Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 03:31
Behavioral task
behavioral1
Sample
dff1c2449e1bb57a77d8971046c02860_NEIKI.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
dff1c2449e1bb57a77d8971046c02860_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
dff1c2449e1bb57a77d8971046c02860_NEIKI.exe
-
Size
109KB
-
MD5
dff1c2449e1bb57a77d8971046c02860
-
SHA1
dcba3370afe7325279144e6f68aae0ff9c90c0ac
-
SHA256
51684b12a4a486b123c6a8647028e2d0f17d244238e2e17d3b31f2bdc438170c
-
SHA512
718cb2cc2ff61a8111b9b0bb333a9511bbce0dd8b76515f7fabc2a4783d7879e030ee7ed7d38c930911c91bfd8f4a8db1a1a1a8a943cb1fcb0a174ca25a946ad
-
SSDEEP
3072:OZ9Ex5wbXIJ9tLCqwzBu1DjHLMVDqqkSpR:OrEx5AIJ99wtu1DjrFqhz
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgogk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albjlcao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikaio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhgdkjol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkaiqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejgcdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafndg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knklagmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpafkknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bifgdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpcmpijk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecmkghcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emhlfmgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghmfhmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkkmqnck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlaeonld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efncicpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blaopqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kifpdelo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfmemc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amcpie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngpolo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gikaio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llohjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqjfoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idceea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfcikek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkcofe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamfnkai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlekia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqeicede.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlcbenjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfinoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpefdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlekia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pngphgbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogmhkmki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhodf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qedhdjnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clilkfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcenlceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdcpdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfjqnjkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmhodf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhiffc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadloj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmcqkkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgalqkbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbbnchb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ombapedi.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2240-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x000d000000015ccd-5.dat family_berbew behavioral1/memory/2240-11-0x0000000000250000-0x0000000000294000-memory.dmp family_berbew behavioral1/files/0x0007000000015d7f-19.dat family_berbew behavioral1/memory/2648-31-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0007000000015d93-32.dat family_berbew behavioral1/memory/2480-39-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0009000000015f65-45.dat family_berbew behavioral1/files/0x0006000000016cdc-62.dat family_berbew behavioral1/memory/2360-69-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000016d18-78.dat family_berbew behavioral1/files/0x0006000000016d3e-98.dat family_berbew