Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 03:27
Behavioral task
behavioral1
Sample
ded952b0b66d55b160d2379721ae5360_NEIKI.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
ded952b0b66d55b160d2379721ae5360_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
ded952b0b66d55b160d2379721ae5360_NEIKI.exe
-
Size
115KB
-
MD5
ded952b0b66d55b160d2379721ae5360
-
SHA1
3225faacbe3e360aeeda4eac2ea3ef1d999a6db0
-
SHA256
87248c093e75a7a9cca250332568aebaecd9171ee439e1ee0d130887b50524d5
-
SHA512
9ea9ac9a460152190fe2ebc7890cfccf9e698a63d09cb5835b0bc76ea0d509165935adb8dfea8f047a6ddaabc142c18f66fe1b104e53d4611cb6202ad3e4d764
-
SSDEEP
3072:uNQqADYuvLsZdbrIR/SoQUP5u30KqTKr4:QQqaeZhrIooQUPoDqTKE
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkpgck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdmpje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjmnoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klngdpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmegp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojjffddl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjpiha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imoneg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehokgge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Likjcbkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlopkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkgmcjld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncldnkae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obdkma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djgjlelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdnidn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aglemn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpccdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmmnjfnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmlpbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edkdkplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hofdacke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmmjgejj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoaihhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifjodl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilghlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnfdcjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chmndlge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdhdajea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndokbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfjcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdkcde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcioiood.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlcifmbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olhlhjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgciaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhjfhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdbpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifjodl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbhoqj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kefkme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deokon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkcge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmgcgbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnolfdcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbbkaako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcimkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kikame32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdialn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llcpoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmdkch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkbkamnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmoeoidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oponmilc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqfdnhfk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfajjoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbjoljdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdcdbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmjlcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdmga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cddecc32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0008000000022f51-7.dat family_berbew behavioral2/files/0x0008000000023409-15.dat family_berbew behavioral2/files/0x000700000002340b-23.dat