Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 03:40
Behavioral task behavioral1
Sample: e246a89db78ff29e0188ed1624561060_NEIKI.exe
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: e246a89db78ff29e0188ed1624561060_NEIKI.exe
Resource: win10v2004-20240426-en
General
Target: e246a89db78ff29e0188ed1624561060_NEIKI.exe
Size: 391KB
MD5: e246a89db78ff29e0188ed1624561060
SHA1: c392ce8d73000351004d3bc89a72896b746eabff
SHA256: 25ccf1d2c3b7fce3f7467df49b3b5572cf816682dd025cb5842a005de23f9eb0
SHA512: a1d5f665aeaea7bb93d1bc19e1f653b6daa49f3ac29ab96c648fa5c45c4619ef0e5f61488983c21d156ed3f485c14aeba2c3f52b6a0de0d5d09f1247e882f26f
SSDEEP: 12288:2BgT9XvEhdfJkKSkU3kHyuaRB5t6k0IJogZ+SZE:2S9XvEhdfJkKSkU3kHyuaRB5t6k0IJon
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 rows touch one key. ShellServiceObjectDelayLoad (SSODL) holds CLSIDs that explorer.exe instantiates when the shell starts, so the value written here is the persistence hook; the DLL it resolves to is whatever that CLSID's InProcServer32 entry points at (see "Modifies registry class" below). The sample runs as a 32-bit process, which is why its writes land in the WOW64-redirected Wow6432Node view.
Key: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" (32 rows), by:
Fikejl32.exe, Kdpcikdi.exe, Lohccp32.exe, Dhpiojfb.exe, Pmagdbci.exe, Hmomml32.exe, Pmanoifd.exe, Bioqclil.exe, Ecnmpa32.exe, Nlhjhi32.exe, Qpgpkcpp.exe, Ddhpod32.exe, Eknkpbdf.exe, Jpgjgboe.exe, Geeemeif.exe, Ikefkcmo.exe, Hbnbkbja.exe, Cmmagpef.exe, Pciddedl.exe, Baohhgnf.exe, Degiggjm.exe, Nhdhif32.exe, Geoonjeg.exe, Onbgmg32.exe, Qodlkm32.exe, and 7 rows attributed to "Process not Found"
Key created (32 rows), by:
Lanaiahq.exe, Niikceid.exe, Ihpdoh32.exe, Kmefooki.exe, Ocllehcj.exe, Kfnmpn32.exe, Aihfap32.exe, Amfcikek.exe, Behnnm32.exe, Lgqkbb32.exe, Hipkdnmf.exe, Hlngpjlj.exe, Fnipkkdl.exe, Iipiljgf.exe, Nlnpgd32.exe, Hgmalg32.exe, Qeaedd32.exe, Ibckfa32.exe, Kkjcplpa.exe, Opifnm32.exe, Aajbne32.exe, Hdoghdmd.exe, Folfoj32.exe, Abegfa32.exe, and 8 rows attributed to "Process not Found"
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Rule family_berbew matched on all 64 resources listed below.
Dropped files (behavioral1/files/<id>.dat), 56 matches:
0x000f00000001227e-5, 0x0008000000016d34-18, 0x0007000000016d4e-39, 0x0008000000016d69-47, 0x00070000000186f1-60, 0x0005000000018739-74, 0x0005000000018787-88, 0x0036000000016cc3-103,
0x0005000000019228-123, 0x000500000001925d-131, 0x0005000000019275-145, 0x0005000000019283-159, 0x0005000000019381-173, 0x00050000000193a5-187, 0x0005000000019433-200, 0x0005000000019457-217,
0x0005000000019491-230, 0x00050000000194b8-240, 0x00050000000194ef-250, 0x0005000000019507-260, 0x000500000001957d-269, 0x00050000000195e3-279, 0x000500000001961c-290, 0x000500000001961f-302,
0x0005000000019622-310, 0x0005000000019626-323, 0x0005000000019638-332, 0x00050000000196bd-345, 0x00050000000199b8-354, 0x0005000000019c54-365, 0x0005000000019c71-376, 0x0005000000019d60-387,
0x0005000000019dd5-398, 0x0005000000019fd8-409, 0x000500000001a09c-420, 0x000500000001a320-431, 0x000500000001a43c-442, 0x000500000001a440-454, 0x000500000001a44b-464, 0x000500000001a4a9-475,
0x000500000001a4b1-486, 0x000500000001a4c7-497, 0x000500000001a4cf-508, 0x000500000001a4d3-519, 0x000500000001a4d7-530, 0x000500000001a4db-541, 0x000500000001a4df-553, 0x000500000001a4e3-564,
0x000500000001a4e7-574, 0x000500000001a4eb-584, 0x000500000001a4ef-595, 0x000500000001a4f3-608, 0x000500000001a4f8-618, 0x000500000001a4fc-633, 0x000500000001a500-645, 0x000500000001a505-657
Process memory (behavioral1/memory/<pid>-<n>-<start>-<end>-memory.dmp), 8 matches; every matched region is 0x34000 bytes long:
