Analysis
-
max time kernel
142s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 03:26
Behavioral task
behavioral1
Sample
de9fd66062ae1135af75e653f97179f0_NEIKI.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
de9fd66062ae1135af75e653f97179f0_NEIKI.exe
Resource
win10v2004-20240426-en
General
-
Target
de9fd66062ae1135af75e653f97179f0_NEIKI.exe
-
Size
227KB
-
MD5
de9fd66062ae1135af75e653f97179f0
-
SHA1
eec7bf9af17f37f06637ed38f4a19fdc3f636a55
-
SHA256
eb90682a1cb99c333f0e751f0f37443f29f0731d3f9f912a13335d6b7e08f737
-
SHA512
10c05526546d3bfa3e7258fef8474c8cf2a85290f11fe40b1128e0503a97f91d8c4bfa6a43ebe200ecaace52e00c28842989a5ad12d42593732fe356c8424f44
-
SSDEEP
3072:0BCpL71dhrvNqLWd8AnyPCwB19Bley3pwoTRBmDRGGurhUXvBj2QE2HegPelTeIf:VnNQjqwB1QFm7U5j2QE2+g24Id2jFHu
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnhmng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjlfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfjmgdlf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbkjjblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmpngk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kaqcbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lalcng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmlpbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efpajh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffjdqg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imihfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcifkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nceonl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efgodj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ficgacna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkdnpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kknafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mamleegg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbldaffp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hikfip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jangmibi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiikak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncihikcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbhmdbnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdjfcecp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpjqhgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jaljgidl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laciofpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqklmpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfhqbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjolnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpccnefa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkihknfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdffocib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnhmng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnfipekh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icgqggce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jaimbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipegmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifopiajn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" de9fd66062ae1135af75e653f97179f0_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcbnejem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcgohig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkbchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcggpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijhodq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fokbim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmaioo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hccglh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjmoibog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpappc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcklgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ehonfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbhkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncldnkae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcpapkgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kphmie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imdnklfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdegnep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqikdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hclakimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdcijcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njljefql.