Analysis
-
max time kernel
97s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 03:25
Behavioral task
behavioral1
Sample
de6a001e6a1277c5d6d77150a49d09f0_NEIKI.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
de6a001e6a1277c5d6d77150a49d09f0_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
de6a001e6a1277c5d6d77150a49d09f0_NEIKI.exe
-
Size
304KB
-
MD5
de6a001e6a1277c5d6d77150a49d09f0
-
SHA1
a20796b9e050c174bfa4bb7ae09c139334091422
-
SHA256
efb928150cad8391a9852f3b17524edc7e82deeb59fb06098d371c94956fc63b
-
SHA512
69cfd0ce8b79d517e51c471a5cb162149f1e9d10fb5576a75f874b5bc36e3b95c96fded83a401d2c43ea9e2a172028c45a45318579269f3e189d0426a7945c9b
-
SSDEEP
6144:1bVNBOp22fFeJLbnCBbC+nVLjOPj194oQAPJiduHyFfeoHiWmVlWaPxqZcNpCLh:XN0FeJLbnCN3xjOPj1Gg2uHyFfeoHHma
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cddecc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edihepnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcpllo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qchmagie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipbdmaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpappc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doqpak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkmchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hecmijim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnpemb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Andgoobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmmnjfnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjjppmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chdkoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnhmng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbbbabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjbena32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgmpogj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fckajehi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agjhgngj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obdkma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfbploob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okloegjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hopnqdan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlampmdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnonbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqkgpedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kknafn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doeiljfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcefno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdcbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kibnhjgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmfddnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqiogp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncldnkae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnadk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhikcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kknafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnakhkol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmkadgpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Febgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eolpmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcncpbmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deokon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdainc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfbploob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jedeph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcccfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Angddopp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deanodkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dojcgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eefhjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agjhgngj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdcbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldjhpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmoahijl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnepih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldkojb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eepjpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Febgea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffdpghg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjpiha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhhamgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldkojb32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000700000002328e-6.dat