2364-233-0x0000000000440000-0x0000000000474000, 2156-303-0x00000000002D0000-0x0000000000304000, 2028-314-0x00000000002E0000-0x0000000000314000, 2628-374-0x0000000001F80000-0x0000000001FB4000,
3048-393-0x0000000000250000-0x0000000000284000, 2868-435-0x0000000000350000-0x0000000000384000, 2008-453-0x0000000000310000-0x0000000000344000, 352-479-0x0000000000290000-0x00000000002C4000
Executes dropped EXE (64 IoCs)
pid Process, in execution order (each stage drops and starts the next; read left to right, then down):
2236 Gangic32.exe | 3060 Gdopkn32.exe | 2792 Gkkemh32.exe
2636 Hiqbndpb.exe | 2684 Hkpnhgge.exe | 2560 Hggomh32.exe
2720 Hhjhkq32.exe | 2556 Icbimi32.exe | 1036 Ihoafpmp.exe
1324 Iqmcpahh.exe | 1868 Icmlam32.exe | 484 Idmhkpml.exe
2280 Ifnechbj.exe | 1780 Jcdbbloa.exe | 576 Jokcgmee.exe
2364 Jehkodcm.exe | 2136 Jifdebic.exe | 1148 Kneicieh.exe
2328 Kaceodek.exe | 1664 Kmjfdejp.exe | 1384 Kcdnao32.exe
1936 Kmmcjehm.exe | 2156 Kpkofpgq.exe | 2028 Kaklpcoc.exe
2468 Kblhgk32.exe | 908 Lckdanld.exe | 2192 Lfjqnjkh.exe
1712 Lbqabkql.exe | 2628 Lijjoe32.exe | 2816 Lbcnhjnj.exe
3048 Lhpfqama.exe | 2540 Lecgje32.exe | 2536 Ldfgebbe.exe
2976 Lefdpe32.exe | 2868 Mhdplq32.exe | 2160 Mmahdggc.exe
2008 Mhgmapfi.exe | 2404 Mijfnh32.exe | 352 Mdpjlajk.exe
1168 Mgqcmlgl.exe | 1000 Mhbped32.exe | 1508 Mpigfa32.exe
2316 Ncgdbmmp.exe | 3036 Nhdlkdkg.exe | 2068 Nondgn32.exe
1096 Namqci32.exe | 996 Nlbeqb32.exe | 964 Nncahjgl.exe
2604 Nglfapnl.exe | 1164 Naajoinb.exe | 2148 Ndpfkdmf.exe
2208 Nkiogn32.exe | 1568 Nacgdhlp.exe | 2852 Ngpolo32.exe
2904 Onjgiiad.exe | 2780 Oddpfc32.exe | 2692 Ofelmloo.exe
2584 Oqkqkdne.exe | 2200 Ogeigofa.exe | 1980 Ofhick32.exe
1984 Ohfeog32.exe | 1372 Oopnlacm.exe | 2748 Ofjfhk32.exe
336 Oobjaqaj.exe
Loads dropped DLL (64 IoCs)
pid Process; each of the 32 processes below appears twice in the source table (two dropped-DLL loads per process):
2116 e246a89db78ff29e0188ed1624561060_NEIKI.exe | 2236 Gangic32.exe | 3060 Gdopkn32.exe
2792 Gkkemh32.exe | 2636 Hiqbndpb.exe | 2684 Hkpnhgge.exe
2560 Hggomh32.exe | 2720 Hhjhkq32.exe | 2556 Icbimi32.exe
1036 Ihoafpmp.exe | 1324 Iqmcpahh.exe | 1868 Icmlam32.exe
484 Idmhkpml.exe | 2280 Ifnechbj.exe | 1780 Jcdbbloa.exe
576 Jokcgmee.exe | 2364 Jehkodcm.exe | 2136 Jifdebic.exe
1148 Kneicieh.exe | 2328 Kaceodek.exe | 1664 Kmjfdejp.exe
1384 Kcdnao32.exe | 1936 Kmmcjehm.exe | 2156 Kpkofpgq.exe
2028 Kaklpcoc.exe | 2468 Kblhgk32.exe | 908 Lckdanld.exe
2192 Lfjqnjkh.exe | 1712 Lbqabkql.exe | 2628 Lijjoe32.exe
2816 Lbcnhjnj.exe | 3048 Lhpfqama.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Onffhdlh.dll | Pdakniag.exe
File opened for modification | C:\Windows\SysWOW64\Anneqafn.exe | Amohfo32.exe
File created | C:\Windows\SysWOW64\Lhnffb32.dll | Pedleg32.exe
File created | C:\Windows\SysWOW64\Pnajilng.exe | Pclfkc32.exe
File created | C:\Windows\SysWOW64\Cogbjdmj.dll | Ihjnom32.exe
File created | C:\Windows\SysWOW64\Agfgqo32.exe | Ackkppma.exe
File created | C:\Windows\SysWOW64\Ilcoce32.exe | Ihhcbf32.exe
File opened for modification | C:\Windows\SysWOW64\Oopfakpa.exe | Ohendqhd.exe
File created | C:\Windows\SysWOW64\Mfglep32.exe | Mkaghg32.exe
File created | C:\Windows\SysWOW64\Jojkco32.exe | Jpgjgboe.exe
File opened for modification | C:\Windows\SysWOW64\Deenjpcd.exe | Process not Found
File created | C:\Windows\SysWOW64\Jhenjmbb.exe | Process not Found
File created | C:\Windows\SysWOW64\Qpgpkcpp.exe | Qlkdkd32.exe
File opened for modification | C:\Windows\SysWOW64\Gfhladfn.exe | Gdjpeifj.exe
File opened for modification | C:\Windows\SysWOW64\Cmhglq32.exe | Cgkocj32.exe
File created | C:\Windows\SysWOW64\Fjkgob32.dll | Dmjqpdje.exe
File created | C:\Windows\SysWOW64\Fnpeed32.dll | Process not Found