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000800000002340d-7.dat family_berbew behavioral2/files/0x0007000000023414-15.dat family_berbew behavioral2/files/0x0007000000023416-23.dat family_berbew behavioral2/files/0x0007000000023419-25.dat family_berbew behavioral2/files/0x000700000002341b-38.dat family_berbew behavioral2/files/0x000700000002341d-46.dat family_berbew behavioral2/files/0x0007000000023421-63.dat family_berbew behavioral2/files/0x0007000000023427-88.dat family_berbew behavioral2/files/0x000700000002342b-105.dat family_berbew behavioral2/files/0x000700000002342d-114.dat family_berbew behavioral2/files/0x000700000002342f-122.dat family_berbew behavioral2/files/0x0007000000023433-134.dat family_berbew behavioral2/files/0x000700000002343b-174.dat family_berbew behavioral2/files/0x000700000002343e-184.dat family_berbew behavioral2/files/0x0007000000023444-210.dat family_berbew behavioral2/files/0x000700000002344e-249.dat family_berbew behavioral2/files/0x0007000000023467-335.dat family_berbew behavioral2/files/0x000700000002346f-361.dat family_berbew behavioral2/files/0x000700000002348e-475.dat family_berbew behavioral2/files/0x00070000000234dc-734.dat family_berbew behavioral2/files/0x0007000000023551-1112.dat family_berbew behavioral2/files/0x000700000002355d-1154.dat family_berbew behavioral2/files/0x00070000000235b1-1476.dat family_berbew behavioral2/files/0x00070000000235ef-1698.dat family_berbew behavioral2/files/0x000700000002363b-1955.dat family_berbew behavioral2/files/0x000700000002363f-1969.dat family_berbew behavioral2/files/0x0007000000023625-1884.dat family_berbew behavioral2/files/0x0007000000023619-1841.dat family_berbew behavioral2/files/0x000700000002360b-1795.dat family_berbew behavioral2/files/0x0007000000023605-1774.dat family_berbew behavioral2/files/0x00070000000235f7-1726.dat family_berbew behavioral2/files/0x00070000000235f5-1719.dat family_berbew behavioral2/files/0x00070000000235e7-1672.dat family_berbew behavioral2/files/0x00080000000235ba-1644.dat family_berbew behavioral2/files/0x00070000000235dc-1624.dat family_berbew behavioral2/files/0x00070000000235cb-1558.dat family_berbew behavioral2/files/0x00070000000235c7-1542.dat family_berbew behavioral2/files/0x00070000000235b6-1497.dat family_berbew behavioral2/files/0x00070000000235ac-1465.dat family_berbew behavioral2/files/0x00070000000235a4-1435.dat family_berbew behavioral2/files/0x0007000000023594-1381.dat family_berbew behavioral2/files/0x000700000002358e-1360.dat family_berbew behavioral2/files/0x0007000000023583-1326.dat family_berbew behavioral2/files/0x0007000000023567-1233.dat family_berbew behavioral2/files/0x0007000000023563-1219.dat family_berbew behavioral2/files/0x0007000000023546-1080.dat family_berbew behavioral2/files/0x000700000002350e-899.dat family_berbew behavioral2/files/0x000700000002350a-885.dat family_berbew behavioral2/files/0x00070000000234fc-841.dat family_berbew behavioral2/files/0x00070000000234f2-807.dat family_berbew behavioral2/files/0x00070000000234ea-782.dat family_berbew behavioral2/files/0x00070000000234d4-707.dat family_berbew behavioral2/files/0x00070000000234bc-627.dat family_berbew behavioral2/files/0x00070000000234b8-613.dat family_berbew behavioral2/files/0x000700000002349e-525.dat family_berbew behavioral2/files/0x0007000000023485-442.dat family_berbew behavioral2/files/0x000700000002347e-415.dat family_berbew behavioral2/files/0x0007000000023479-393.dat family_berbew behavioral2/files/0x0007000000023473-374.dat family_berbew behavioral2/files/0x000700000002346b-349.dat family_berbew behavioral2/files/0x0007000000023452-263.dat family_berbew behavioral2/files/0x0007000000023450-256.dat family_berbew behavioral2/files/0x000700000002344c-242.dat family_berbew behavioral2/files/0x000700000002344a-235.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4004 Dchbhn32.exe 4332 Efgodj32.exe 4316 Ejbkehcg.exe 1104 Elagacbk.exe 2444 Epmcab32.exe 4828 Eoocmoao.exe 4524 Efikji32.exe 1376 Ejegjh32.exe 1600 Eoapbo32.exe 2056 Ebploj32.exe 4988 Ejgdpg32.exe 1420 Eleplc32.exe 2500 Ecphimfb.exe 1492 Efneehef.exe 2228 Elhmablc.exe 1712 Eofinnkf.exe 4340 Ecbenm32.exe 2720 Efpajh32.exe 4196 Ehonfc32.exe 2344 Eqfeha32.exe 3940 Fbgbpihg.exe 4588 Fhajlc32.exe 4684 Fqhbmqqg.exe 4736 Fokbim32.exe 1548 Fbioei32.exe 2692 Fjqgff32.exe 892 Ficgacna.exe 212 Fmocba32.exe 3936 Fqkocpod.exe 4248 Fomonm32.exe 3972 Fcikolnh.exe 3656 Ffggkgmk.exe 4068 Fjcclf32.exe 552 Fifdgblo.exe 4144 Fqmlhpla.exe 2272 Fopldmcl.exe 1448 Fbnhphbp.exe 2352 Ffjdqg32.exe 4056 Fjepaecb.exe 4804 Fmclmabe.exe 4872 Fobiilai.exe 2536 Fcnejk32.exe 4776 Fflaff32.exe 4584 Fmficqpc.exe 2776 Fqaeco32.exe 3348 Gcpapkgp.exe 4312 Gfnnlffc.exe 4300 Gjjjle32.exe 5116 Gqdbiofi.exe 4820 