Analysis

max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 04:25

Behavioral task behavioral1
Sample: eea0515d52ebc7ea40fa334aeb47a840_NEIKI.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: eea0515d52ebc7ea40fa334aeb47a840_NEIKI.exe
Resource: win10v2004-20240426-en

(The signatures and process data below are from behavioral1, the win7-20240221-en run; the yara resource paths and the Analysis block above both refer to that run.)

General

Target: eea0515d52ebc7ea40fa334aeb47a840_NEIKI.exe
Size: 305KB
MD5: eea0515d52ebc7ea40fa334aeb47a840
SHA1: c5647eaa4738da087e4d1af27e3da3a63c88c30e
SHA256: 77c5fcf35eb6ed3285a3978296c30baf31f4ab7e0e800c0abc491b843b160e5b
SHA512: 080c26675af531af80a920b9f6a5192f2bfd397996424c9f4319f05111cb04a47835539700b6625c0eb0089380631a669b8c666ae340c6638f03e0440fe3d818
SSDEEP: 6144:jsR3uim1w1quaNxunXe8yhrtMsQBvli+RQFdq:jsR3uXpvAO8qRMsrOQF
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Mechanism: each stage of the dropper chain creates HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (SSODL) and sets the value "Web Event Logger" to the CLSID {79ECA078-17FF-726B-E811-213280E5C831}. Explorer instantiates every CLSID listed under SSODL when the shell starts, and the "Modifies registry class" signature further down registers that CLSID's InProcServer32 as a dropped DLL under C:\Windows\SysWow64, so the DLL is loaded into explorer.exe at every logon without a Run key, service or scheduled task. The key sits under Wow6432Node because the sample is a 32-bit binary running on x64. The Process column is the chain stage that performed the write; "Process not Found" is the sandbox's placeholder when it could not attribute the event to a tracked process.
Legend: SSODL = \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the report writes the hive path as ...\Software\... on "Key created" rows and ...\SOFTWARE\... on "Set value" rows; registry paths are case-insensitive).

description | ioc | Process
Key created | SSODL | Ackmih32.exe
Key created | SSODL | Mqklqhpg.exe
Key created | SSODL | Nfgjml32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Oemhjlha.exe
Key created | SSODL | Oqmokioh.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ajapoqmf.exe
Key created | SSODL | Olpgconp.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bjbqmi32.exe
Key created | SSODL | Aiqjao32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pkcpei32.exe
Key created | SSODL | Lghlndfa.exe
Key created | SSODL | Piqpkpml.exe
Key created | SSODL | Nfdfmfle.exe
Key created | SSODL | Djmiejji.exe
Key created | SSODL | Ccnddg32.exe
Key created | SSODL | Jjgonf32.exe
Key created | SSODL | Afajafoa.exe
Key created | SSODL | Fjjpjgjj.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aaimopli.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lljpjchg.exe
Key created | SSODL | Boobki32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Iaaekl32.exe
Key created | SSODL | Iplnnd32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bomlppdb.exe
Key created | SSODL | Biiiempl.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Khcbpa32.exe
Key created | SSODL | Cofnjj32.exe
Key created | SSODL | Process not Found
Key created | SSODL | Gdkjdl32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fdiogq32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hcepqh32.exe
Key created | SSODL | Jgbjjf32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eaheeecg.exe
Key created | SSODL | Ifffkncm.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dkigoimd.exe
Key created | SSODL | Jpigma32.exe
Key created | SSODL | Qndkpmkm.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Danpemej.exe
Key created | SSODL | Ifbkgj32.exe
Key created | SSODL | Llhocfnb.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hlafnbal.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Engjkeab.exe
Key created | SSODL | Bflbigdb.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ccnddg32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Akcldl32.exe
Key created | SSODL | Halbai32.exe
Key created | SSODL | Nldahn32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gfmgelil.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lfhhjklc.exe
Key created | SSODL | Keeeje32.exe
Key created | SSODL | Anjnnk32.exe
Key created | SSODL | Ppopja32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Flcojeak.exe
Key created | SSODL | Kgoebmip.exe
Key created | SSODL | Ilcoce32.exe
Key created | SSODL | Efmlqigc.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nddeae32.exe
Key created | SSODL | Oeoeplfn.exe
Key created | SSODL | Agolnbok.exe
Key created | SSODL | Nacmpj32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fgjkmijh.exe
Key created | SSODL | Lkggmldl.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gekfnoog.exe
Key created | SSODL | Hcjldp32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)

Berbew is a backdoor Trojan that can download and install additional malicious software, such as other Trojans, ransomware, and cryptominers. The family_berbew yara rule matched both dropped files and process memory dumps in this run (two of the 64 resources are memory dumps of PIDs 1820 and 2652, the rest are dropped files).

yara_rule: family_berbew (all 64 resources)
resource:
behavioral1/files/0x000c00000001445e-9.dat
behavioral1/files/0x0007000000014ec4-38.dat
behavioral1/files/0x0006000000016d55-129.dat
behavioral1/files/0x0006000000018b15-215.dat
behavioral1/memory/1820-250-0x00000000003A0000-0x00000000003E3000-memory.dmp
behavioral1/files/0x0006000000018ba2-264.dat
behavioral1/files/0x0005000000019410-320.dat
behavioral1/memory/2652-422-0x00000000001B0000-0x00000000001F3000-memory.dmp
behavioral1/files/0x00050000000195a4-431.dat
behavioral1/files/0x0005000000019646-473.dat
behavioral1/files/0x000500000001996e-484.dat
behavioral1/files/0x0005000000019bd7-495.dat
behavioral1/files/0x0005000000019bef-506.dat
behavioral1/files/0x00050000000195ba-464.dat
behavioral1/files/0x00050000000195a9-445.dat
behavioral1/files/0x00050000000195a7-441.dat
behavioral1/files/0x00050000000194ef-376.dat
behavioral1/files/0x0005000000019ce6-515.dat
behavioral1/files/0x0005000000019d59-526.dat
behavioral1/files/0x0005000000019f60-539.dat
behavioral1/files/0x000500000001a013-548.dat
behavioral1/files/0x000500000001a2d0-559.dat
behavioral1/files/0x000500000001a3c2-568.dat
behavioral1/files/0x000500000001a3c8-579.dat
behavioral1/files/0x000500000001a3d4-591.dat
behavioral1/files/0x000500000001a431-616.dat
behavioral1/files/0x000500000001a447-654.dat
behavioral1/files/0x000500000001a44f-681.dat
behavioral1/files/0x000500000001a457-704.dat
behavioral1/files/0x000500000001a45f-729.dat
behavioral1/files/0x000500000001a463-741.dat
behavioral1/files/0x000500000001a474-792.dat
behavioral1/files/0x000500000001c288-884.dat
behavioral1/files/0x000500000001c857-1046.dat
behavioral1/files/0x000400000001cb24-1281.dat
behavioral1/files/0x000400000001cb9d-1419.dat
behavioral1/files/0x000400000001c903-1147.dat
behavioral1/files/0x000400000001cc2e-1533.dat
behavioral1/files/0x000400000001ce79-1615.dat
behavioral1/files/0x000400000001cf09-1639.dat
behavioral1/files/0x000400000001cf7e-1645.dat
behavioral1/files/0x000400000001cfa6-1671.dat
behavioral1/files/0x000400000001cfaf-1679.dat
behavioral1/files/0x000400000001d249-1719.dat
behavioral1/files/0x000400000001d30e-1735.dat
behavioral1/files/0x000400000001d338-1751.dat
behavioral1/files/0x000400000001d33c-1759.dat
behavioral1/files/0x000400000001d344-1775.dat
behavioral1/files/0x000400000001d349-1783.dat
behavioral1/files/0x000400000001d36c-1815.dat
behavioral1/files/0x000400000001d38a-1850.dat
behavioral1/files/0x000400000001d846-2010.dat
behavioral1/files/0x000400000001d853-2024.dat
behavioral1/files/0x000400000001d907-2065.dat
behavioral1/files/0x000400000001d94d-2088.dat
behavioral1/files/0x000400000001d955-2106.dat
behavioral1/files/0x000400000001d966-2138.dat
behavioral1/files/0x000400000001d986-2206.dat
behavioral1/files/0x000400000001d98c-2222.dat
behavioral1/files/0x000400000001d990-2230.dat
behavioral1/files/0x000400000001d962-2130.dat
behavioral1/files/0x000400000001d949-2082.dat
behavioral1/files/0x000400000001d99c-2254.dat
behavioral1/files/0x000400000001d9a4-2270.dat
Executes dropped EXE (64 IoCs)

pid | Process
2684 | Liminmmk.exe
2148 | Lgbeoibb.exe
2568 | Makjho32.exe
2156 | Mmakmp32.exe
2556 | Mhgoji32.exe
2820 | Mcnpojca.exe
1812 | Mdpldi32.exe
1176 | Mdbiji32.exe
2480 | Nmkncofl.exe
1836 | Nhdocl32.exe
1472 | Namclbil.exe
1680 | Nblpfepo.exe
2320 | Nocpkf32.exe
2004 | Nkjapglg.exe
1968 | Omkjbb32.exe
2896 | Ocgbji32.exe
1820 | Olpgconp.exe
1272 | Opnpimdf.exe
2688 | Oldpnn32.exe
2348 | Oaaifdhb.exe
2628 | Poeipifl.exe
3068 | Pafbadcm.exe
2332 | Pgckjk32.exe
2044 | Pahogc32.exe
1732 | Pakllc32.exe
1164 | Pkcpei32.exe
1072 | Qfonkfqd.exe
2508 | Qqdbiopj.exe
2632 | Afajafoa.exe
1144 | Acekjjmk.exe
2660 | Abkhkgbb.exe
1124 | Akcldl32.exe
2652 | Agjmim32.exe
1456 | Agljom32.exe
1988 | Badnhbce.exe
1952 | Bpjkiogm.exe
1396 | Bibpad32.exe
1536 | Bcgdom32.exe
2796 | Bidlgdlk.exe
272 | Bekmle32.exe
2968 | Bfkifhib.exe
2888 | Cofnjj32.exe
2608 | Cikbhc32.exe
2360 | Eccpoo32.exe
936 | Epgphcqd.exe
2532 | Eqjmncna.exe
1624 | Fffefjmi.exe
2228 | Flqmbd32.exe
1932 | Fbmfkkbm.exe
2040 | Fmcjhdbc.exe
832 | Fbpbpkpj.exe
2792 | Fbbofjnh.exe
2168 | Fgohna32.exe
2312 | Fdbhge32.exe
1684 | Gjpqpl32.exe
1216 | Ggcaiqhj.exe
2016 | Gmpjagfa.exe
660 | Ggfnopfg.exe
3032 | Gqnbhf32.exe
1772 | Gfkkpmko.exe
624 | Gaqomeke.exe
1792 | Gfmgelil.exe
2052 | Gljpncgc.exe
2672 | Hfpdkl32.exe
Loads dropped DLL (64 IoCs)

Each process appears twice in the report (two dropped-DLL load events per process); it is listed once here with the event count.

pid | Process | events
2196 | eea0515d52ebc7ea40fa334aeb47a840_NEIKI.exe | 2
2684 | Liminmmk.exe | 2
2148 | Lgbeoibb.exe | 2
2568 | Makjho32.exe | 2
2156 | Mmakmp32.exe | 2
2556 | Mhgoji32.exe | 2
2820 | Mcnpojca.exe | 2
1812 | Mdpldi32.exe | 2
1176 | Mdbiji32.exe | 2
2480 | Nmkncofl.exe | 2
1836 | Nhdocl32.exe | 2
1472 | Namclbil.exe | 2
1680 | Nblpfepo.exe | 2
2320 | Nocpkf32.exe | 2
2004 | Nkjapglg.exe | 2
1968 | Omkjbb32.exe | 2
2896 | Ocgbji32.exe | 2
1820 | Olpgconp.exe | 2
1272 | Opnpimdf.exe | 2
2688 | Oldpnn32.exe | 2
2348 | Oaaifdhb.exe | 2
2628 | Poeipifl.exe | 2
3068 | Pafbadcm.exe | 2
2332 | Pgckjk32.exe | 2
2044 | Pahogc32.exe | 2
1732 | Pakllc32.exe | 2
1588 | Qndigd32.exe | 2
1072 | Qfonkfqd.exe | 2
2508 | Qqdbiopj.exe | 2
2632 | Afajafoa.exe | 2
1144 | Acekjjmk.exe | 2
2660 | Abkhkgbb.exe | 2
Drops file in System32 directory (64 IoCs)

Each stage writes the next-stage EXE and its own component DLL into C:\Windows\SysWOW64. The DLL names line up with the InProcServer32 values in the "Modifies registry class" signature below (for example, Mhgoji32.exe creates Dpccjn32.dll here and registers C:\\Windows\\SysWow64\\Dpccjn32.dll as the CLSID's in-process server there), which is the file side of the SSODL persistence.

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Mcnpojca.exe | Mhgoji32.exe
File created | C:\Windows\SysWOW64\Empomd32.exe | Dqinhcoc.exe
File opened for modification | C:\Windows\SysWOW64\Agjmim32.exe | Akcldl32.exe
File opened for modification | C:\Windows\SysWOW64\Kpfplo32.exe | Keqkofno.exe
File created | C:\Windows\SysWOW64\Oqojhp32.exe | Ojeakfnd.exe
File created | C:\Windows\SysWOW64\Ifbkgj32.exe | Ifpnaj32.exe
File created | C:\Windows\SysWOW64\Hmneebeb.exe | Hbhagiem.exe
File created | C:\Windows\SysWOW64\Oaqeogll.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Gjgiidkl.exe | Gcmamj32.exe
File created | C:\Windows\SysWOW64\Jdcpkp32.exe | Jbbccgmp.exe
File created | C:\Windows\SysWOW64\Mlanmb32.dll | Chbihc32.exe
File opened for modification | C:\Windows\SysWOW64\Elndpnnn.exe | Dadcppbp.exe
File created | C:\Windows\SysWOW64\Aljmbknm.exe | Acohnhab.exe
File created | C:\Windows\SysWOW64\Inipeafi.dll | Fkkhpadq.exe
File created | C:\Windows\SysWOW64\Kainfp32.dll | Akiobk32.exe
File created | C:\Windows\SysWOW64\Gflfedag.dll | Hcepqh32.exe
File opened for modification | C:\Windows\SysWOW64\Dcbjni32.exe | Djjeedhp.exe
File created | C:\Windows\SysWOW64\Malpee32.exe | Mffkgl32.exe
File created | C:\Windows\SysWOW64\Hoeheonb.dll | Lkicbk32.exe
File created | C:\Windows\SysWOW64\Qhbokp32.dll | Flfkoeoh.exe
File created | C:\Windows\SysWOW64\Olebgfao.exe | Oekjjl32.exe
File created | C:\Windows\SysWOW64\Apgagg32.exe | Ahpifj32.exe
File created | C:\Windows\SysWOW64\Bqiibc32.dll | Ecfnmh32.exe
File created | C:\Windows\SysWOW64\Pfqlkfoc.exe | Ppgcol32.exe
File opened for modification | C:\Windows\SysWOW64\Bogljj32.exe | Bikcbc32.exe
File created | C:\Windows\SysWOW64\Dboeco32.exe | Dgiaefgg.exe
File created | C:\Windows\SysWOW64\Gekfnoog.exe | Goqnae32.exe
File created | C:\Windows\SysWOW64\Gjmagfog.dll | Qnebjc32.exe
File opened for modification | C:\Windows\SysWOW64\Ageompfe.exe | Apkgpf32.exe
File created | C:\Windows\SysWOW64\Jmfcop32.exe | Jfmkbebl.exe
File created | C:\Windows\SysWOW64\Jojloc32.exe | Jfagemej.exe
File created | C:\Windows\SysWOW64\Ladebd32.exe | Lkjmfjmi.exe
File opened for modification | C:\Windows\SysWOW64\Mfdopp32.exe | Lokgcf32.exe
File opened for modification | C:\Windows\SysWOW64\Mccbmh32.exe | Mngjeamd.exe
File created | C:\Windows\SysWOW64\Llbqfe32.exe | Lfhhjklc.exe
File opened for modification | C:\Windows\SysWOW64\Eanldqgf.exe | Ekdchf32.exe
File created | C:\Windows\SysWOW64\Nomdjlpi.dll | Ifdlng32.exe
File created | C:\Windows\SysWOW64\Ileoknhh.exe | Hidfjckg.exe
File opened for modification | C:\Windows\SysWOW64\Mpopnejo.exe | Mbkpeake.exe
File created | C:\Windows\SysWOW64\Agolnbok.exe | Alihaioe.exe
File created | C:\Windows\SysWOW64\Cggcofkf.exe | Bopknhjd.exe
File created | C:\Windows\SysWOW64\Lbbpgc32.dll | Ninjjf32.exe
File opened for modification | C:\Windows\SysWOW64\Knoaeimg.exe | Kcimhpma.exe
File opened for modification | C:\Windows\SysWOW64\Cdqfgh32.exe | Ckhbnb32.exe
File opened for modification | C:\Windows\SysWOW64\Ecobmg32.exe | Ehinpnpm.exe
File opened for modification | C:\Windows\SysWOW64\Kjihci32.exe | Kqqdjceh.exe
File created | C:\Windows\SysWOW64\Dpccjn32.dll | Mhgoji32.exe
File opened for modification | C:\Windows\SysWOW64\Qhkipdeb.exe | Qaapcj32.exe
File created | C:\Windows\SysWOW64\Hkjnenbp.exe | Hmfmkjdf.exe
File opened for modification | C:\Windows\SysWOW64\Egikjh32.exe | Eppcmncq.exe
File opened for modification | C:\Windows\SysWOW64\Bhpqcpkm.exe | Bogljj32.exe
File created | C:\Windows\SysWOW64\Cikbhc32.exe | Cofnjj32.exe
File created | C:\Windows\SysWOW64\Fqfemqod.exe | Ffaaoh32.exe
File opened for modification | C:\Windows\SysWOW64\Gaagcpdl.exe | Gglbfg32.exe
File created | C:\Windows\SysWOW64\Aoihaa32.exe | Process not Found
File created | C:\Windows\SysWOW64\Djbfepid.dll | Process not Found
File created | C:\Windows\SysWOW64\Aakjdo32.exe | Alnalh32.exe
File created | C:\Windows\SysWOW64\Dnefhpma.exe | Dihmpinj.exe
File opened for modification | C:\Windows\SysWOW64\Mlolnllf.exe | Meecaa32.exe
File created | C:\Windows\SysWOW64\Cpidai32.exe | Cllkkk32.exe
File created | C:\Windows\SysWOW64\Glomllkd.exe | Gphlgk32.exe
File opened for modification | C:\Windows\SysWOW64\Dicnkdnf.exe | Dpkibo32.exe
File created | C:\Windows\SysWOW64\Hcdnhoac.exe | Hnheohcl.exe
File created | C:\Windows\SysWOW64\Qndhjl32.dll | Eoebgcol.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
3516 | 5884 | Process not Found | 1111
Modifies registry class (64 IoCs)

This is the second half of the SSODL persistence: the CLSID referenced by the "Web Event Logger" value gets an InProcServer32 subkey whose default value is a dropped DLL in C:\Windows\SysWow64 and whose ThreadingModel is "Apartment". Successive stages overwrite the default value with their own DLL, so only the last writer's DLL is what Explorer loads; the earlier DLLs remain on disk.

Legend: IPS = \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32. "IPS\(default)" is the key's unnamed default value, which the report prints as "InProcServer32\ =". String data is shown with the doubled backslashes exactly as the report prints it.

description | ioc | Process
Set value (str) | IPS\(default) = "C:\\Windows\\SysWow64\\Lgpgbj32.dll" | Aaimopli.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Fapeic32.exe
Key created | IPS | Lcdhgn32.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Leikbd32.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Process not Found
Set value (str) | IPS\ThreadingModel = "Apartment" | Mhgoji32.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Apgagg32.exe
Key created | IPS | Qmenhe32.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Ccmblnif.exe
Set value (str) | IPS\(default) = "C:\\Windows\\SysWow64\\Glehgdkn.dll" | Heliepmn.exe
Key created | IPS | Cnlnpd32.exe
Set value (str) | IPS\(default) = "C:\\Windows\\SysWow64\\Eidmboob.dll" | Abnopj32.exe
Key created | IPS | Bbqkeioh.exe
Set value (str) | IPS\(default) = "C:\\Windows\\SysWow64\\Nlgfkmph.dll" | Ialadj32.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Process not Found
Key created | IPS | Llbqfe32.exe
Set value (str) | IPS\(default) = "C:\\Windows\\SysWow64\\Jahonm32.dll" | Process not Found
Key created | IPS | Ooabmbbe.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Aicmadmm.exe
Set value (str) | IPS\(default) = "C:\\Windows\\SysWow64\\Dpccjn32.dll" | Mhgoji32.exe
Key created | IPS | Aihfap32.exe
Set value (str) | IPS\(default) = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll" | Agolnbok.exe
Key created | IPS | Afcdpi32.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Ahpifj32.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Efhqmadd.exe
Set value (str) | IPS\(default) = "C:\\Windows\\SysWow64\\Kdjphodi.dll" | Enneln32.exe
Set value (str) | IPS\(default) = "C:\\Windows\\SysWow64\\Edjdohaf.dll" | Fohphgce.exe
Set value (str) | IPS\(default) = "C:\\Windows\\SysWow64\\Ebkilnbk.dll" | Dammoahg.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Nggggoda.exe
Key created | IPS | Fdapcg32.exe
Key created | IPS | Nickoldp.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Mjgqcj32.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Hhcndhap.exe
Key created | IPS | Naimepkp.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Lghlndfa.exe
Key created | IPS | Lqejbiim.exe
Set value (str) | IPS\(default) = "C:\\Windows\\SysWow64\\Jeoggjip.dll" | Lqipkhbj.exe
Key created | IPS | Ppddpd32.exe
Key created | IPS | Kpieengb.exe
Key created | IPS | Ndnmialh.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Floeof32.exe
Key created | IPS | Pcdldknm.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Fqdiga32.exe
Key created | IPS | Baneak32.exe
Key created | IPS | Ggiofa32.exe
Key created | IPS | Jhmofo32.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Cqdfehii.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Lijepc32.exe
Key created | IPS | Jmdiahco.exe
Key created | IPS | Nhdocl32.exe
Set value (str) | IPS\(default) = "C:\\Windows\\SysWow64\\Lfhkkdnp.dll" | Pgckjk32.exe
Key created | IPS | Kpcqnf32.exe
Key created | IPS | Imaapa32.exe
Set value (str) | IPS\(default) = "C:\\Windows\\SysWow64\\Jkcfefdg.dll" | Qiflohqk.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Gdnkkmej.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Iigpli32.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Mhjcec32.exe
Set value (str) | IPS\(default) = "C:\\Windows\\SysWow64\\Dognqkje.dll" | Aflfjc32.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Kimlqfeq.exe
Set value (str) | IPS\(default) = "C:\\Windows\\SysWow64\\Mgflpn32.dll" | Process not Found
Set value (str) | IPS\ThreadingModel = "Apartment" | Bgffhkoj.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Mihdgkpp.exe
Set value (str) | IPS\ThreadingModel = "Apartment" | Mkqqnq32.exe
Set value (str) | IPS\(default) = "C:\\Windows\\SysWow64\\Fmdkki32.dll" | Acohnhab.exe
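The two registry signatures ("Adds autorun key" and "Modifies registry class") only make sense when joined: the SSODL value names a CLSID, and the CLSID's InProcServer32 names the DLL Explorer will load. The following script, an added example that is not part of the sandbox report, parses rows in the report's flattened "description ioc Process" layout, performs that join, and lists the registry keys to inspect on a live host. The sample rows are copied from the report above and embedded as constructed input; the helper names (parse_row, persistence_chain, hunt_locations) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied verbatim from the two registry signatures in the
# report above, one row per string, in the report's flattened "description ioc Process" layout.
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackmih32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oemhjlha.exe',
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll" Aaimopli.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fapeic32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lcdhgn32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glehgdkn.dll" Heliepmn.exe',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (.+)$')
KEY_RE = re.compile(r'^Key created (\S+) (.+)$')
# CLSID key as the sandbox writes it: ...\CLSID\{GUID}\InProcServer32
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$', re.IGNORECASE)


def parse_row(row):
    """Split one IoC row into (action, key, value_name, data, process); None if unrecognised."""
    m = SET_RE.match(row)
    if m:
        _kind, path, data, proc = m.groups()
        key, _, value_name = path.rpartition('\\')      # default value -> empty name
        return 'set', key, value_name, data.replace('\\\\', '\\'), proc
    m = KEY_RE.match(row)
    if m:
        key, proc = m.groups()
        return 'create', key, None, None, proc
    return None


def persistence_chain(rows):
    """Join SSODL value -> CLSID -> InProcServer32 DLL.

    Returns (chain, writers): chain is a list of (ssodl_value_name, clsid, dll_path),
    writers maps each CLSID to the set of processes that touched its InProcServer32 key.
    """
    ssodl = defaultdict(set)      # SSODL value name -> {CLSID}
    servers = defaultdict(set)    # CLSID -> {DLL path from the InProcServer32 default value}
    writers = defaultdict(set)    # CLSID -> {process names}
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        action, key, name, data, proc = parsed
        if action == 'set' and key.upper().endswith('\\SHELLSERVICEOBJECTDELAYLOAD'):
            ssodl[name].add(data.upper())
        m = CLSID_RE.search(key)
        if m:
            clsid = m.group(1).upper()
            writers[clsid].add(proc)
            if action == 'set' and name == '':
                servers[clsid].add(data)
    chain = []
    for name, clsids in ssodl.items():
        for clsid in sorted(clsids):
            for dll in sorted(servers.get(clsid) or {'<InProcServer32 default value not set>'}):
                chain.append((name, clsid, dll))
    return chain, dict(writers)


def hunt_locations(chain):
    """Registry keys to inspect on a live host for each chain link, in both the
    32-bit (Wow6432Node) view this sample used and the native 64-bit view."""
    locs = set()
    for _name, clsid, _dll in chain:
        for node in ('', 'Wow6432Node\\'):
            locs.add('HKLM\\SOFTWARE\\' + node + 'Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad')
            locs.add('HKLM\\SOFTWARE\\Classes\\' + node + 'CLSID\\' + clsid + '\\InProcServer32')
    return sorted(locs)


if __name__ == '__main__':
    chain, writers = persistence_chain(SAMPLE_ROWS)
    for name, clsid, dll in chain:
        print(f'SSODL "{name}" -> {clsid} -> {dll}  (key written by: {", ".join(sorted(writers[clsid]))})')
    print('Hunt here:')
    for loc in hunt_locations(chain):
        print('  ' + loc)
```

Run against the full signature tables rather than the seven sample rows and the chain lists every DLL that was ever registered for the CLSID, which is the file set to collect from a compromised host even though only the last writer's DLL is the one Explorer currently loads.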
Suspicious use of WriteProcessMemory (64 IoCs)

Every link in the chain appears four times in the report (four WriteProcessMemory events per process creation); each link is listed once here with the event count. The pattern is a strict relay: each dropped EXE starts exactly one successor and the original sample is the only root. procid_target is the report's own process index, not an OS PID.

description | pid | Process | procid_target | events
PID 2196 wrote to memory of 2684 | 2196 | eea0515d52ebc7ea40fa334aeb47a840_NEIKI.exe | 28 | 4
PID 2684 wrote to memory of 2148 | 2684 | Liminmmk.exe | 29 | 4
PID 2148 wrote to memory of 2568 | 2148 | Lgbeoibb.exe | 426 | 4
PID 2568 wrote to memory of 2156 | 2568 | Makjho32.exe | 31 | 4
PID 2156 wrote to memory of 2556 | 2156 | Mmakmp32.exe | 32 | 4
PID 2556 wrote to memory of 2820 | 2556 | Mhgoji32.exe | 33 | 4
PID 2820 wrote to memory of 1812 | 2820 | Mcnpojca.exe | 34 | 4
PID 1812 wrote to memory of 1176 | 1812 | Mdpldi32.exe | 35 | 4
PID 1176 wrote to memory of 2480 | 1176 | Mdbiji32.exe | 36 | 4
PID 2480 wrote to memory of 1836 | 2480 | Nmkncofl.exe | 37 | 4
PID 1836 wrote to memory of 1472 | 1836 | Nhdocl32.exe | 446 | 4
PID 1472 wrote to memory of 1680 | 1472 | Namclbil.exe | 39 | 4
PID 1680 wrote to memory of 2320 | 1680 | Nblpfepo.exe | 40 | 4
PID 2320 wrote to memory of 2004 | 2320 | Nocpkf32.exe | 41 | 4
PID 2004 wrote to memory of 1968 | 2004 | Nkjapglg.exe | 42 | 4
PID 1968 wrote to memory of 2896 | 1968 | Omkjbb32.exe | 43 | 4
Processes

Spawn chain as recorded by the sandbox: each entry is the child of the entry above it, and the number is its depth in the chain. From depth 2 onward every process has image path C:\Windows\SysWOW64\<name>.exe and command line C:\Windows\system32\<name>.exe; the signatures attributed to each process follow its PID.

1. C:\Users\Admin\AppData\Local\Temp\eea0515d52ebc7ea40fa334aeb47a840_NEIKI.exe (command line: "C:\Users\Admin\AppData\Local\Temp\eea0515d52ebc7ea40fa334aeb47a840_NEIKI.exe"), PID 2196: Loads dropped DLL; Suspicious use of WriteProcessMemory
2. Liminmmk.exe, PID 2684: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. Lgbeoibb.exe, PID 2148: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. Makjho32.exe, PID 2568: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. Mmakmp32.exe, PID 2156: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. Mhgoji32.exe, PID 2556: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
7. Mcnpojca.exe, PID 2820: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. Mdpldi32.exe, PID 1812: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. Mdbiji32.exe, PID 1176: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. Nmkncofl.exe, PID 2480: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. Nhdocl32.exe, PID 1836: Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
12. Namclbil.exe, PID 1472: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. Nblpfepo.exe, PID 1680: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. Nocpkf32.exe, PID 2320: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. Nkjapglg.exe, PID 2004: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. Omkjbb32.exe, PID 1968: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. Ocgbji32.exe, PID 2896: Executes dropped EXE; Loads dropped DLL
18. Olpgconp.exe, PID 1820: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
19. Opnpimdf.exe, PID 1272: Executes dropped EXE; Loads dropped DLL
20. Oldpnn32.exe, PID 2688: Executes dropped EXE; Loads dropped DLL
21. Oaaifdhb.exe, PID 2348: Executes dropped EXE; Loads dropped DLL
22. Poeipifl.exe, PID 2628: Executes dropped EXE; Loads dropped DLL
23. Pafbadcm.exe, PID 3068: Executes dropped EXE; Loads dropped DLL
24. Pgckjk32.exe, PID 2332: Executes dropped EXE; Loads dropped DLL; Modifies registry class
25. Pahogc32.exe, PID 2044: Executes dropped EXE; Loads dropped DLL
26. Pakllc32.exe, PID 1732: Executes dropped EXE; Loads dropped DLL
27. Pkcpei32.exe, PID 1164: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
28. Qndigd32.exe, PID 1588: Loads dropped DLL
29. Qfonkfqd.exe, PID 1072: Executes dropped EXE; Loads dropped DLL
30. Qqdbiopj.exe, PID 2508: Executes dropped EXE; Loads dropped DLL
31. Afajafoa.exe, PID 2632: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
32. Acekjjmk.exe, PID 1144: Executes dropped EXE; Loads dropped DLL
33. Abkhkgbb.exe, PID 2660: Executes dropped EXE; Loads dropped DLL
34. Akcldl32.exe, PID 1124: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
35. Agjmim32.exe, PID 2652: Executes dropped EXE
36. Agljom32.exe, PID 1456: Executes dropped EXE
37. Badnhbce.exe, PID 1988: Executes dropped EXE
38. Bpjkiogm.exe, PID 1952: Executes dropped EXE
39. Bibpad32.exe, PID 1396: Executes dropped EXE
40. Bcgdom32.exe, PID 1536: Executes dropped EXE
41. Bidlgdlk.exe, PID 2796: Executes dropped EXE
42. Bekmle32.exe, PID 272: Executes dropped EXE
43. Bfkifhib.exe, PID 2968: Executes dropped EXE
44. Cofnjj32.exe, PID 2888: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
45. Cikbhc32.exe, PID 2608: Executes dropped EXE
46. Eccpoo32.exe, PID 2360: Executes dropped EXE
47. Epgphcqd.exe, PID 936: Executes dropped EXE
48. Eqjmncna.exe, PID 2532: Executes dropped EXE
49. Fffefjmi.exe, PID 1624: Executes dropped EXE
50. Flqmbd32.exe, PID 2228: Executes dropped EXE
51. Fbmfkkbm.exe, PID 1932: Executes dropped EXE
52. Fmcjhdbc.exe, PID 2040: Executes dropped EXE
53. Fbpbpkpj.exe, PID 832: Executes dropped EXE
54. Fbbofjnh.exe, PID 2792: Executes dropped EXE
55. Fgohna32.exe, PID 2168: Executes dropped EXE
56. Fdbhge32.exe, PID 2312: Executes dropped EXE
57. Gjpqpl32.exe, PID 1684: Executes dropped EXE
58. Ggcaiqhj.exe, PID 1216: Executes dropped EXE
59. Gmpjagfa.exe, PID 2016: Executes dropped EXE
60. Ggfnopfg.exe, PID 660: Executes dropped EXE
61. Gqnbhf32.exe, PID 3032: Executes dropped EXE
62. Gfkkpmko.exe, PID 1772: Executes dropped EXE
63. Gaqomeke.exe, PID 624: Executes dropped EXE
64. Gfmgelil.exe, PID 1792: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
65. Gljpncgc.exe, PID 2052: Executes dropped EXE
66. Hfpdkl32.exe, PID 2672: Executes dropped EXE
67. Hphidanj.exe, PID 2692
68. Heealhla.exe, PID 2744
69. Hpjeialg.exe, PID 1412
70. Halbai32.exe, PID 2200: Adds autorun key to be loaded by Explorer.exe on startup
71. Hlafnbal.exe, PID 1500: Adds autorun key to be loaded by Explorer.exe on startup
72. Hhhgcc32.exe, PID 1692
73. Hmeolj32.exe, PID 2900
74. Hfmddp32.exe, PID 2964
75. Hmglajcd.exe, PID 916
76. Ifoqjo32.exe, PID 596
77. Iaeegh32.exe, PID 2732
78. Ibfaopoi.exe, PID 1088
79. Ijmipn32.exe, PID 2084
80. Ipjahd32.exe, PID 2024
81. Iegjqk32.exe, PID 1644
82. Iplnnd32.exe, PID 2696: Adds autorun key to be loaded by Explorer.exe on startup
83. Ifffkncm.exe, PID 2948: Adds autorun key to be loaded by Explorer.exe on startup
84. Ilcoce32.exe, PID 1520: Adds autorun key to be loaded by Explorer.exe on startup
85. Ibmgpoia.exe, PID 388
86. Iigpli32.exe, PID 2752: Modifies registry class
87. Jodhdp32.exe, PID 1408
88. Jhlmmfef.exe, PID 2476
89. Jaeafklf.exe, PID 2116
90. Jkmeoa32.exe, PID 1468
91. Jpjngh32.exe, PID 1936
92. Jkpbdq32.exe, PID 576
93. Jplkmgol.exe, PID 2240
94. Jjdofm32.exe, PID 2188
95. Kdjccf32.exe, PID 1616
96. Kghpoa32.exe, PID 1508
97. Klehgh32.exe, PID 2528
98. Kcopdb32.exe, PID 2768
99. Kjihalag.exe, PID 1672
100. Kpcqnf32.exe, PID 1404: Modifies registry class
101. Kbdmeoob.exe, PID 1108
102. Kkmand32.exe, PID 2592
103. Kfbfkmeh.exe, PID 2736
104. Kokjdb32.exe, PID 1392
105. Kfebambf.exe, PID 2384
106. Lkakicam.exe, PID 3108
107. Lnpgeopa.exe, PID 3164
108. Lghlndfa.exe, PID 3216: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
109. Lbnpkmfg.exe, PID 3280
110. Lkfddc32.exe, PID 3332
111. Lmgalkcf.exe, PID 3396
112. Ljkaeo32.exe, PID 3456
113. Lqejbiim.exe, PID 3508: Modifies registry class
114. Lcdfnehp.exe, PID 3564
115. Liqoflfh.exe, PID 3620
116. Lokgcf32.exe, PID 3672: Drops file in System32 directory
117. Mfdopp32.exe, PID 3732
118. Micklk32.exe, PID 3800
119. Mbkpeake.exe, PID 3864: Drops file in System32 directory
120. Mpopnejo.exe, PID 3916
121. Mbnljqic.exe, PID 3968
122. Mihdgkpp.exe, PID 4028: Modifies registry class