File created | C:\Windows\SysWOW64\Camljoch.dll | Ookpodkj.exe
File created | C:\Windows\SysWOW64\Jibnop32.exe | Process not Found
File created | C:\Windows\SysWOW64\Hklhae32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Mabgcd32.exe | Modkfi32.exe
File opened for modification | C:\Windows\SysWOW64\Pmagdbci.exe | Pjbjhgde.exe
File opened for modification | C:\Windows\SysWOW64\Hnjplo32.exe | Hhpgpebh.exe
File created | C:\Windows\SysWOW64\Aqmamm32.exe | Anneqafn.exe
File opened for modification | C:\Windows\SysWOW64\Lhknaf32.exe | Lbafdlod.exe
File created | C:\Windows\SysWOW64\Mnpkephg.dll | Process not Found
File created | C:\Windows\SysWOW64\Lqelfddi.dll | Dhpiojfb.exe
File opened for modification | C:\Windows\SysWOW64\Ancefgfd.exe | Akeijlfq.exe
File created | C:\Windows\SysWOW64\Ifhckf32.dll | Mjcaimgg.exe
File opened for modification | C:\Windows\SysWOW64\Einjdb32.exe | Process not Found
File created | C:\Windows\SysWOW64\Eojlbb32.exe | Process not Found
File created | C:\Windows\SysWOW64\Dhjojo32.dll | Agbpnh32.exe
File created | C:\Windows\SysWOW64\Nemacb32.dll | Aemkjiem.exe
File opened for modification | C:\Windows\SysWOW64\Mnifja32.exe | Mhonngce.exe
File opened for modification | C:\Windows\SysWOW64\Alageg32.exe | Process not Found
File created | C:\Windows\SysWOW64\Cjakccop.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Lbcnhjnj.exe | Lijjoe32.exe
File opened for modification | C:\Windows\SysWOW64\Eqdajkkb.exe | Ejkima32.exe
File created | C:\Windows\SysWOW64\Kglbad32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Hqgddm32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Jehkodcm.exe | Jokcgmee.exe
File created | C:\Windows\SysWOW64\Mpdqdkie.exe | Mikhgqbi.exe
File created | C:\Windows\SysWOW64\Abkhkgbb.exe | Aibcba32.exe
File created | C:\Windows\SysWOW64\Nmmnnh32.dll | Jeafjiop.exe
File created | C:\Windows\SysWOW64\Dfefmpeo.dll | Process not Found
File created | C:\Windows\SysWOW64\Hqiqjlga.exe | Process not Found
File created | C:\Windows\SysWOW64\Pqfjpj32.dll | Abbeflpf.exe
File opened for modification | C:\Windows\SysWOW64\Efcomkcl.exe | Ebgclm32.exe
File opened for modification | C:\Windows\SysWOW64\Aihfap32.exe | Afjjed32.exe
File created | C:\Windows\SysWOW64\Daacecfc.exe | Dobgihgp.exe
File created | C:\Windows\SysWOW64\Kmimme32.dll | Gceailog.exe
File opened for modification | C:\Windows\SysWOW64\Gmgninie.exe | Gdniqh32.exe
File opened for modification | C:\Windows\SysWOW64\Aajbne32.exe | Anlfbi32.exe
File created | C:\Windows\SysWOW64\Mlcpdacl.dll | Behgcf32.exe
File created | C:\Windows\SysWOW64\Fbgpkpnn.exe | Fmjgcipg.exe
File created | C:\Windows\SysWOW64\Iacoff32.dll | Process not Found
File created | C:\Windows\SysWOW64\Gbcfadgl.exe | Gmgninie.exe
File created | C:\Windows\SysWOW64\Nookinfk.dll | Ioaifhid.exe
File created | C:\Windows\SysWOW64\Clbnhmjo.exe | Cehfkb32.exe
File created | C:\Windows\SysWOW64\Dllnnkld.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ljigih32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Kjoifb32.exe | Kdbpnk32.exe
File created | C:\Windows\SysWOW64\Ihoafpmp.exe | Icbimi32.exe
File created | C:\Windows\SysWOW64\Ippdhfji.dll | Aidnohbk.exe
Program crash (1 IoC)
pid 6660, pid_target 7000, Process "Process not Found", procid_target 1485
Modifies registry class (64 IoCs)
All 64 rows touch the InProcServer32 subkey of the CLSID named in the SSODL value above, i.e. the COM server registration that tells explorer.exe which DLL to load for that object. The (Default) value (shown as a trailing backslash in the source) is repeatedly re-pointed at a different freshly dropped SysWow64 DLL, so the CLSID and the SSODL value name are the stable indicators here, not the DLL file name.