family_berbew behavioral2/files/0x000700000002340d-31.dat family_berbew behavioral2/files/0x000700000002340f-39.dat family_berbew behavioral2/files/0x0007000000023411-47.dat family_berbew behavioral2/files/0x0007000000023413-55.dat family_berbew behavioral2/files/0x0007000000023415-63.dat family_berbew behavioral2/files/0x0007000000023417-72.dat family_berbew behavioral2/files/0x0007000000023419-79.dat family_berbew behavioral2/files/0x000700000002341b-87.dat family_berbew behavioral2/files/0x000700000002341d-95.dat family_berbew behavioral2/files/0x000700000002341f-103.dat family_berbew behavioral2/files/0x0007000000023421-111.dat family_berbew behavioral2/files/0x0007000000023423-119.dat family_berbew behavioral2/files/0x0007000000023425-127.dat family_berbew behavioral2/files/0x0007000000023427-135.dat family_berbew behavioral2/files/0x0007000000023429-143.dat family_berbew behavioral2/files/0x000700000002342b-151.dat family_berbew behavioral2/files/0x000700000002342d-159.dat family_berbew behavioral2/files/0x0008000000023407-167.dat family_berbew behavioral2/files/0x0007000000023430-175.dat family_berbew behavioral2/files/0x0007000000023432-183.dat family_berbew behavioral2/files/0x0008000000023434-191.dat family_berbew behavioral2/files/0x0007000000023437-199.dat family_berbew behavioral2/files/0x0007000000023439-207.dat family_berbew behavioral2/files/0x0005000000022abb-215.dat family_berbew behavioral2/files/0x000700000002343c-223.dat family_berbew behavioral2/files/0x000700000002343e-231.dat family_berbew behavioral2/files/0x0007000000023440-234.dat family_berbew behavioral2/files/0x0007000000023442-247.dat family_berbew behavioral2/files/0x0007000000023444-255.dat family_berbew behavioral2/files/0x000700000002344a-270.dat family_berbew behavioral2/files/0x0007000000023450-283.dat family_berbew behavioral2/files/0x0007000000023454-295.dat family_berbew behavioral2/files/0x0007000000023458-307.dat family_berbew behavioral2/files/0x0007000000023464-343.dat family_berbew behavioral2/files/0x000700000002346e-373.dat family_berbew behavioral2/files/0x0007000000023478-403.dat family_berbew behavioral2/files/0x0007000000023480-427.dat family_berbew behavioral2/files/0x0007000000023486-445.dat family_berbew behavioral2/files/0x0007000000023490-475.dat family_berbew behavioral2/files/0x0007000000023494-487.dat family_berbew behavioral2/files/0x0007000000023498-499.dat family_berbew behavioral2/files/0x00070000000234a4-536.dat family_berbew behavioral2/files/0x00070000000234ae-568.dat family_berbew behavioral2/files/0x00070000000234bc-617.dat family_berbew behavioral2/files/0x00070000000234c8-659.dat family_berbew behavioral2/files/0x00070000000234d6-708.dat family_berbew behavioral2/files/0x00070000000234de-736.dat family_berbew behavioral2/files/0x00070000000234ea-778.dat family_berbew behavioral2/files/0x00070000000234f8-827.dat family_berbew behavioral2/files/0x00070000000234fe-847.dat family_berbew behavioral2/files/0x0007000000023508-882.dat family_berbew behavioral2/files/0x0007000000023512-917.dat family_berbew behavioral2/files/0x0007000000023518-937.dat family_berbew behavioral2/files/0x0007000000023520-965.dat family_berbew behavioral2/files/0x0007000000023526-986.dat family_berbew behavioral2/files/0x000700000002352a-1000.dat family_berbew behavioral2/files/0x000700000002353a-1055.dat family_berbew behavioral2/files/0x000700000002353e-1068.dat family_berbew behavioral2/files/0x0007000000023542-1082.dat family_berbew behavioral2/files/0x000700000002354e-1124.dat family_berbew behavioral2/files/0x0007000000023552-1139.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4252 Kcifkp32.exe 2280 Kkpnlm32.exe 2920 Kpmfddnf.exe 2980 Kckbqpnj.exe 3144 Kkbkamnl.exe 756 Lalcng32.exe 2248 Lpocjdld.exe 4952 Lmccchkn.exe 4664 Ldmlpbbj.exe 1220 Lkgdml32.exe 496 Laalifad.exe 4440 Lcbiao32.exe 5016 Lilanioo.exe 2984 Ldaeka32.exe 5024 Lklnhlfb.exe 4576 Laefdf32.exe 4772 Lcgblncm.exe 376 Mjqjih32.exe 2032 Mpkbebbf.exe 1768 Mkpgck32.exe 4076 Mdiklqhm.exe 1832 Mnapdf32.exe 1580 Mcnhmm32.exe 3556 Mncmjfmk.exe 3356 Mdmegp32.exe 2580 Mkgmcjld.exe 2544 Maaepd32.exe 4840 Mdpalp32.exe 3308 Nkjjij32.exe 3600 Nnhfee32.exe 3832 Ndbnboqb.exe 1556 Nklfoi32.exe 824 Nddkgonp.exe 4200 Njacpf32.exe 3212 Ngedij32.exe 2588 Ncldnkae.exe 1604 Njfmke32.exe 3708 Nqpego32.exe 3300 Ojhiqefo.exe 624 Odnnnnfe.exe 1688 Ojjffddl.exe 2900 Ogogoi32.exe 1616 Obdkma32.exe 4956 Oqgkhnjf.exe 2668 Ojopad32.exe 1792 