family_berbew behavioral2/files/0x00080000000233f3-14.dat family_berbew behavioral2/files/0x00070000000233f5-22.dat family_berbew behavioral2/files/0x00070000000233f7-30.dat family_berbew behavioral2/files/0x00070000000233f9-38.dat family_berbew behavioral2/files/0x00070000000233fb-47.dat family_berbew behavioral2/files/0x00070000000233fd-54.dat family_berbew behavioral2/files/0x0007000000023401-70.dat family_berbew behavioral2/files/0x0007000000023403-79.dat family_berbew behavioral2/files/0x0007000000023405-86.dat family_berbew behavioral2/files/0x0007000000023407-92.dat family_berbew behavioral2/files/0x0007000000023409-99.dat family_berbew behavioral2/files/0x000700000002340d-114.dat family_berbew behavioral2/files/0x000700000002340f-121.dat family_berbew behavioral2/files/0x0007000000023413-135.dat family_berbew behavioral2/files/0x0007000000023421-184.dat family_berbew behavioral2/files/0x0007000000023427-205.dat family_berbew behavioral2/files/0x000700000002342b-219.dat family_berbew behavioral2/files/0x000700000002342f-233.dat family_berbew behavioral2/files/0x000700000002342d-226.dat family_berbew behavioral2/files/0x0007000000023429-212.dat family_berbew behavioral2/files/0x0007000000023425-198.dat family_berbew behavioral2/files/0x0007000000023423-191.dat family_berbew behavioral2/files/0x000700000002341f-177.dat family_berbew behavioral2/files/0x000700000002341d-170.dat family_berbew behavioral2/files/0x000700000002341b-163.dat family_berbew behavioral2/files/0x0007000000023419-156.dat family_berbew behavioral2/files/0x0007000000023417-149.dat family_berbew behavioral2/files/0x0007000000023415-142.dat family_berbew behavioral2/files/0x0007000000023411-128.dat family_berbew behavioral2/files/0x000700000002340b-107.dat family_berbew behavioral2/files/0x00070000000233ff-63.dat family_berbew behavioral2/files/0x000700000002348e-539.dat family_berbew behavioral2/files/0x0007000000023490-546.dat family_berbew behavioral2/files/0x0007000000023494-557.dat family_berbew behavioral2/files/0x000700000002349d-580.dat family_berbew behavioral2/files/0x00070000000234a3-599.dat family_berbew behavioral2/files/0x0008000000023380-761.dat family_berbew behavioral2/files/0x00070000000234d7-797.dat family_berbew behavioral2/files/0x00070000000234db-809.dat family_berbew behavioral2/files/0x00070000000234df-821.dat family_berbew behavioral2/files/0x00070000000234e8-845.dat family_berbew behavioral2/files/0x00070000000234fa-902.dat family_berbew behavioral2/files/0x0007000000023500-922.dat family_berbew behavioral2/files/0x000700000002350c-959.dat family_berbew behavioral2/files/0x0007000000023514-987.dat family_berbew behavioral2/files/0x0007000000023517-994.dat family_berbew behavioral2/files/0x0007000000023521-1017.dat family_berbew behavioral2/files/0x0007000000023543-1132.dat family_berbew behavioral2/files/0x0007000000023547-1145.dat family_berbew behavioral2/files/0x000700000002355a-1213.dat family_berbew behavioral2/files/0x0007000000023588-1364.dat family_berbew behavioral2/files/0x0007000000023596-1413.dat family_berbew behavioral2/files/0x00070000000235b6-1523.dat family_berbew behavioral2/files/0x00070000000235bc-1544.dat family_berbew behavioral2/files/0x00070000000235c0-1559.dat family_berbew behavioral2/files/0x00070000000235c4-1571.dat family_berbew behavioral2/files/0x00070000000235c8-1583.dat family_berbew behavioral2/files/0x00070000000235d0-1610.dat family_berbew behavioral2/files/0x00070000000235dc-1649.dat family_berbew behavioral2/files/0x0007000000023600-1768.dat family_berbew behavioral2/files/0x000700000002360c-1809.dat family_berbew behavioral2/files/0x0007000000023614-1836.dat family_berbew behavioral2/files/0x0007000000023620-1872.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4540 Jjpeepnb.exe 2652 Jdhine32.exe 2724 Jjbako32.exe 116 Jdjfcecp.exe 1392 Jkdnpo32.exe 2892 Jigollag.exe 868 Jdmcidam.exe 2064 Jbocea32.exe 3112 Jkfkfohj.exe 1980 Kmegbjgn.exe 1948 Kaqcbi32.exe 988 Kpccnefa.exe 216 Kdopod32.exe 232 Kgmlkp32.exe 4940 Kkihknfg.exe 4792 Kmgdgjek.exe 3644 Kacphh32.exe 3576 Kpepcedo.exe 3472 Kbdmpqcb.exe 2980 Kgphpo32.exe 4312 Kkkdan32.exe 4588 Kinemkko.exe 900 Kaemnhla.exe 1664 Kphmie32.exe 4388 Kdcijcke.exe 5028 Kbfiep32.exe 1068 Kgbefoji.exe 4456 Kknafn32.exe 4840 Kmlnbi32.exe 2248 Kagichjo.exe 1640 Kdffocib.exe 4560 Kcifkp32.exe 5108 Kgdbkohf.exe 2348 Kibnhjgj.exe 440 Kmnjhioc.exe 1724 Kajfig32.exe 4484 Kpmfddnf.exe 3996 Kckbqpnj.exe 4328 