Key: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32
Key created (27 rows), by:
Gcbabpcf.exe, Oopfakpa.exe, Jhjphfgi.exe, Bammlq32.exe, Cddjebgb.exe, Ddomif32.exe, Ikpmpc32.exe, Gpkpedmh.exe, Mlpneh32.exe, Jkebjf32.exe, Ooicid32.exe, Bbbgod32.exe, Gkkemh32.exe, Cpceidcn.exe, Lnpgeopa.exe, Lfpeeqig.exe, Pcaepg32.exe, Ajmfad32.exe, Ppcbgkka.exe, Bfncpcoc.exe, Fjlmpfhg.exe, Lopkjhko.exe, and 5 rows attributed to "Process not Found"
Set value (str) ThreadingModel = "Apartment" (17 rows), by:
Oopfakpa.exe, Ifffkncm.exe, Bhfcpb32.exe, Jckgicnp.exe, Jaoqqflp.exe, Fbpbpkpj.exe, Nkmdpm32.exe, Ejmebq32.exe, Lbqabkql.exe, Mmahdggc.exe, Bmclhi32.exe, Oidglb32.exe, and 5 rows attributed to "Process not Found"
Set value (str) (Default) = "C:\\Windows\\SysWow64\\<dll>" (20 rows), dll | Process:
Jbhihkig.dll | Okfgfl32.exe
Hqhepmkh.dll | Process not Found
Odiaql32.dll | Process not Found
Ombhbhel.dll | Mieeibkn.exe
Bibkki32.dll | Lbcnhjnj.exe
Cmhlga32.dll | Jjbbpmgo.exe
Fdebncjd.dll | Ichllgfb.exe
Ggmalk32.dll | Fokdfajl.exe
Konijaag.dll | Nallalep.exe
Aceobl32.dll | Pqhijbog.exe
Flhinpbh.dll | Aababceh.exe
Jbmnbl32.dll | Gkglnm32.exe
Macalohk.dll | Mkklljmg.exe
Hkjjmbgi.dll | Pcaepg32.exe
Mdkqhhpm.dll | Knnkpobc.exe
Iclnjd32.dll | Process not Found
Gheabp32.dll | Gebbnpfp.exe
Dolpccdl.dll | Hpmiig32.exe
Pkpkhm32.dll | Khabghdl.exe
Jihcbj32.dll | Epbpbnan.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\e246a89db78ff29e0188ed1624561060_NEIKI.exe (command line: "C:\Users\Admin\AppData\Local\Temp\e246a89db78ff29e0188ed1624561060_NEIKI.exe", PID 2116)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\SysWOW64\Gangic32.exe (command line: C:\Windows\system32\Gangic32.exe, PID 2236)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SysWOW64\Gdopkn32.exe (command line: C:\Windows\system32\Gdopkn32.exe, PID 3060)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\SysWOW64\Gkkemh32.exe (command line: C:\Windows\system32\Gkkemh32.exe, PID 2792)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\SysWOW64\Hiqbndpb.exe (command line: C:\Windows\system32\Hiqbndpb.exe, PID 2636)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\SysWOW64\Hkpnhgge.exe (command line: C:\Windows\system32\Hkpnhgge.exe, PID 2684)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\SysWOW64\Hggomh32.exe (command line: C:\Windows\system32\Hggomh32.exe, PID 2560)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\SysWOW64\Hhjhkq32.exe (command line: C:\Windows\system32\Hhjhkq32.exe, PID 2720)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\SysWOW64\Icbimi32.exe (command line: C:\Windows\system32\Icbimi32.exe, PID 2556)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
[depth 10] C:\Windows\SysWOW64\Ihoafpmp.exe (command line: C:\Windows\system32\Ihoafpmp.exe, PID 1036)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[depth 11] C:\Windows\SysWOW64\Iqmcpahh.exe (command line: C:\Windows\system32\Iqmcpahh.exe, PID 1324)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[depth 12] C:\Windows\SysWOW64\Icmlam32.exe (command line: C:\Windows\system32\Icmlam32.exe, PID 1868)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[depth 13] C:\Windows\SysWOW64\Idmhkpml.exe (command line: C:\Windows\system32\Idmhkpml.exe, PID 484)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[depth 14] C:\Windows\SysWOW64\Ifnechbj.exe (command line: C:\Windows\system32\Ifnechbj.exe, PID 2280)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[depth 15] C:\Windows\SysWOW64\Jcdbbloa.exe (command line: C:\Windows\system32\Jcdbbloa.exe, PID 1780)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[depth 16] C:\Windows\SysWOW64\Jokcgmee.exe (command line: C:\Windows\system32\Jokcgmee.exe, PID 576)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