Gcbnejem.exe 2880 Gfqjafdq.exe 1668 Gjlfbd32.exe 1404 Gmkbnp32.exe 2028 Gqfooodg.exe 4400 Gcekkjcj.exe 1796 Gfcgge32.exe 5068 Giacca32.exe 3692 Gqikdn32.exe 3436 Gcggpj32.exe 4924 Gfedle32.exe 4600 Gidphq32.exe 1944 Gqkhjn32.exe 1036 Gcidfi32.exe 4884 Gbldaffp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Elhmablc.exe Efneehef.exe File created C:\Windows\SysWOW64\Oggipmfe.dll Fbioei32.exe File created C:\Windows\SysWOW64\Ifegaglc.dll Gfedle32.exe File created C:\Windows\SysWOW64\Klebid32.dll Hjhfnccl.exe File created C:\Windows\SysWOW64\Iiffen32.exe Ijdeiaio.exe File created C:\Windows\SysWOW64\Jflepa32.dll Jkfkfohj.exe File opened for modification C:\Windows\SysWOW64\Hpenfjad.exe Habnjm32.exe File created C:\Windows\SysWOW64\Mdemcacc.dll Lijdhiaa.exe File created C:\Windows\SysWOW64\Gfedle32.exe Gcggpj32.exe File opened for modification C:\Windows\SysWOW64\Impepm32.exe Iidipnal.exe File opened for modification C:\Windows\SysWOW64\Ldmlpbbj.exe Lpappc32.exe File created C:\Windows\SysWOW64\Mgnnhk32.exe Mcbahlip.exe File opened for modification C:\Windows\SysWOW64\Nkqpjidj.exe Ngedij32.exe File created C:\Windows\SysWOW64\Opbnic32.dll Nqmhbpba.exe File created C:\Windows\SysWOW64\Iidipnal.exe Ijaida32.exe File created C:\Windows\SysWOW64\Dbcjkf32.dll Jbmfoa32.exe File opened for modification C:\Windows\SysWOW64\Lijdhiaa.exe Lkgdml32.exe File opened for modification C:\Windows\SysWOW64\Hmklen32.exe Hippdo32.exe File opened for modification C:\Windows\SysWOW64\Laciofpa.exe Lnhmng32.exe File created C:\Windows\SysWOW64\Mkbchk32.exe Mcklgm32.exe File created C:\Windows\SysWOW64\Bclhoo32.dll Jjpeepnb.exe File created C:\Windows\SysWOW64\Jjbako32.exe Jfffjqdf.exe File created C:\Windows\SysWOW64\Gmlgol32.dll Jdmcidam.exe File created C:\Windows\SysWOW64\Mjhqjg32.exe Mkepnjng.exe File created C:\Windows\SysWOW64\Ndbnboqb.exe Nacbfdao.exe File created C:\Windows\SysWOW64\Fcdjjo32.dll Ndbnboqb.exe File created C:\Windows\SysWOW64\Habnjm32.exe Hmfbjnbp.exe File created C:\Windows\SysWOW64\Lcbiao32.exe Ldohebqh.exe File created C:\Windows\SysWOW64\Nggqoj32.exe Ncldnkae.exe File opened for modification C:\Windows\SysWOW64\Iffmccbi.exe Ibjqcd32.exe File created C:\Windows\SysWOW64\Lgneampk.exe Lcbiao32.exe File created C:\Windows\SysWOW64\Kgkocp32.dll Lkiqbl32.exe File opened for modification C:\Windows\SysWOW64\Lnjjdgee.exe Ljnnch32.exe File created C:\Windows\SysWOW64\Nnhfee32.exe Njljefql.exe File created C:\Windows\SysWOW64\Fomonm32.exe Fqkocpod.exe File created C:\Windows\SysWOW64\Kkpnlm32.exe Kgdbkohf.exe File created C:\Windows\SysWOW64\Fogjfmfe.dll Kcifkp32.exe File created C:\Windows\SysWOW64\Ogijli32.dll Lkgdml32.exe File opened for modification C:\Windows\SysWOW64\Mjjmog32.exe Mkgmcjld.exe File created C:\Windows\SysWOW64\Mecaoggc.dll Lcgblncm.exe File opened for modification C:\Windows\SysWOW64\Ejbkehcg.exe Efgodj32.exe File created C:\Windows\SysWOW64\Gfhqbe32.exe Gbldaffp.exe File opened for modification C:\Windows\SysWOW64\Ibmmhdhm.exe Icjmmg32.exe File created C:\Windows\SysWOW64\Ggcjqj32.dll Jmkdlkph.exe File created C:\Windows\SysWOW64\Jaimbj32.exe Jmnaakne.exe File created C:\Windows\SysWOW64\Lpappc32.exe Lmccchkn.exe File created C:\Windows\SysWOW64\Ahgndd32.dll Fflaff32.exe File created C:\Windows\SysWOW64\Jmkefnli.dll Himcoo32.exe File opened for modification C:\Windows\SysWOW64\Hccglh32.exe Hpgkkioa.exe File created C:\Windows\SysWOW64\Lkgdml32.exe Lgkhlnbn.exe File created C:\Windows\SysWOW64\Fbnhphbp.exe Fopldmcl.exe File opened for modification C:\Windows\SysWOW64\Himcoo32.exe Hjjbcbqj.exe File created C:\Windows\SysWOW64\Ikjmhmfd.dll Iapjlk32.exe File created C:\Windows\SysWOW64\Jbocea32.exe Jdmcidam.exe File opened for modification C:\Windows\SysWOW64\Laefdf32.exe Lnjjdgee.exe File created C:\Windows\SysWOW64\Mdiklqhm.exe Majopeii.exe File created C:\Windows\SysWOW64\Hpbjkl32.dll Fcnejk32.exe File created C:\Windows\SysWOW64\Ibhblqpo.dll Mnlfigcc.exe File created C:\Windows\SysWOW64\Fmocba32.exe Ficgacna.exe File opened for modification C:\Windows\SysWOW64\Giacca32.exe Gfcgge32.exe File created C:\Windows\SysWOW64\Nceonl32.exe Ndbnboqb.exe File opened for modification C:\Windows\SysWOW64\Ehonfc32.exe Efpajh32.exe File created C:\Windows\SysWOW64\Dkfpkkqa.dll Gjclbc32.exe File created C:\Windows\SysWOW64\Jiphogop.dll Idacmfkj.exe -
Program crash 1 IoCs