behavioral1/memory/2600-106-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000016d5f-115.dat family_berbew behavioral1/files/0x0006000000016d8e-133.dat family_berbew behavioral1/files/0x0006000000016db9-158.dat family_berbew behavioral1/memory/332-164-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00060000000171df-185.dat family_berbew behavioral1/files/0x0006000000017437-195.dat family_berbew behavioral1/files/0x0031000000018649-217.dat family_berbew behavioral1/files/0x000500000001875a-236.dat family_berbew behavioral1/files/0x0006000000018bb0-266.dat family_berbew behavioral1/memory/972-271-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00050000000192e7-288.dat family_berbew behavioral1/memory/1856-338-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2500-352-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2500-354-0x0000000000250000-0x0000000000294000-memory.dmp family_berbew behavioral1/memory/2488-363-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0005000000019568-365.dat family_berbew behavioral1/memory/2604-380-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/1584-406-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/1276-412-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x000500000001961a-430.dat family_berbew behavioral1/memory/1680-449-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/588-460-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0005000000019624-462.dat family_berbew behavioral1/memory/2816-467-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/652-483-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0005000000019902-506.dat family_berbew behavioral1/files/0x0005000000019c4b-528.dat family_berbew behavioral1/files/0x0005000000019ddd-546.dat family_berbew behavioral1/files/0x000500000001a0d0-583.dat family_berbew behavioral1/files/0x000500000001a44b-608.dat family_berbew behavioral1/files/0x000500000001a453-616.dat family_berbew behavioral1/files/0x000500000001a48f-630.dat family_berbew behavioral1/files/0x000500000001a4b5-652.dat family_berbew behavioral1/files/0x000500000001a4c9-675.dat family_berbew behavioral1/files/0x000500000001a4d1-696.dat family_berbew behavioral1/files/0x000500000001a4d5-706.dat family_berbew behavioral1/files/0x000500000001a4de-727.dat family_berbew behavioral1/files/0x000500000001a4e7-750.dat family_berbew behavioral1/files/0x000500000001a4f3-769.dat family_berbew behavioral1/files/0x000500000001a503-798.dat family_berbew behavioral1/files/0x000500000001a50b-818.dat family_berbew behavioral1/files/0x000500000001a552-845.dat family_berbew behavioral1/files/0x000500000001adaa-874.dat family_berbew behavioral1/files/0x000500000001c763-901.dat family_berbew behavioral1/files/0x000500000001c88e-939.dat family_berbew behavioral1/files/0x000500000001c896-965.dat family_berbew behavioral1/files/0x000500000001c89b-976.dat family_berbew behavioral1/files/0x000500000001c8aa-1015.dat family_berbew behavioral1/files/0x000500000001c8af-1028.dat family_berbew behavioral1/files/0x000500000001c8bc-1063.dat family_berbew behavioral1/files/0x000500000001c8c4-1092.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3040 Qbbfopeg.exe 2648 Qljkhe32.exe 2480 Qnigda32.exe 2896 Qmlgonbe.exe 2360 Qecoqk32.exe 2872 Ahakmf32.exe 1252 Ajphib32.exe 2600 Amndem32.exe 2244 Aplpai32.exe 2252 Ahchbf32.exe 344 Affhncfc.exe 332 Aiedjneg.exe 2024 Aalmklfi.exe 2088 Adjigg32.exe 1848 Afiecb32.exe 336 Aigaon32.exe 856 Alenki32.exe 1480 Apajlhka.exe 2780 Admemg32.exe 860 Afkbib32.exe 972 Aenbdoii.exe 1692 Aiinen32.exe 628 Alhjai32.exe 1880 Apcfahio.exe 1656 Abbbnchb.exe 1856 Afmonbqk.exe 2492 Ailkjmpo.exe 2500 Bpfcgg32.exe 2488 Boiccdnf.exe 384 Bhahlj32.exe 2604 Blmdlhmp.exe 1716 Beehencq.exe 1584 Bdhhqk32.exe 1276 Bhcdaibd.exe 1228 Bkaqmeah.exe 2756 Bnpmipql.exe 1680 Begeknan.exe 588 Bhfagipa.exe 2816 Bopicc32.exe 652 Bpafkknm.exe 3016 Bhhnli32.exe 1712 Bgknheej.exe 324 Bjijdadm.exe 1420 Baqbenep.exe 2236 Bdooajdc.exe 596 Cgmkmecg.exe 2504 Cjlgiqbk.exe 2228 Cjlgiqbk.exe 2364 Cngcjo32.exe 3036 Cpeofk32.exe 2432 Cdakgibq.exe 2412 Cgpgce32.exe 1456 Cfbhnaho.exe 320 Cnippoha.exe 2748 Cllpkl32.exe 2764 Ccfhhffh.exe 2460 Cgbdhd32.exe 1264 Cfeddafl.exe 1792 Chcqpmep.exe 2400 Cpjiajeb.exe 1016 Comimg32.exe 2192 Cciemedf.exe 2664 Cfgaiaci.exe 1028 Cjbmjplb.exe -
Loads dropped DLL 64 IoCs