Kgfoan32.exe 4148 Lmqgnhmp.exe 5116 Lalcng32.exe 532 Ldkojb32.exe 1416 Lcmofolg.exe 3304 Lgikfn32.exe 2000 Lkdggmlj.exe 4168 Liggbi32.exe 4868 Lmccchkn.exe 2336 Lpappc32.exe 1808 Ldmlpbbj.exe 384 Lcpllo32.exe 3932 Lgkhlnbn.exe 2456 Lkgdml32.exe 3000 Lijdhiaa.exe 3520 Lnepih32.exe 4596 Laalifad.exe 3480 Lpcmec32.exe 3724 Lcbiao32.exe 5096 Lgneampk.exe 3256 Lkiqbl32.exe 4412 Lilanioo.exe 1364 Lnhmng32.exe 4932 Lpfijcfl.exe 1072 Lcdegnep.exe 4904 Ljnnch32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Eocenh32.exe Eleiam32.exe File created C:\Windows\SysWOW64\Npjebj32.exe Ncfdie32.exe File created C:\Windows\SysWOW64\Lfjhbihm.dll Cfpnph32.exe File created C:\Windows\SysWOW64\Kgphpo32.exe Kbdmpqcb.exe File created C:\Windows\SysWOW64\Ldkojb32.exe Lalcng32.exe File created C:\Windows\SysWOW64\Lpfijcfl.exe Lnhmng32.exe File created C:\Windows\SysWOW64\Ngpjnkpf.exe Ndbnboqb.exe File created C:\Windows\SysWOW64\Eimmfkfe.dll Qgallfcq.exe File created C:\Windows\SysWOW64\Dkljak32.exe Dlijfneg.exe File opened for modification C:\Windows\SysWOW64\Dhpjkojk.exe Deanodkh.exe File created C:\Windows\SysWOW64\Ojaelm32.exe Ocgmpccl.exe File created C:\Windows\SysWOW64\Afjlnk32.exe Aqncedbp.exe File opened for modification C:\Windows\SysWOW64\Onklabip.exe Okloegjl.exe File created C:\Windows\SysWOW64\Ifjodl32.exe Ildkgc32.exe File created C:\Windows\SysWOW64\Ieolehop.exe Ipbdmaah.exe File opened for modification C:\Windows\SysWOW64\Lpqiemge.exe Lfhdlh32.exe File created C:\Windows\SysWOW64\Ldamee32.dll Ocgmpccl.exe File opened for modification C:\Windows\SysWOW64\Cbcilkjg.exe Cogmkl32.exe File created C:\Windows\SysWOW64\Ceaehfjj.exe Cbcilkjg.exe File created C:\Windows\SysWOW64\Ijhkffjm.dll Ckcgkldl.exe File created C:\Windows\SysWOW64\Npfkgjdn.exe Ndokbi32.exe File created C:\Windows\SysWOW64\Halpnqlq.dll Pmoahijl.exe File created C:\Windows\SysWOW64\Laalifad.exe Lnepih32.exe File created C:\Windows\SysWOW64\Gefncbmc.dll Lcdegnep.exe File opened for modification C:\Windows\SysWOW64\Mdiklqhm.exe Mpkbebbf.exe File opened for modification C:\Windows\SysWOW64\Edihepnm.exe Eefhjc32.exe File opened for modification C:\Windows\SysWOW64\Mdjagjco.exe Miemjaci.exe File opened for modification C:\Windows\SysWOW64\Cdainc32.exe Cacmah32.exe File created C:\Windows\SysWOW64\Dhbgqohi.exe Ddgkpp32.exe File created C:\Windows\SysWOW64\Pnonbk32.exe Pjcbbmif.exe File created C:\Windows\SysWOW64\Legdcg32.dll Njljefql.exe File created C:\Windows\SysWOW64\Paadnmaq.dll Nbhkac32.exe File created C:\Windows\SysWOW64\Hnicfelf.dll Pbddcoei.exe File created C:\Windows\SysWOW64\Oehldcbk.dll Bjdkjo32.exe File opened for modification C:\Windows\SysWOW64\Qcgffqei.exe Qmmnjfnl.exe File created C:\Windows\SysWOW64\Okolkg32.exe Ocgdji32.exe File created C:\Windows\SysWOW64\Pacghh32.dll Ifjodl32.exe File created C:\Windows\SysWOW64\Pmidog32.exe Pjjhbl32.exe File opened for modification C:\Windows\SysWOW64\Afhohlbj.exe Acjclpcf.exe File created C:\Windows\SysWOW64\Ffcnippo.dll Acnlgp32.exe File created C:\Windows\SysWOW64\Cogflbdn.dll Dejacond.exe File created C:\Windows\SysWOW64\Obangb32.exe Ojjffddl.exe File opened for modification C:\Windows\SysWOW64\Kdcbom32.exe Kimnbd32.exe File created C:\Windows\SysWOW64\Nqjfoc32.dll Kbdmpqcb.exe File opened for modification C:\Windows\SysWOW64\Lpappc32.exe Lmccchkn.exe File opened for modification C:\Windows\SysWOW64\Ldmlpbbj.exe Lpappc32.exe File opened for modification C:\Windows\SysWOW64\Pjjhbl32.exe Pgllfp32.exe File opened for modification C:\Windows\SysWOW64\Pnihcq32.exe Pkjlge32.exe File created C:\Windows\SysWOW64\Dlijfneg.exe Ddbbeade.exe File opened for modification C:\Windows\SysWOW64\Eamhodmf.exe Eoolbinc.exe File created C:\Windows\SysWOW64\Cajcbgml.exe Cbgbgj32.exe File created C:\Windows\SysWOW64\Hecmijim.exe Hofdacke.exe File created C:\Windows\SysWOW64\Iicbehnq.exe Ipknlb32.exe File created C:\Windows\SysWOW64\Fhccdhqf.dll Kdcbom32.exe File opened for modification C:\Windows\SysWOW64\Fdgdgnbm.exe Faihkbci.exe File opened for modification C:\Windows\SysWOW64\Fbpnkama.exe Flceckoj.exe File created C:\Windows\SysWOW64\Bjmnoi32.exe Accfbokl.exe File created C:\Windows\SysWOW64\Bhgejlhj.dll Behbag32.exe File opened for modification C:\Windows\SysWOW64\Ncdgcf32.exe Npfkgjdn.exe File created C:\Windows\SysWOW64\Hfligghk.dll Nfgmjqop.exe File created C:\Windows\SysWOW64\Occkojkm.exe Obangb32.exe File opened for modification C:\Windows\SysWOW64\Cfpnph32.exe Cenahpha.exe File opened for modification C:\Windows\SysWOW64\Dfnjafap.exe Delnin32.exe File