Odednmpm.exe 1492 Ojalgcnd.exe 4992 Pcjapi32.exe 2100 Pnpemb32.exe 1992 Peimil32.exe 4160 Pkceffcd.exe 1756 Peljol32.exe 4660 Pndohaqe.exe 4052 Pkhoae32.exe 60 Pcccfh32.exe 4752 Pgopffec.exe 2040 Qgallfcq.exe 3292 Qjpiha32.exe 4828 Qeemej32.exe 4396 Qgciaf32.exe 3388 Qalnjkgo.exe 4864 Alabgd32.exe 2196 Anpncp32.exe 5108 Acmflf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hlmobp32.dll Nkjjij32.exe File created C:\Windows\SysWOW64\Qgphkcho.dll Oqgkhnjf.exe File created C:\Windows\SysWOW64\Jmmjgejj.exe Jbhfjljd.exe File created C:\Windows\SysWOW64\Ndokbi32.exe Mlhbal32.exe File created C:\Windows\SysWOW64\Nnjlpo32.exe Ngpccdlj.exe File created C:\Windows\SysWOW64\Agglboim.exe Aeiofcji.exe File opened for modification C:\Windows\SysWOW64\Bffkij32.exe Bgcknmop.exe File opened for modification C:\Windows\SysWOW64\Bgehcmmm.exe Balpgb32.exe File created C:\Windows\SysWOW64\Becifhfj.exe Ajneip32.exe File opened for modification C:\Windows\SysWOW64\Cahfmgoo.exe Cknnpm32.exe File opened for modification C:\Windows\SysWOW64\Clbceo32.exe Cehkhecb.exe File created C:\Windows\SysWOW64\Fdegandp.exe Fcckif32.exe File opened for modification C:\Windows\SysWOW64\Laalifad.exe Lkgdml32.exe File created C:\Windows\SysWOW64\Higbhjml.dll Qjpiha32.exe File created C:\Windows\SysWOW64\Ajneip32.exe Adcmmeog.exe File opened for modification C:\Windows\SysWOW64\Gdcdbl32.exe Gbdgfa32.exe File created C:\Windows\SysWOW64\Picpfp32.dll Chdkoa32.exe File opened for modification C:\Windows\SysWOW64\Daaicfgd.exe Dkgqfl32.exe File created C:\Windows\SysWOW64\Dkljak32.exe Ddbbeade.exe File created C:\Windows\SysWOW64\Kiaefcan.dll Ddbbeade.exe File created C:\Windows\SysWOW64\Fbnkjc32.dll Kbaipkbi.exe File created C:\Windows\SysWOW64\Gnbinq32.dll Kbhoqj32.exe File opened for modification C:\Windows\SysWOW64\Pnfdcjkg.exe Pfolbmje.exe File opened for modification C:\Windows\SysWOW64\Ieolehop.exe Icnpmp32.exe File created C:\Windows\SysWOW64\Elcmjaol.dll Pgioqq32.exe File created C:\Windows\SysWOW64\Pdmpje32.exe Pmfhig32.exe File created C:\Windows\SysWOW64\Bebblb32.exe Bagflcje.exe File created C:\Windows\SysWOW64\Chagok32.exe Cmlcbbcj.exe File opened for modification C:\Windows\SysWOW64\Alhhhcal.exe Aacckjaf.exe File opened for modification C:\Windows\SysWOW64\Gkkojgao.exe Gdqgmmjb.exe File opened for modification C:\Windows\SysWOW64\Ilghlc32.exe Iihkpg32.exe File created C:\Windows\SysWOW64\Knfoif32.dll Ogifjcdp.exe File opened for modification C:\Windows\SysWOW64\Balpgb32.exe Bffkij32.exe File created C:\Windows\SysWOW64\Deokon32.exe Dmgbnq32.exe File created C:\Windows\SysWOW64\Mkpgck32.exe Mpkbebbf.exe File opened for modification C:\Windows\SysWOW64\Pkceffcd.exe Peimil32.exe File created C:\Windows\SysWOW64\Dhbbhk32.dll Kpeiioac.exe File created C:\Windows\SysWOW64\Mdpalp32.exe Maaepd32.exe File created C:\Windows\SysWOW64\Jiglalpk.dll Angddopp.exe File created C:\Windows\SysWOW64\Eeanii32.dll Jpgmha32.exe File opened for modification C:\Windows\SysWOW64\Pclgkb32.exe Pqmjog32.exe File opened for modification C:\Windows\SysWOW64\Iiaephpc.exe Hfcicmqp.exe File created C:\Windows\SysWOW64\Hkmgakaf.dll Ojjffddl.exe File opened for modification C:\Windows\SysWOW64\Lfhdlh32.exe Lpnlpnih.exe File opened for modification C:\Windows\SysWOW64\Oncofm32.exe Ogifjcdp.exe File opened for modification C:\Windows\SysWOW64\Ogogoi32.exe Ojjffddl.exe File opened for modification C:\Windows\SysWOW64\Ojopad32.exe Oqgkhnjf.exe File created C:\Windows\SysWOW64\Bdolhc32.exe Bjghpn32.exe File created C:\Windows\SysWOW64\Elgfgl32.exe Eemnjbaj.exe File created C:\Windows\SysWOW64\Cajolcjk.dll Eofbch32.exe File created C:\Windows\SysWOW64\Hofdacke.exe Himldi32.exe File opened for modification C:\Windows\SysWOW64\Hmjdjgjo.exe Hfqlnm32.exe File opened for modification C:\Windows\SysWOW64\Odocigqg.exe Olhlhjpd.exe File created C:\Windows\SysWOW64\Phiifkjp.dll Bagflcje.exe File opened for modification C:\Windows\SysWOW64\Mipcob32.exe Mgagbf32.exe File opened for modification C:\Windows\SysWOW64\Ldmlpbbj.exe Lmccchkn.exe File created C:\Windows\SysWOW64\Efpmmmoo.dll Clbceo32.exe File created C:\Windows\SysWOW64\Jcpfco32.dll Dbllbibl.exe File created C:\Windows\SysWOW64\Jihdea32.dll Edihepnm.exe File created C:\Windows\SysWOW64\Hjjgia32.dll Qalnjkgo.exe File created C:\Windows\SysWOW64\Pkfcej32.dll Lgokmgjm.exe File created C:\Windows\SysWOW64\Ocdqjceo.exe Oqfdnhfk.exe File opened for modification C:\Windows\SysWOW64\Alabgd32.exe Qalnjkgo.exe File created C:\Windows\SysWOW64\Kihgme32.dll Adcmmeog.