pid Process 2240 dff1c2449e1bb57a77d8971046c02860_NEIKI.exe 2240 dff1c2449e1bb57a77d8971046c02860_NEIKI.exe 3040 Qbbfopeg.exe 3040 Qbbfopeg.exe 2648 Qljkhe32.exe 2648 Qljkhe32.exe 2480 Qnigda32.exe 2480 Qnigda32.exe 2896 Qmlgonbe.exe 2896 Qmlgonbe.exe 2360 Qecoqk32.exe 2360 Qecoqk32.exe 2872 Ahakmf32.exe 2872 Ahakmf32.exe 1252 Ajphib32.exe 1252 Ajphib32.exe 2600 Amndem32.exe 2600 Amndem32.exe 2244 Aplpai32.exe 2244 Aplpai32.exe 2252 Ahchbf32.exe 2252 Ahchbf32.exe 344 Affhncfc.exe 344 Affhncfc.exe 332 Aiedjneg.exe 332 Aiedjneg.exe 2024 Aalmklfi.exe 2024 Aalmklfi.exe 2088 Adjigg32.exe 2088 Adjigg32.exe 1848 Afiecb32.exe 1848 Afiecb32.exe 336 Aigaon32.exe 336 Aigaon32.exe 856 Alenki32.exe 856 Alenki32.exe 1480 Apajlhka.exe 1480 Apajlhka.exe 2780 Admemg32.exe 2780 Admemg32.exe 860 Afkbib32.exe 860 Afkbib32.exe 972 Aenbdoii.exe 972 Aenbdoii.exe 1692 Aiinen32.exe 1692 Aiinen32.exe 628 Alhjai32.exe 628 Alhjai32.exe 1880 Apcfahio.exe 1880 Apcfahio.exe 1656 Abbbnchb.exe 1656 Abbbnchb.exe 1856 Afmonbqk.exe 1856 Afmonbqk.exe 2492 Ailkjmpo.exe 2492 Ailkjmpo.exe 2500 Bpfcgg32.exe 2500 Bpfcgg32.exe 2488 Boiccdnf.exe 2488 Boiccdnf.exe 384 Bhahlj32.exe 384 Bhahlj32.exe 2604 Blmdlhmp.exe 2604 Blmdlhmp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Afmonbqk.exe Abbbnchb.exe File created C:\Windows\SysWOW64\Dgodbh32.exe Dhmcfkme.exe File created C:\Windows\SysWOW64\Hjlanqkq.dll Cnippoha.exe File created C:\Windows\SysWOW64\Liqebf32.dll Hlfdkoin.exe File created C:\Windows\SysWOW64\Ljmlbfhi.exe Lbfdaigg.exe File opened for modification C:\Windows\SysWOW64\Admemg32.exe Apajlhka.exe File created C:\Windows\SysWOW64\Dbpodagk.exe Cndbcc32.exe File created C:\Windows\SysWOW64\Biddmpnf.dll Heglio32.exe File created C:\Windows\SysWOW64\Lmgocb32.exe Lndohedg.exe File created C:\Windows\SysWOW64\Ajpjcomh.dll Bmhideol.exe File opened for modification C:\Windows\SysWOW64\Gfefiemq.exe Gbijhg32.exe File created C:\Windows\SysWOW64\Jondlhmp.dll Gacpdbej.exe File created C:\Windows\SysWOW64\Eeoliecf.dll Jcgogk32.exe File opened for modification C:\Windows\SysWOW64\Qodlkm32.exe Qkhpkoen.exe File created C:\Windows\SysWOW64\Pihgic32.exe Pdlkiepd.exe File created C:\Windows\SysWOW64\Addnil32.dll Gegfdb32.exe File opened for modification C:\Windows\SysWOW64\Jqdipqbp.exe Jmhmpb32.exe File created C:\Windows\SysWOW64\Dglhipbb.dll Kaceodek.exe File created C:\Windows\SysWOW64\Kolpjf32.dll Pkndaa32.exe File created C:\Windows\SysWOW64\Fjmaaddo.exe Fikejl32.exe File created C:\Windows\SysWOW64\Mfbnag32.dll Hedocp32.exe File created C:\Windows\SysWOW64\Jbodgd32.dll Biafnecn.exe File created C:\Windows\SysWOW64\Amndem32.exe Ajphib32.exe File created C:\Windows\SysWOW64\Dgdmmgpj.exe Ddeaalpg.exe File opened for modification C:\Windows\SysWOW64\Fejgko32.exe Fmcoja32.exe File created C:\Windows\SysWOW64\Blnhfb32.dll Gbnccfpb.exe File opened for modification C:\Windows\SysWOW64\Mkeimlfm.exe Mgimmm32.exe File created C:\Windows\SysWOW64\Dqlafm32.exe Dnneja32.exe File created C:\Windows\SysWOW64\Ohbepi32.dll Facdeo32.exe File opened for modification C:\Windows\SysWOW64\Hdhbam32.exe Hlakpp32.exe File created C:\Windows\SysWOW64\Hjjddchg.exe Henidd32.exe File opened for modification C:\Windows\SysWOW64\Kfgdhjmk.exe Kcihlong.exe File created C:\Windows\SysWOW64\Onjgiiad.exe Oklkmnbp.exe File created C:\Windows\SysWOW64\Gjejlhlg.dll Fpcqaf32.exe File created C:\Windows\SysWOW64\Pmdoik32.dll Ecmkghcl.exe File opened for modification C:\Windows\SysWOW64\Ncgdbmmp.exe Mhbped32.exe File created C:\Windows\SysWOW64\Pqhpdhcc.exe Pnjdhmdo.exe File created C:\Windows\SysWOW64\Afohaa32.exe Ahlgfdeq.exe File opened for modification C:\Windows\SysWOW64\Kgcpjmcb.exe Keednado.exe File opened for modification C:\Windows\SysWOW64\Nljddpfe.exe Nilhhdga.exe File created C:\Windows\SysWOW64\Gejcjbah.exe Gopkmhjk.exe File created C:\Windows\SysWOW64\Pfoocjfd.exe Onhgbmfb.exe File created C:\Windows\SysWOW64\Bkommo32.exe Bfcampgf.exe File created C:\Windows\SysWOW64\Gcghbk32.dll Qjjgclai.exe File created C:\Windows\SysWOW64\Ajpjakhc.exe Aganeoip.exe File created C:\Windows\SysWOW64\Alihbgdo.dll Bgknheej.exe File created C:\Windows\SysWOW64\Nhaikn32.exe Ndemjoae.exe File created C:\Windows\SysWOW64\Pjbjhgde.exe Pfgngh32.exe File created C:\Windows\SysWOW64\Fdlpjk32.dll Cmgechbh.exe File created C:\Windows\SysWOW64\Ddagfm32.exe Dbbkja32.exe File created C:\Windows\SysWOW64\Jmocpado.exe Jehkodcm.exe File created C:\Windows\SysWOW64\Mkeimlfm.exe Mgimmm32.exe File opened for modification C:\Windows\SysWOW64\Qmicohqm.exe