created C:\Windows\SysWOW64\Eodpoobg.dll Abemjmgg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10072 9928 WerFault.exe 478 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmnjhioc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfhlejnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmoahijl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kagichjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceipnc32.dll" Qjpiha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fckajehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmenjlfh.dll" Hbpgbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcccfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aldomc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcbdco32.dll" Cahfmgoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eefhjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcoimpn.dll" Glhonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll" Lnhmng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odnnnnfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iclnemml.dll" Aegikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaqgek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cojjqlpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldggoeb.dll" Fllpbldb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll" Afhohlbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgphpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll" Lkdggmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnicfelf.dll" Pbddcoei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kihgme32.dll" Ahoimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddmhja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmppcbjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afhohlbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hipnbb32.dll" Nqpego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cffdpghg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnlfigcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmkhg32.dll" Ojalgcnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hecmijim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klngdpdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID de6a001e6a1277c5d6d77150a49d09f0_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll" Lmqgnhmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bejogg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fckajehi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlkagbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjmnoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcifkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qjbena32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Angddopp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clnjjpod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edihepnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngknngal.dll" Glebhjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jedeph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcijeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anadoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kknafn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldmlpbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiigifj.dll" Dedkdcie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll" Menjdbgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocgmpccl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjbena32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkmlofol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbcdnbb.dll" Gcfqfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcllonma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebgohck.dll" Leihbeib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ceqnmpfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deokon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdffocib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clpgpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edkdkplj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3824 wrote to memory of 4540 3824 de6a001e6a1277c5d6d77150a49d09f0_NEIKI.exe 80 PID 3824 wrote to memory of 4540 3824 de6a001e6a1277c5d6d77150a49d09f0_NEIKI.exe 80 PID 3824 wrote to memory of 4540 3824 de6a001e6a1277c5d6d77150a49d09f0_NEIKI.exe 80 PID 4540 wrote to memory of 2652 4540 Jjpeepnb.exe 82 PID 4540 wrote to memory of 2652 4540 Jjpeepnb.exe 82 PID 4540 wrote to memory of 2652 4540 Jjpeepnb.exe 82 PID 2652 wrote to memory of 