[depth 17] C:\Windows\SysWOW64\Jehkodcm.exe (command line: C:\Windows\system32\Jehkodcm.exe, PID 2364)
  - Executes dropped EXE
  - Loads dropped DLL
[depth 18] C:\Windows\SysWOW64\Jifdebic.exe (command line: C:\Windows\system32\Jifdebic.exe, PID 2136)
  - Executes dropped EXE
  - Loads dropped DLL
[depth 19] C:\Windows\SysWOW64\Kneicieh.exe (command line: C:\Windows\system32\Kneicieh.exe, PID 1148)
  - Executes dropped EXE
  - Loads dropped DLL
[depth 20] C:\Windows\SysWOW64\Kaceodek.exe (command line: C:\Windows\system32\Kaceodek.exe, PID 2328)
  - Executes dropped EXE
  - Loads dropped DLL
[depth 21] C:\Windows\SysWOW64\Kmjfdejp.exe (command line: C:\Windows\system32\Kmjfdejp.exe, PID 1664)
  - Executes dropped EXE
  - Loads dropped DLL
[depth 22] C:\Windows\SysWOW64\Kcdnao32.exe (command line: C:\Windows\system32\Kcdnao32.exe, PID 1384)
  - Executes dropped EXE
  - Loads dropped DLL
[depth 23] C:\Windows\SysWOW64\Kmmcjehm.exe (command line: C:\Windows\system32\Kmmcjehm.exe, PID 1936)
  - Executes dropped EXE
  - Loads dropped DLL
[depth 24] C:\Windows\SysWOW64\Kpkofpgq.exe (command line: C:\Windows\system32\Kpkofpgq.exe, PID 2156)
  - Executes dropped EXE
  - Loads dropped DLL
[depth 25] C:\Windows\SysWOW64\Kaklpcoc.exe (command line: C:\Windows\system32\Kaklpcoc.exe, PID 2028)
  - Executes dropped EXE
  - Loads dropped DLL
[depth 26] C:\Windows\SysWOW64\Kblhgk32.exe (command line: C:\Windows\system32\Kblhgk32.exe, PID 2468)
  - Executes dropped EXE
  - Loads dropped DLL
[depth 27] C:\Windows\SysWOW64\Lckdanld.exe (command line: C:\Windows\system32\Lckdanld.exe, PID 908)
  - Executes dropped EXE
  - Loads dropped DLL
[depth 28] C:\Windows\SysWOW64\Lfjqnjkh.exe (command line: C:\Windows\system32\Lfjqnjkh.exe, PID 2192)
  - Executes dropped EXE
  - Loads dropped DLL
[depth 29] C:\Windows\SysWOW64\Lbqabkql.exe (command line: C:\Windows\system32\Lbqabkql.exe, PID 1712)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
[depth 30] C:\Windows\SysWOW64\Lijjoe32.exe (command line: C:\Windows\system32\Lijjoe32.exe, PID 2628)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
[depth 31] C:\Windows\SysWOW64\Lbcnhjnj.exe (command line: C:\Windows\system32\Lbcnhjnj.exe, PID 2816)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
[depth 32] C:\Windows\SysWOW64\Lhpfqama.exe (command line: C:\Windows\system32\Lhpfqama.exe, PID 3048)
  - Executes dropped EXE
  - Loads dropped DLL
[depth 33] C:\Windows\SysWOW64\Lecgje32.exe (command line: C:\Windows\system32\Lecgje32.exe, PID 2540)
  - Executes dropped EXE
[depth 34] C:\Windows\SysWOW64\Ldfgebbe.exe (command line: C:\Windows\system32\Ldfgebbe.exe, PID 2536)
  - Executes dropped EXE
[depth 35] C:\Windows\SysWOW64\Lefdpe32.exe (command line: C:\Windows\system32\Lefdpe32.exe, PID 2976)
  - Executes dropped EXE
[depth 36] C:\Windows\SysWOW64\Mhdplq32.exe (command line: C:\Windows\system32\Mhdplq32.exe, PID 2868)
  - Executes dropped EXE