Qjjgclai.exe File opened for modification C:\Windows\SysWOW64\Gakcimgf.exe Gnmgmbhb.exe File created C:\Windows\SysWOW64\Nmfmhhoj.dll Idnaoohk.exe File created C:\Windows\SysWOW64\Mlcpdacl.dll Bdkgocpm.exe File created C:\Windows\SysWOW64\Gkkgcp32.dll Bhhnli32.exe File opened for modification C:\Windows\SysWOW64\Djnpnc32.exe Dgodbh32.exe File opened for modification C:\Windows\SysWOW64\Iknnbklc.exe Idceea32.exe File created C:\Windows\SysWOW64\Jjnbaf32.dll Kmjojo32.exe File created C:\Windows\SysWOW64\Neplhf32.exe Nadpgggp.exe File created C:\Windows\SysWOW64\Ebjnie32.dll Ajgpbj32.exe File created C:\Windows\SysWOW64\Bpjiammk.dll Afkbib32.exe File created C:\Windows\SysWOW64\Khcmap32.dll Lliflp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8836 8812 WerFault.exe 868 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohaeia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chhjkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blopagpd.dll" Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqlhdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkmhaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdooajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdakgibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcpofbjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdepo32.dll" Gdjpeifj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbbngf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kklpekno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocdmaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmccf32.dll" Idmhkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmocpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdelhp.dll" Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kilfcpqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdopkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heldepab.dll" Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll" Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fepiimfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdnjb32.dll" Gifhnpea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkcdafqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eihfjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilgioe.dll" Lcagpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oagmmgdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikbgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjpdigc.dll" Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilcmjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhffckeo.dll" Mdcpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkahecm.dll" Pbnoliap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll" Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idgjaf32.dll" Gjfdhbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajgpbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Leljop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeegb32.dll" Mhdplq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llnofpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aekodi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmdmcanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmagdbci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Affhncfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfgdhjmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkoplhip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipikqbi.dll" Joaeeklp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acmhepko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmaqpohl.dll" Ganpomec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilcbjpbn.dll" Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipgbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hiekid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olliabba.dll" Liplnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qijdocfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll" Gpknlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcegmm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2240 wrote to memory of 3040 2240 dff1c2449e1bb57a77d8971046c02860_NEIKI.exe 28 PID 2240 wrote to memory of 3040 2240 dff1c2449e1bb57a77d8971046c02860_NEIKI.exe 28 PID 2240 wrote to memory of 3040 2240 dff1c2449e1bb57a77d8971046c02860_NEIKI.exe 28 PID 2240 wrote to memory of 3040 2240 dff1c2449e1bb57a77d8971046c02860_NEIKI.exe 28 PID 3040 