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9156 8708 WerFault.exe 435 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkpnlm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqpego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhjbhod.dll" Alabgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdcdbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkblkg32.dll" Icnpmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll" Qnhahj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnolfdcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lboeaifi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mchhggno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll" Pfhfan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdbiedpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnpemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghaliknf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifbkgjd.dll" Jfoiokfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngbpidjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll" Cjkjpgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll" Qdbiedpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnopdeh.dll" Fdlnbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdeqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhclmi.dll" Gmoeoidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npibja32.dll" Imfdff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbbhk32.dll" Kpeiioac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpqiemge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djgjlelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckafhlkg.dll" Dafbne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfhfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeiofcji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnnlaehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbnafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iihkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akalojih.dll" Ckpjfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkhbdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdnidn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmncnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chmndlge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll" Chcddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfbcpl32.dll" Cdfbibnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdlnbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll" Nilcjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll" Npjebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofqpqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgcknmop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cegdnopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peljol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajneip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mchhggno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngpccdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll" Pgioqq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcgblncm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckcgkldl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfnphn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpqiemge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nniadn32.dll" Mdckfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll" Nnneknob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll" Bjmnoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll" Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Angddopp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoaihhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfkkboc.dll" Eepjpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcimkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcllonma.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3788 wrote to memory of 4252 3788 ded952b0b66d55b160d2379721ae5360_NEIKI.exe 79 PID 3788 wrote to memory of 4252 3788 ded952b0b66d55b160d2379721ae5360_NEIKI.exe 79 PID 3788 wrote to memory of 4252 3788 ded952b0b66d55b160d2379721ae5360_NEIKI.exe 79 PID 4252 wrote to memory of 2280 4252 Kcifkp32.exe 80 PID 4252 wrote to memory of 2280 4252 Kcifkp32.exe 80 PID 4252 wrote to memory of 2280 4252 Kcifkp32.exe 80 PID 2280 wrote to memory of 2920 2280 Kkpnlm32.exe 82 PID 2280 wrote to memory of 2920 2280 Kkpnlm32.exe 82 PID 2280 wrote to memory of 2920 2280 Kkpnlm32.exe 82 PID 2920 wrote to memory of 2980 2920 Kpmfddnf.exe 84 PID 2920 wrote to memory of 2980 2920 Kpmfddnf.exe 84 PID 2920 wrote to memory of 2980 2920 Kpmfddnf.exe 84 PID 2980 wrote to memory of 3144 2980 Kckbqpnj.exe 85 PID 2980 wrote to memory of 3144 2980 Kckbqpnj.exe 85 PID 2980 wrote to memory of 3144 2980 Kckbqpnj.exe 85 PID 3144 wrote to memory of 756 3144 Kkbkamnl.exe 86 PID 3144 wrote to memory of 756 3144 Kkbkamnl.exe 86 PID 3144 wrote to memory of 756 3144 Kkbkamnl.exe 86 PID 756 wrote to memory of 2248 756 Lalcng32.exe 88 PID 756 wrote to memory of 2248 756 Lalcng32.exe 88 PID 756 wrote to memory of 2248 756 Lalcng32.exe 88 PID 2248 wrote to memory of 4952 2248 Lpocjdld.exe 89 PID 2248 wrote to memory of 4952 2248 Lpocjdld.exe 89 PID 2248 wrote to memory of 4952 2248 Lpocjdld.exe 89 PID 4952 wrote to memory of 4664 4952 Lmccchkn.exe 90 PID 4952 wrote to memory of 4664 4952 Lmccchkn.exe 90 PID 4952 wrote to memory of 4664 4952 Lmccchkn.exe 90 PID 4664 wrote to memory of 1220 4664 Ldmlpbbj.exe 91 PID 4664 wrote to memory of 1220 4664 Ldmlpbbj.exe 91 PID 4664 wrote to memory of 1220 4664 Ldmlpbbj.exe 91 PID 1220 wrote to memory of 496 1220 Lkgdml32.exe 92 PID 1220 wrote to memory of 496 1220 Lkgdml32.exe 92 PID 1220 wrote to memory of 496 1220 Lkgdml32.exe 92 PID 496 wrote to memory of 4440 496 Laalifad.exe 93 PID 496 wrote to memory of 4440 496 Laalifad.exe 93 PID 496 wrote to memory of 4440 496 Laalifad.exe 93 PID 4440 wrote to memory of 5016 4440 Lcbiao32.exe 94 PID 4440 wrote to memory of 5016 4440 Lcbiao32.exe 94 PID 4440 wrote to memory of 5016 4440 Lcbiao32.exe 94 PID 5016 wrote to memory of 2984 5016 Lilanioo.exe 95 PID 5016 wrote to memory of 2984 5016 Lilanioo.exe 95 PID 5016 wrote to memory of 2984 5016 Lilanioo.exe 95 PID 2984 wrote to memory of 5024 2984 Ldaeka32.exe 96 PID 2984 wrote to memory of 5024 2984 Ldaeka32.exe 96 PID 2984 wrote to memory of 5024 2984 Ldaeka32.exe 96 PID 5024 wrote to memory of 4576 5024 Lklnhlfb.exe 97 PID 5024 wrote to memory of 4576 5024 Lklnhlfb.exe 97 PID 5024 wrote to memory of 4576 5024 Lklnhlfb.exe 97 PID 4576 wrote to memory of 4772 4576 Laefdf32.exe 98 PID 4576 wrote to memory of 4772 4576 Laefdf32.exe 98 PID 4576 wrote to memory of 4772 4576 Laefdf32.exe 98 PID 4772 wrote to memory of 376 4772 Lcgblncm.exe 99 PID 4772 wrote to memory of 376 4772 Lcgblncm.exe 99 PID 4772 wrote to memory of 376 4772 Lcgblncm.exe 99 PID 376 wrote to memory of 2032 376 Mjqjih32.exe 100 PID 376 wrote to memory of 2032 376 Mjqjih32.exe 100 PID 376 wrote to memory of 2032 376 Mjqjih32.exe 100 PID 2032 wrote to memory of 1768 2032 Mpkbebbf.exe 101 PID 2032 wrote to memory of 1768 2032 Mpkbebbf.exe 101 PID 2032 wrote to memory of 1768 2032 Mpkbebbf.exe 101 PID 1768 wrote to memory of 4076 1768 Mkpgck32.exe 102 PID 1768 wrote to memory of 4076 1768 Mkpgck32.exe 102 PID 1768 wrote to memory of 4076 1768 Mkpgck32.exe 102 PID 4076 wrote to memory of 1832 4076 Mdiklqhm.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:496 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe23⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe24⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe25⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe29⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3308 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe31⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe32⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe33⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe34⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe35⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe36⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe39⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3708 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe41⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe42⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe44⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4956 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe47⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe48⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe49⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe50⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe53⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe55⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe56⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:60 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe58⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe59⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3292 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe61⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3388 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:4864 -