[depth 37] C:\Windows\SysWOW64\Mmahdggc.exe (command line: C:\Windows\system32\Mmahdggc.exe, PID 2160)
  - Executes dropped EXE
  - Modifies registry class
[depth 38] C:\Windows\SysWOW64\Mhgmapfi.exe (command line: C:\Windows\system32\Mhgmapfi.exe, PID 2008)
  - Executes dropped EXE
[depth 39] C:\Windows\SysWOW64\Mijfnh32.exe (command line: C:\Windows\system32\Mijfnh32.exe, PID 2404)
  - Executes dropped EXE
[depth 40] C:\Windows\SysWOW64\Mdpjlajk.exe (command line: C:\Windows\system32\Mdpjlajk.exe, PID 352)
  - Executes dropped EXE
[depth 41] C:\Windows\SysWOW64\Mgqcmlgl.exe (command line: C:\Windows\system32\Mgqcmlgl.exe, PID 1168)
  - Executes dropped EXE
[depth 42] C:\Windows\SysWOW64\Mhbped32.exe (command line: C:\Windows\system32\Mhbped32.exe, PID 1000)
  - Executes dropped EXE
[depth 43] C:\Windows\SysWOW64\Mpigfa32.exe (command line: C:\Windows\system32\Mpigfa32.exe, PID 1508)
  - Executes dropped EXE
[depth 44] C:\Windows\SysWOW64\Ncgdbmmp.exe (command line: C:\Windows\system32\Ncgdbmmp.exe, PID 2316)
  - Executes dropped EXE
[depth 45] C:\Windows\SysWOW64\Nhdlkdkg.exe (command line: C:\Windows\system32\Nhdlkdkg.exe, PID 3036)
  - Executes dropped EXE
[depth 46] C:\Windows\SysWOW64\Nondgn32.exe (command line: C:\Windows\system32\Nondgn32.exe, PID 2068)
  - Executes dropped EXE
[depth 47] C:\Windows\SysWOW64\Namqci32.exe (command line: C:\Windows\system32\Namqci32.exe, PID 1096)
  - Executes dropped EXE
[depth 48] C:\Windows\SysWOW64\Nlbeqb32.exe (command line: C:\Windows\system32\Nlbeqb32.exe, PID 996)
  - Executes dropped EXE
[depth 49] C:\Windows\SysWOW64\Nncahjgl.exe (command line: C:\Windows\system32\Nncahjgl.exe, PID 964)
  - Executes dropped EXE
[depth 50] C:\Windows\SysWOW64\Nglfapnl.exe (command line: C:\Windows\system32\Nglfapnl.exe, PID 2604)
  - Executes dropped EXE
[depth 51] C:\Windows\SysWOW64\Naajoinb.exe (command line: C:\Windows\system32\Naajoinb.exe, PID 1164)
  - Executes dropped EXE
[depth 52] C:\Windows\SysWOW64\Ndpfkdmf.exe (command line: C:\Windows\system32\Ndpfkdmf.exe, PID 2148)
  - Executes dropped EXE
[depth 53] C:\Windows\SysWOW64\Nkiogn32.exe (command line: C:\Windows\system32\Nkiogn32.exe, PID 2208)
  - Executes dropped EXE
[depth 54] C:\Windows\SysWOW64\Nacgdhlp.exe (command line: C:\Windows\system32\Nacgdhlp.exe, PID 1568)
  - Executes dropped EXE
[depth 55] C:\Windows\SysWOW64\Ngpolo32.exe (command line: C:\Windows\system32\Ngpolo32.exe, PID 2852)
  - Executes dropped EXE
[depth 56] C:\Windows\SysWOW64\Onjgiiad.exe (command line: C:\Windows\system32\Onjgiiad.exe, PID 2904)
  - Executes dropped EXE
[depth 57] C:\Windows\SysWOW64\Oddpfc32.exe (command line: C:\Windows\system32\Oddpfc32.exe, PID 2780)
  - Executes dropped EXE
[depth 58] C:\Windows\SysWOW64\Ofelmloo.exe (command line: C:\Windows\system32\Ofelmloo.exe, PID 2692)
  - Executes dropped EXE
[depth 59] C:\Windows\SysWOW64\Oqkqkdne.exe (command line: C:\Windows\system32\Oqkqkdne.exe, PID 2584)
  - Executes dropped EXE
[depth 60] C:\Windows\SysWOW64\Ogeigofa.exe (command line: C:\Windows\system32\Ogeigofa.exe, PID 2200)
  - Executes dropped EXE
[depth 61] C:\Windows\SysWOW64\Ofhick32.exe (command line: C:\Windows\system32\Ofhick32.exe, PID 1980)
  - Executes dropped EXE
[depth 62] C:\Windows\SysWOW64\Ohfeog32.exe (command line: C:\Windows\system32\Ohfeog32.exe, PID 1984)
  - Executes dropped EXE