wrote to memory of 2648 3040 Qbbfopeg.exe 29 PID 3040 wrote to memory of 2648 3040 Qbbfopeg.exe 29 PID 3040 wrote to memory of 2648 3040 Qbbfopeg.exe 29 PID 3040 wrote to memory of 2648 3040 Qbbfopeg.exe 29 PID 2648 wrote to memory of 2480 2648 Qljkhe32.exe 30 PID 2648 wrote to memory of 2480 2648 Qljkhe32.exe 30 PID 2648 wrote to memory of 2480 2648 Qljkhe32.exe 30 PID 2648 wrote to memory of 2480 2648 Qljkhe32.exe 30 PID 2480 wrote to memory of 2896 2480 Qnigda32.exe 31 PID 2480 wrote to memory of 2896 2480 Qnigda32.exe 31 PID 2480 wrote to memory of 2896 2480 Qnigda32.exe 31 PID 2480 wrote to memory of 2896 2480 Qnigda32.exe 31 PID 2896 wrote to memory of 2360 2896 Qmlgonbe.exe 32 PID 2896 wrote to memory of 2360 2896 Qmlgonbe.exe 32 PID 2896 wrote to memory of 2360 2896 Qmlgonbe.exe 32 PID 2896 wrote to memory of 2360 2896 Qmlgonbe.exe 32 PID 2360 wrote to memory of 2872 2360 Qecoqk32.exe 33 PID 2360 wrote to memory of 2872 2360 Qecoqk32.exe 33 PID 2360 wrote to memory of 2872 2360 Qecoqk32.exe 33 PID 2360 wrote to memory of 2872 2360 Qecoqk32.exe 33 PID 2872 wrote to memory of 1252 2872 Ahakmf32.exe 34 PID 2872 wrote to memory of 1252 2872 Ahakmf32.exe 34 PID 2872 wrote to memory of 1252 2872 Ahakmf32.exe 34 PID 2872 wrote to memory of 1252 2872 Ahakmf32.exe 34 PID 1252 wrote to memory of 2600 1252 Ajphib32.exe 35 PID 1252 wrote to memory of 2600 1252 Ajphib32.exe 35 PID 1252 wrote to memory of 2600 1252 Ajphib32.exe 35 PID 1252 wrote to memory of 2600 1252 Ajphib32.exe 35 PID 2600 wrote to memory of 2244 2600 Amndem32.exe 36 PID 2600 wrote to memory of 2244 2600 Amndem32.exe 36 PID 2600 wrote to memory of 2244 2600 Amndem32.exe 36 PID 2600 wrote to memory of 2244 2600 Amndem32.exe 36 PID 2244 wrote to memory of 2252 2244 Aplpai32.exe 37 PID 2244 wrote to memory of 2252 2244 Aplpai32.exe 37 PID 2244 wrote to memory of 2252 2244 Aplpai32.exe 37 PID 2244 wrote to memory of 2252 2244 Aplpai32.exe 37 PID 2252 wrote to memory of 344 2252 Ahchbf32.exe 38 PID 2252 wrote to memory of 344 2252 Ahchbf32.exe 38 PID 2252 wrote to memory of 344 2252 Ahchbf32.exe 38 PID 2252 wrote to memory of 344 2252 Ahchbf32.exe 38 PID 344 wrote to memory of 332 344 Affhncfc.exe 39 PID 344 wrote to memory of 332 344 Affhncfc.exe 39 PID 344 wrote to memory of 332 344 Affhncfc.exe 39 PID 344 wrote to memory of 332 344 Affhncfc.exe 39 PID 332 wrote to memory of 2024 332 Aiedjneg.exe 40 PID 332 wrote to memory of 2024 332 Aiedjneg.exe 40 PID 332 wrote to memory of 2024 332 Aiedjneg.exe 40 PID 332 wrote to memory of 2024 332 Aiedjneg.exe 40 PID 2024 wrote to memory of 2088 2024 Aalmklfi.exe 41 PID 2024 wrote to memory of 2088 2024 Aalmklfi.exe 41 PID 2024 wrote to memory of 2088 2024 Aalmklfi.exe 41 PID 2024 wrote to memory of 2088 2024 Aalmklfi.exe 41 PID 2088 wrote to memory of 1848 2088 Adjigg32.exe 42 PID 2088 wrote to memory of 1848 2088 Adjigg32.exe 42 PID 2088 wrote to memory of 1848 2088 Adjigg32.exe 42 PID 2088 wrote to memory of 1848 2088 Adjigg32.exe 42 PID 1848 wrote to memory of 336 1848 Afiecb32.exe 43 PID 1848 wrote to memory of 336 1848 Afiecb32.exe 43 PID 1848 wrote to memory of 336 1848 Afiecb32.exe 43 PID 1848 wrote to memory of 336 1848 Afiecb32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\dff1c2449e1bb57a77d8971046c02860_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\dff1c2449e1bb57a77d8971046c02860_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:336 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:856 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:628 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:384 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe33⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe34⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe35⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe36⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe37⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe38⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe39⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe40⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe44⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe45⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe47⤵