2724 2652 Jdhine32.exe 83 PID 2652 wrote to memory of 2724 2652 Jdhine32.exe 83 PID 2652 wrote to memory of 2724 2652 Jdhine32.exe 83 PID 2724 wrote to memory of 116 2724 Jjbako32.exe 85 PID 2724 wrote to memory of 116 2724 Jjbako32.exe 85 PID 2724 wrote to memory of 116 2724 Jjbako32.exe 85 PID 116 wrote to memory of 1392 116 Jdjfcecp.exe 87 PID 116 wrote to memory of 1392 116 Jdjfcecp.exe 87 PID 116 wrote to memory of 1392 116 Jdjfcecp.exe 87 PID 1392 wrote to memory of 2892 1392 Jkdnpo32.exe 88 PID 1392 wrote to memory of 2892 1392 Jkdnpo32.exe 88 PID 1392 wrote to memory of 2892 1392 Jkdnpo32.exe 88 PID 2892 wrote to memory of 868 2892 Jigollag.exe 89 PID 2892 wrote to memory of 868 2892 Jigollag.exe 89 PID 2892 wrote to memory of 868 2892 Jigollag.exe 89 PID 868 wrote to memory of 2064 868 Jdmcidam.exe 90 PID 868 wrote to memory of 2064 868 Jdmcidam.exe 90 PID 868 wrote to memory of 2064 868 Jdmcidam.exe 90 PID 2064 wrote to memory of 3112 2064 Jbocea32.exe 91 PID 2064 wrote to memory of 3112 2064 Jbocea32.exe 91 PID 2064 wrote to memory of 3112 2064 Jbocea32.exe 91 PID 3112 wrote to memory of 1980 3112 Jkfkfohj.exe 92 PID 3112 wrote to memory of 1980 3112 Jkfkfohj.exe 92 PID 3112 wrote to memory of 1980 3112 Jkfkfohj.exe 92 PID 1980 wrote to memory of 1948 1980 Kmegbjgn.exe 93 PID 1980 wrote to memory of 1948 1980 Kmegbjgn.exe 93 PID 1980 wrote to memory of 1948 1980 Kmegbjgn.exe 93 PID 1948 wrote to memory of 988 1948 Kaqcbi32.exe 94 PID 1948 wrote to memory of 988 1948 Kaqcbi32.exe 94 PID 1948 wrote to memory of 988 1948 Kaqcbi32.exe 94 PID 988 wrote to memory of 216 988 Kpccnefa.exe 95 PID 988 wrote to memory of 216 988 Kpccnefa.exe 95 PID 988 wrote to memory of 216 988 Kpccnefa.exe 95 PID 216 wrote to memory of 232 216 Kdopod32.exe 96 PID 216 wrote to memory of 232 216 Kdopod32.exe 96 PID 216 wrote to memory of 232 216 Kdopod32.exe 96 PID 232 wrote to memory of 4940 232 Kgmlkp32.exe 97 PID 232 wrote to memory of 4940 232 Kgmlkp32.exe 97 PID 232 wrote to memory of 4940 232 Kgmlkp32.exe 97 PID 4940 wrote to memory of 4792 4940 Kkihknfg.exe 98 PID 4940 wrote to memory of 4792 4940 Kkihknfg.exe 98 PID 4940 wrote to memory of 4792 4940 Kkihknfg.exe 98 PID 4792 wrote to memory of 3644 4792 Kmgdgjek.exe 99 PID 4792 wrote to memory of 3644 4792 Kmgdgjek.exe 99 PID 4792 wrote to memory of 3644 4792 Kmgdgjek.exe 99 PID 3644 wrote to memory of 3576 3644 Kacphh32.exe 100 PID 3644 wrote to memory of 3576 3644 Kacphh32.exe 100 PID 3644 wrote to memory of 3576 3644 Kacphh32.exe 100 PID 3576 wrote to memory of 3472 3576 Kpepcedo.exe 101 PID 3576 wrote to memory of 3472 3576 Kpepcedo.exe 101 PID 3576 wrote to memory of 3472 3576 Kpepcedo.exe 101 PID 3472 wrote to memory of 2980 3472 Kbdmpqcb.exe 102 PID 3472 wrote to memory of 2980 3472 Kbdmpqcb.exe 102 PID 3472 wrote to memory of 2980 3472 Kbdmpqcb.exe 102 PID 2980 wrote to memory of 4312 2980 Kgphpo32.exe 103 PID 2980 wrote to memory of 4312 2980 Kgphpo32.exe 103 PID 2980 wrote to memory of 4312 2980 Kgphpo32.exe 103 PID 4312 wrote to memory of 4588 4312 Kkkdan32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\de6a001e6a1277c5d6d77150a49d09f0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\de6a001e6a1277c5d6d77150a49d09f0_NEIKI.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe23⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe24⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe25⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe26⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe27⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe28⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4456 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe30⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:4560 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe34⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:440 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe37⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe39⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe40⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:4148 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5116 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe44⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe45⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe47⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4868 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe52⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe53⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe54⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3520 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe56⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe57⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe58⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe59⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe60⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe61⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe63⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe65⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe66⤵