[depth 63] C:\Windows\SysWOW64\Oopnlacm.exe (command line: C:\Windows\system32\Oopnlacm.exe, PID 1372)
  - Executes dropped EXE
[depth 64] C:\Windows\SysWOW64\Ofjfhk32.exe (command line: C:\Windows\system32\Ofjfhk32.exe, PID 2748)
  - Executes dropped EXE
[depth 65] C:\Windows\SysWOW64\Oobjaqaj.exe (command line: C:\Windows\system32\Oobjaqaj.exe, PID 336)
  - Executes dropped EXE
[depth 66] C:\Windows\SysWOW64\Obafnlpn.exe (command line: C:\Windows\system32\Obafnlpn.exe, PID 1672)
[depth 67] C:\Windows\SysWOW64\Okikfagn.exe (command line: C:\Windows\system32\Okikfagn.exe, PID 2264)
[depth 68] C:\Windows\SysWOW64\Onhgbmfb.exe (command line: C:\Windows\system32\Onhgbmfb.exe, PID 2108)
[depth 69] C:\Windows\SysWOW64\Pimkpfeh.exe (command line: C:\Windows\system32\Pimkpfeh.exe, PID 1276)
[depth 70] C:\Windows\SysWOW64\Pogclp32.exe (command line: C:\Windows\system32\Pogclp32.exe, PID 720)
[depth 71] C:\Windows\SysWOW64\Pbfpik32.exe (command line: C:\Windows\system32\Pbfpik32.exe, PID 1004)
[depth 72] C:\Windows\SysWOW64\Pedleg32.exe (command line: C:\Windows\system32\Pedleg32.exe, PID 2044)
  - Drops file in System32 directory
[depth 73] C:\Windows\SysWOW64\Pjadmnic.exe (command line: C:\Windows\system32\Pjadmnic.exe, PID 2012)
[depth 74] C:\Windows\SysWOW64\Pbhmnkjf.exe (command line: C:\Windows\system32\Pbhmnkjf.exe, PID 2188)
[depth 75] C:\Windows\SysWOW64\Pkpagq32.exe (command line: C:\Windows\system32\Pkpagq32.exe, PID 2788)
[depth 76] C:\Windows\SysWOW64\Pnomcl32.exe (command line: C:\Windows\system32\Pnomcl32.exe, PID 2624)
[depth 77] C:\Windows\SysWOW64\Pmanoifd.exe (command line: C:\Windows\system32\Pmanoifd.exe, PID 2632)
  - Adds autorun key to be loaded by Explorer.exe on startup
[depth 78] C:\Windows\SysWOW64\Pclfkc32.exe (command line: C:\Windows\system32\Pclfkc32.exe, PID 2892)
  - Drops file in System32 directory
[depth 79] C:\Windows\SysWOW64\Pnajilng.exe (command line: C:\Windows\system32\Pnajilng.exe, PID 1460)
[depth 80] C:\Windows\SysWOW64\Pcnbablo.exe (command line: C:\Windows\system32\Pcnbablo.exe, PID 1032)
[depth 81] C:\Windows\SysWOW64\Qmfgjh32.exe (command line: C:\Windows\system32\Qmfgjh32.exe, PID 2504)
[depth 82] C:\Windows\SysWOW64\Qpecfc32.exe (command line: C:\Windows\system32\Qpecfc32.exe, PID 2432)
[depth 83] C:\Windows\SysWOW64\Qbcpbo32.exe (command line: C:\Windows\system32\Qbcpbo32.exe, PID 2312)
[depth 84] C:\Windows\SysWOW64\Qimhoi32.exe (command line: C:\Windows\system32\Qimhoi32.exe, PID 3068)
[depth 85] C:\Windows\SysWOW64\Qlkdkd32.exe (command line: C:\Windows\system32\Qlkdkd32.exe, PID 1272)
  - Drops file in System32 directory
[depth 86] C:\Windows\SysWOW64\Qpgpkcpp.exe (command line: C:\Windows\system32\Qpgpkcpp.exe, PID 2392)
  - Adds autorun key to be loaded by Explorer.exe on startup
[depth 87] C:\Windows\SysWOW64\Qedhdjnh.exe (command line: C:\Windows\system32\Qedhdjnh.exe, PID 2100)
[depth 88] C:\Windows\SysWOW64\Alnqqd32.exe (command line: C:\Windows\system32\Alnqqd32.exe, PID 2124)
[depth 89] C:\Windows\SysWOW64\Anlmmp32.exe (command line: C:\Windows\system32\Anlmmp32.exe, PID 1832)
[depth 90] C:\Windows\SysWOW64\Afcenm32.exe (command line: C:\Windows\system32\Afcenm32.exe, PID 2268)
[depth 91] C:\Windows\SysWOW64\Aefeijle.exe (command line: C:\Windows\system32\Aefeijle.exe, PID 2664)
[depth 92] C:\Windows\SysWOW64\Aplifb32.exe (command line: C:\Windows\system32\Aplifb32.exe, PID 2800)