pid pid_target Process 9036 8888 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll" Kgdbkohf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncldnkae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ipnalhii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmegbjgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll" Lcgblncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphlemjl.dll" Gcggpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Habnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll" Hfcpncdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ldmlpbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mgnnhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndidbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmioonpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hbhdmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncldnkae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcpebmkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mnfipekh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gqkhjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kipabjil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nacbfdao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fjqgff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gcbnejem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgneampk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll" Hfjmgdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbfiep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mnocof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll" Mdiklqhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Impepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kdffocib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nbhkac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffggkgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll" Hjolnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbocjjm.dll" Giacca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgdbkohf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll" Mpolqa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fokbim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gidphq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpappc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll" Lcpllo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmfbjnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpccnefa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Imdnklfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgmlkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmjqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mdpalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll" Hmklen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll" Hmmhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll" Nbkhfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll" Icljbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mdmegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbhdmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Haidklda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmclmabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcnejk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcglkid.dll" Gcpapkgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll" Hfachc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iiibkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdghlnlo.dll" Efikji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fqmlhpla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njogjfoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hbanme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll" Jbfpobpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijfboafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nqmhbpba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hcqjfh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5004 wrote to memory of 4004 5004 de9fd66062ae1135af75e653f97179f0_NEIKI.exe 82 PID 5004 wrote to memory of 4004 5004 de9fd66062ae1135af75e653f97179f0_NEIKI.exe 82 PID 5004 wrote to memory of 4004 5004 de9fd66062ae1135af75e653f97179f0_NEIKI.exe 82 PID 4004 wrote to memory of 4332 4004 Dchbhn32.exe 83 PID 4004 wrote to memory of 4332 4004 Dchbhn32.exe 83 PID 4004 wrote to memory of 4332 4004 Dchbhn32.exe 83 PID 4332 wrote to memory of 4316 4332 Efgodj32.exe 84 PID 4332 wrote to memory of 4316 4332 Efgodj32.exe 84 PID 4332 wrote to memory of 4316 4332 Efgodj32.exe 84 PID 4316 wrote to memory of 1104 4316 Ejbkehcg.exe 85 PID 4316 wrote to memory of 1104 4316 Ejbkehcg.exe 85 PID 4316 wrote to memory of 1104 4316 Ejbkehcg.exe 85 PID 1104 wrote to memory of 2444 1104 Elagacbk.exe 86 PID 1104 wrote to memory of 2444 1104 Elagacbk.exe 86 PID 1104 wrote to memory of 2444 1104 Elagacbk.exe 86 PID 2444 wrote to memory of 4828 2444 