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe48⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe50⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe51⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe53⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe54⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe56⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe57⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe58⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe59⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe60⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe61⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe62⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe63⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe64⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe65⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe66⤵PID:1564
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe67⤵PID:2696
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe68⤵PID:2496
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe69⤵PID:2124
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1800 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe71⤵
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe72⤵PID:1240
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe73⤵
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe74⤵PID:1916
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe75⤵PID:2040
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe76⤵PID:1956
-
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe77⤵PID:804
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe78⤵PID:2532
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe79⤵
- Drops file in System32 directory
PID:1196 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1060 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe81⤵
- Drops file in System32 directory
PID:948 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe82⤵
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe83⤵PID:1572
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe84⤵PID:2520
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe85⤵PID:2368
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe86⤵PID:2660
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe87⤵PID:2168
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe88⤵PID:1796
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe89⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe90⤵PID:2388
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe91⤵
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe92⤵PID:668
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe93⤵PID:2196
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe94⤵PID:1588
-
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:240 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe96⤵PID:1492
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe97⤵PID:2968
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe98⤵PID:2704
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe99⤵PID:1968
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe100⤵PID:2308
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe101⤵
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe102⤵PID:2616
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1432 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe104⤵PID:2544
-
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2864 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe106⤵PID:1648
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe107⤵PID:1536
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe108⤵PID:2128
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe109⤵PID:2860
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe111⤵PID:1248
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe112⤵PID:2248
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1920 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe114⤵PID:1612
-
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe115⤵PID:2596
-
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe116⤵PID:2396
-
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe117⤵PID:3004
-
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe118⤵PID:1008
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe119⤵PID:1696
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe120⤵PID:1440
-
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe121⤵PID:2804
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe122⤵PID:1752
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-