[depth 93] C:\Windows\SysWOW64\Aehboi32.exe (command line: C:\Windows\system32\Aehboi32.exe, PID 2688)
[depth 94] C:\Windows\SysWOW64\Aidnohbk.exe (command line: C:\Windows\system32\Aidnohbk.exe, PID 2752)
  - Drops file in System32 directory
[depth 95] C:\Windows\SysWOW64\Aaobdjof.exe (command line: C:\Windows\system32\Aaobdjof.exe, PID 316)
[depth 96] C:\Windows\SysWOW64\Adnopfoj.exe (command line: C:\Windows\system32\Adnopfoj.exe, PID 1732)
[depth 97] C:\Windows\SysWOW64\Amfcikek.exe (command line: C:\Windows\system32\Amfcikek.exe, PID 1640)
  - Adds autorun key to be loaded by Explorer.exe on startup
[depth 98] C:\Windows\SysWOW64\Aemkjiem.exe (command line: C:\Windows\system32\Aemkjiem.exe, PID 1172)
  - Drops file in System32 directory
[depth 99] C:\Windows\SysWOW64\Ajjcbpdd.exe (command line: C:\Windows\system32\Ajjcbpdd.exe, PID 2240)
[depth 100] C:\Windows\SysWOW64\Amhpnkch.exe (command line: C:\Windows\system32\Amhpnkch.exe, PID 864)
[depth 101] C:\Windows\SysWOW64\Bfadgq32.exe (command line: C:\Windows\system32\Bfadgq32.exe, PID 3032)
[depth 102] C:\Windows\SysWOW64\Bioqclil.exe (command line: C:\Windows\system32\Bioqclil.exe, PID 1284)
  - Adds autorun key to be loaded by Explorer.exe on startup
[depth 103] C:\Windows\SysWOW64\Bfcampgf.exe (command line: C:\Windows\system32\Bfcampgf.exe, PID 1788)
[depth 104] C:\Windows\SysWOW64\Biamilfj.exe (command line: C:\Windows\system32\Biamilfj.exe, PID 1888)
[depth 105] C:\Windows\SysWOW64\Bdgafdfp.exe (command line: C:\Windows\system32\Bdgafdfp.exe, PID 2232)
[depth 106] C:\Windows\SysWOW64\Behnnm32.exe (command line: C:\Windows\system32\Behnnm32.exe, PID 1588)
  - Adds autorun key to be loaded by Explorer.exe on startup
[depth 107] C:\Windows\SysWOW64\Bmpfojmp.exe (command line: C:\Windows\system32\Bmpfojmp.exe, PID 1960)
[depth 108] C:\Windows\SysWOW64\Bghjhp32.exe (command line: C:\Windows\system32\Bghjhp32.exe, PID 2700)
[depth 109] C:\Windows\SysWOW64\Bhigphio.exe (command line: C:\Windows\system32\Bhigphio.exe, PID 2808)
[depth 110] C:\Windows\SysWOW64\Bocolb32.exe (command line: C:\Windows\system32\Bocolb32.exe, PID 2564)
[depth 111] C:\Windows\SysWOW64\Blgpef32.exe (command line: C:\Windows\system32\Blgpef32.exe, PID 2744)
[depth 112] C:\Windows\SysWOW64\Coelaaoi.exe (command line: C:\Windows\system32\Coelaaoi.exe, PID 1304)
[depth 113] C:\Windows\SysWOW64\Cadhnmnm.exe (command line: C:\Windows\system32\Cadhnmnm.exe, PID 2172)
[depth 114] C:\Windows\SysWOW64\Chnqkg32.exe (command line: C:\Windows\system32\Chnqkg32.exe, PID 868)
[depth 115] C:\Windows\SysWOW64\Cklmgb32.exe (command line: C:\Windows\system32\Cklmgb32.exe, PID 1668)
[depth 116] C:\Windows\SysWOW64\Cnkicn32.exe (command line: C:\Windows\system32\Cnkicn32.exe, PID 1744)
[depth 117] C:\Windows\SysWOW64\Ceaadk32.exe (command line: C:\Windows\system32\Ceaadk32.exe, PID 2368)
[depth 118] C:\Windows\SysWOW64\Ckoilb32.exe (command line: C:\Windows\system32\Ckoilb32.exe, PID 1268)
[depth 119] C:\Windows\SysWOW64\Cnmehnan.exe (command line: C:\Windows\system32\Cnmehnan.exe, PID 3064)
[depth 120] C:\Windows\SysWOW64\Chbjffad.exe (command line: C:\Windows\system32\Chbjffad.exe, PID 1952)
[depth 121] C:\Windows\SysWOW64\Cjdfmo32.exe (command line: C:\Windows\system32\Cjdfmo32.exe, PID 2112)
[depth 122] C:\Windows\SysWOW64\Caknol32.exe (command line: C:\Windows\system32\Caknol32.exe, PID 2660)