgj32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Qajhobmm.exeC:\Windows\system32\Qajhobmm.exe23⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Qiappono.exeC:\Windows\system32\Qiappono.exe24⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Qpkhmi32.exeC:\Windows\system32\Qpkhmi32.exe25⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Qbjdiedp.exeC:\Windows\system32\Qbjdiedp.exe26⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Qiclfo32.exeC:\Windows\system32\Qiclfo32.exe27⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Albibj32.exeC:\Windows\system32\Albibj32.exe28⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ablaodbm.exeC:\Windows\system32\Ablaodbm.exe29⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Aifiko32.exeC:\Windows\system32\Aifiko32.exe30⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Appahiag.exeC:\Windows\system32\Appahiag.exe31⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Abnnddpj.exeC:\Windows\system32\Abnnddpj.exe32⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Aemjpp32.exeC:\Windows\system32\Aemjpp32.exe33⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Ahkflk32.exeC:\Windows\system32\Ahkflk32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Aackeqeb.exeC:\Windows\system32\Aackeqeb.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Aikbfnfd.exeC:\Windows\system32\Aikbfnfd.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4744 -
C:\Windows\SysWOW64\Apekch32.exeC:\Windows\system32\Apekch32.exe37⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Aafgkpcp.exeC:\Windows\system32\Aafgkpcp.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4300 -
C:\Windows\SysWOW64\Aimoln32.exeC:\Windows\system32\Aimoln32.exe39⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Alkkhi32.exeC:\Windows\system32\Alkkhi32.exe40⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Apggihko.exeC:\Windows\system32\Apggihko.exe41⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Abedecjb.exeC:\Windows\system32\Abedecjb.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3928 -
C:\Windows\SysWOW64\Aiolam32.exeC:\Windows\system32\Aiolam32.exe43⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Blnhni32.exeC:\Windows\system32\Blnhni32.exe44⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Boldjd32.exeC:\Windows\system32\Boldjd32.exe45⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Bakqfp32.exeC:\Windows\system32\Bakqfp32.exe46⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Bibigmpl.exeC:\Windows\system32\Bibigmpl.exe47⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Bhdibj32.exeC:\Windows\system32\Bhdibj32.exe48⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Bpladg32.exeC:\Windows\system32\Bpladg32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Bammlomg.exeC:\Windows\system32\Bammlomg.exe50⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Bhgehi32.exeC:\Windows\system32\Bhgehi32.exe51⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Bpnnig32.exeC:\Windows\system32\Bpnnig32.exe52⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Boanecla.exeC:\Windows\system32\Boanecla.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Baojaoke.exeC:\Windows\system32\Baojaoke.exe54⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Bifbbllg.exeC:\Windows\system32\Bifbbllg.exe55⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Blennh32.exeC:\Windows\system32\Blennh32.exe56⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Bockjc32.exeC:\Windows\system32\Bockjc32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Baaggo32.exeC:\Windows\system32\Baaggo32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Blgkdg32.exeC:\Windows\system32\Blgkdg32.exe59⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Bbacqape.exeC:\Windows\system32\Bbacqape.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Badcln32.exeC:\Windows\system32\Badcln32.exe61⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Bikkml32.exeC:\Windows\system32\Bikkml32.exe62⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Chnlihnl.exeC:\Windows\system32\Chnlihnl.exe63⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Cpedjf32.exeC:\Windows\system32\Cpedjf32.exe64⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Cohdebfi.exeC:\Windows\system32\Cohdebfi.exe65⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Cafpanem.exeC:\Windows\system32\Cafpanem.exe66⤵PID:3872
-
C:\Windows\SysWOW64\Ceblbm32.exeC:\Windows\system32\Ceblbm32.exe67⤵PID:3520
-
C:\Windows\SysWOW64\Chphoh32.exeC:\Windows\system32\Chphoh32.exe68⤵PID:1396
-
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe69⤵PID:3232
-
C:\Windows\SysWOW64\Ccfmla32.exeC:\Windows\system32\Ccfmla32.exe70⤵PID:412
-
C:\Windows\SysWOW64\Caimgncj.exeC:\Windows\system32\Caimgncj.exe71⤵
- Modifies registry class
PID:4524 -
C:\Windows\SysWOW64\Chbedh32.exeC:\Windows\system32\Chbedh32.exe72⤵
- Modifies registry class
PID:4700 -
C:\Windows\SysWOW64\Clnadfbp.exeC:\Windows\system32\Clnadfbp.exe73⤵PID:4892
-
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe74⤵PID:644
-
C:\Windows\SysWOW64\Cchiaqjm.exeC:\Windows\system32\Cchiaqjm.exe75⤵PID:3024
-
C:\Windows\SysWOW64\Cefemliq.exeC:\Windows\system32\Cefemliq.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Chebighd.exeC:\Windows\system32\Chebighd.exe77⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4844 -
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe79⤵PID:2772
-
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe80⤵
- Modifies registry class
PID:1228 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe81⤵PID:3088
-
C:\Windows\SysWOW64\Chgoogfa.exeC:\Windows\system32\Chgoogfa.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1040 -
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe83⤵PID:2200
-
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe84⤵PID:1172
-
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3492 -
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe86⤵PID:5104
-
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe87⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe88⤵PID:4900
-
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe89⤵PID:5144
-
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe90⤵PID:5192
-
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe91⤵PID:5232
-
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe92⤵PID:5276
-
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe93⤵PID:5316
-
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe94⤵PID:5364
-
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe95⤵PID:5408
-
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe97⤵PID:5496
-
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe98⤵
- Modifies registry class
PID:5532 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5580 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5616 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe101⤵PID:5664
-
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe102⤵PID:5708
-
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe103⤵PID:5752
-
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe104⤵PID:5792
-
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe105⤵PID:5832
-
C:\Windows\SysWOW64\Domfgpca.exeC:\Windows\system32\Domfgpca.exe106⤵
- Drops file in System32 directory
PID:5868 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe107⤵PID:5916
-
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe108⤵PID:5960
-
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe109⤵PID:6000
-
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe110⤵PID:6036
-
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6084 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6128 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe113⤵PID:5176
-
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe114⤵PID:5252
-
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe115⤵PID:5312
-
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe116⤵PID:5356
-
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe117⤵PID:5416
-
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe118⤵PID:860
-
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe119⤵PID:5168
-
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe120⤵PID:5556
-
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe121⤵PID:5612
-
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe122⤵PID:5692
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-