Epmcab32.exe 87 PID 2444 wrote to memory of 4828 2444 Epmcab32.exe 87 PID 2444 wrote to memory of 4828 2444 Epmcab32.exe 87 PID 4828 wrote to memory of 4524 4828 Eoocmoao.exe 88 PID 4828 wrote to memory of 4524 4828 Eoocmoao.exe 88 PID 4828 wrote to memory of 4524 4828 Eoocmoao.exe 88 PID 4524 wrote to memory of 1376 4524 Efikji32.exe 89 PID 4524 wrote to memory of 1376 4524 Efikji32.exe 89 PID 4524 wrote to memory of 1376 4524 Efikji32.exe 89 PID 1376 wrote to memory of 1600 1376 Ejegjh32.exe 90 PID 1376 wrote to memory of 1600 1376 Ejegjh32.exe 90 PID 1376 wrote to memory of 1600 1376 Ejegjh32.exe 90 PID 1600 wrote to memory of 2056 1600 Eoapbo32.exe 91 PID 1600 wrote to memory of 2056 1600 Eoapbo32.exe 91 PID 1600 wrote to memory of 2056 1600 Eoapbo32.exe 91 PID 2056 wrote to memory of 4988 2056 Ebploj32.exe 93 PID 2056 wrote to memory of 4988 2056 Ebploj32.exe 93 PID 2056 wrote to memory of 4988 2056 Ebploj32.exe 93 PID 4988 wrote to memory of 1420 4988 Ejgdpg32.exe 94 PID 4988 wrote to memory of 1420 4988 Ejgdpg32.exe 94 PID 4988 wrote to memory of 1420 4988 Ejgdpg32.exe 94 PID 1420 wrote to memory of 2500 1420 Eleplc32.exe 95 PID 1420 wrote to memory of 2500 1420 Eleplc32.exe 95 PID 1420 wrote to memory of 2500 1420 Eleplc32.exe 95 PID 2500 wrote to memory of 1492 2500 Ecphimfb.exe 97 PID 2500 wrote to memory of 1492 2500 Ecphimfb.exe 97 PID 2500 wrote to memory of 1492 2500 Ecphimfb.exe 97 PID 1492 wrote to memory of 2228 1492 Efneehef.exe 98 PID 1492 wrote to memory of 2228 1492 Efneehef.exe 98 PID 1492 wrote to memory of 2228 1492 Efneehef.exe 98 PID 2228 wrote to memory of 1712 2228 Elhmablc.exe 99 PID 2228 wrote to memory of 1712 2228 Elhmablc.exe 99 PID 2228 wrote to memory of 1712 2228 Elhmablc.exe 99 PID 1712 wrote to memory of 4340 1712 Eofinnkf.exe 100 PID 1712 wrote to memory of 4340 1712 Eofinnkf.exe 100 PID 1712 wrote to memory of 4340 1712 Eofinnkf.exe 100 PID 4340 wrote to memory of 2720 4340 Ecbenm32.exe 102 PID 4340 wrote to memory of 2720 4340 Ecbenm32.exe 102 PID 4340 wrote to memory of 2720 4340 Ecbenm32.exe 102 PID 2720 wrote to memory of 4196 2720 Efpajh32.exe 103 PID 2720 wrote to memory of 4196 2720 Efpajh32.exe 103 PID 2720 wrote to memory of 4196 2720 Efpajh32.exe 103 PID 4196 wrote to memory of 2344 4196 Ehonfc32.exe 104 PID 4196 wrote to memory of 2344 4196 Ehonfc32.exe 104 PID 4196 wrote to memory of 2344 4196 Ehonfc32.exe 104 PID 2344 wrote to memory of 3940 2344 Eqfeha32.exe 105 PID 2344 wrote to memory of 3940 2344 Eqfeha32.exe 105 PID 2344 wrote to memory of 3940 2344 Eqfeha32.exe 105 PID 3940 wrote to memory of 4588 3940 Fbgbpihg.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\de9fd66062ae1135af75e653f97179f0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\de9fd66062ae1135af75e653f97179f0_NEIKI.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe23⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe24⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4736 -
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe29⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3936 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe31⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe32⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:3656 -
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe34⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe35⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4144 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe38⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe40⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:4804 -
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe42⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4776 -
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe45⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe46⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3348 -
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe48⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe49⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe50⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4820 -
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe52⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe54⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe55⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe56⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:5068 -
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3436 -
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4924 -
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4600 -