- Modifies registry class
PID:4336 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe67⤵
- Drops file in System32 directory
PID:3464 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe68⤵PID:4452
-
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe69⤵PID:3252
-
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe70⤵PID:4536
-
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe71⤵PID:1736
-
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe72⤵
- Drops file in System32 directory
PID:3812 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe73⤵PID:4636
-
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe74⤵
- Drops file in System32 directory
PID:4428 -
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe75⤵PID:2820
-
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe76⤵PID:1896
-
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe77⤵PID:964
-
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1908 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe79⤵PID:1652
-
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe80⤵PID:1040
-
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe81⤵
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe82⤵PID:1492
-
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe83⤵PID:1628
-
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4644 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe85⤵PID:4064
-
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe86⤵
- Modifies registry class
PID:3340 -
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2340 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe88⤵PID:1456
-
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe89⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe90⤵PID:4028
-
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe91⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe92⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe93⤵PID:3180
-
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe94⤵PID:1484
-
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe95⤵PID:1788
-
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3616 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe97⤵PID:4680
-
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4856 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe99⤵PID:3504
-
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe100⤵PID:2508
-
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe101⤵
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe102⤵PID:5136
-
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe103⤵
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe104⤵PID:5248
-
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe105⤵PID:5304
-
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe106⤵PID:5344
-
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe107⤵PID:5392
-
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5432 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe109⤵PID:5476
-
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe110⤵PID:5512
-
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe111⤵PID:5560
-
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe112⤵PID:5596
-
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5640 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe114⤵PID:5680
-
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe115⤵PID:5720
-
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe116⤵PID:5764
-
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe117⤵PID:5804
-
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe118⤵PID:5844
-
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe119⤵PID:5884
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe120⤵PID:5920
-
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5964 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe122⤵
- Drops file in System32 directory
PID:6036
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-