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe65⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe66⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe67⤵PID:2428
-
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe68⤵PID:4264
-
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe69⤵PID:4732
-
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe70⤵
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe71⤵PID:1252
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe73⤵
- Drops file in System32 directory
PID:4936 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe75⤵PID:4180
-
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe76⤵PID:3716
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe77⤵PID:4996
-
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe78⤵PID:4564
-
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe79⤵PID:224
-
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe80⤵PID:2644
-
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe81⤵PID:1408
-
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe82⤵PID:2316
-
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe83⤵PID:1516
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe84⤵
- Drops file in System32 directory
PID:3268 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe85⤵PID:4960
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe86⤵PID:2344
-
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe87⤵PID:904
-
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe88⤵PID:4800
-
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4296 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe90⤵
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe91⤵PID:4856
-
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe92⤵
- Modifies registry class
PID:3876 -
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe93⤵
- Modifies registry class
PID:1268 -
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe94⤵PID:4548
-
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe95⤵
- Drops file in System32 directory
PID:3528 -
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe96⤵
- Modifies registry class
PID:4156 -
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4536 -
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe98⤵
- Drops file in System32 directory
PID:3540 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe100⤵
- Drops file in System32 directory
PID:4492 -
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe101⤵PID:4636
-
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe102⤵PID:3260
-
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe103⤵
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe104⤵PID:4768
-
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe105⤵PID:4324
-
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe106⤵PID:1032
-
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe107⤵PID:2160
-
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe108⤵
- Drops file in System32 directory
PID:636 -
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe109⤵PID:1564
-
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe110⤵
- Modifies registry class
PID:4068 -
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe111⤵PID:2548
-
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe112⤵PID:4592
-
C:\Windows\SysWOW64\Dahode32.exeC:\Windows\system32\Dahode32.exe113⤵PID:4480
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe114⤵PID:3180
-
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe115⤵PID:5140
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe116⤵
- Drops file in System32 directory
PID:5188 -
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe117⤵PID:5232
-
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe118⤵PID:5276
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5320 -
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe120⤵PID:5360
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5408 -
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe122⤵PID:5444
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-