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe64⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4884 -
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3396 -
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe67⤵
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2688 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe69⤵PID:3128
-
C:\Windows\SysWOW64\Hclakimb.exeC:\Windows\system32\Hclakimb.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1536 -
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1216 -
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe72⤵PID:3468
-
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe73⤵PID:1824
-
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe74⤵PID:3920
-
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe75⤵
- Modifies registry class
PID:4712 -
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe76⤵PID:2700
-
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe77⤵
- Drops file in System32 directory
PID:4396 -
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3112 -
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:4696 -
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe81⤵PID:1644
-
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe82⤵
- Modifies registry class
PID:3140 -
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe83⤵PID:1620
-
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe84⤵
- Drops file in System32 directory
PID:3188 -
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe85⤵
- Drops file in System32 directory
PID:4296 -
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe86⤵PID:5064
-
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe87⤵
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe88⤵PID:5172
-
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe89⤵
- Drops file in System32 directory
PID:5208 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5256 -
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe91⤵
- Modifies registry class
PID:5300 -
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5340 -
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe93⤵
- Drops file in System32 directory
PID:5388 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe94⤵
- Modifies registry class
PID:5432 -
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe95⤵PID:5468
-
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe96⤵PID:5520
-
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe97⤵
- Modifies registry class
PID:5560 -
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe98⤵
- Modifies registry class
PID:5608 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5660 -
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe100⤵
- Modifies registry class
PID:5700 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe101⤵
- Modifies registry class
PID:5744 -
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe102⤵PID:5792
-
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5828 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe104⤵
- Drops file in System32 directory
PID:5872 -
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe105⤵PID:5916
-
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe106⤵
- Drops file in System32 directory
PID:5964 -
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe107⤵
- Drops file in System32 directory
PID:6004 -
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe108⤵
- Modifies registry class
PID:6072 -
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe109⤵
- Modifies registry class
PID:6136 -
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe110⤵
- Drops file in System32 directory
PID:5200 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe111⤵PID:5160
-
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe112⤵PID:5324
-
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe113⤵
- Drops file in System32 directory
PID:5424 -
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe114⤵PID:5372
-
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe115⤵PID:5528
-
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe116⤵PID:5576
-
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe117⤵PID:5628
-
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe118⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe119⤵
- Modifies registry class
PID:5752 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe120⤵PID:5776
-
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe121⤵
- Modifies registry class
PID:5880 -
C:\Windows\SysWOW64\Imdnklfp.exeC:\Windows\system32\Imdnklfp.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5928
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-