Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
09-05-2024 01:11
Behavioral task
behavioral1
Sample
b8b8fd42e45f7b073c056d7c9c128b90_NEIKI.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b8b8fd42e45f7b073c056d7c9c128b90_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
b8b8fd42e45f7b073c056d7c9c128b90_NEIKI.exe
-
Size
220KB
-
MD5
b8b8fd42e45f7b073c056d7c9c128b90
-
SHA1
280f3764778fcf2a845bd8159fb1fecb02fd78f2
-
SHA256
dc0cd7118ff0e622dc9d4019d76f040edc0c8a489d786ae2b0550cef84cadf10
-
SHA512
56344e1e88766b7302b331e74ed739f38011c007b47193a3f39115b8591a649d3073254c0be1593f39f277dbc3cb794bf43c0285e43debcd7646e73bdb6f98da
-
SSDEEP
3072:Wae7OubpGGErCbuZM4EQrjo7vgHJJPPIgpB:WacxGfTMfQrjoziJJHIU
Malware Config
Signatures
-
Executes dropped EXE 26 IoCs
pid Process 2172 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202.exe 5092 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202a.exe 1436 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202b.exe 3964 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202c.exe 3424 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202d.exe 3096 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202e.exe 2984 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202f.exe 3676 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202g.exe 1404 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202h.exe 4568 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202i.exe 2644 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202j.exe 2000 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202k.exe 4992 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202l.exe 2856 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202m.exe 100 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202n.exe 4536 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202o.exe 2040 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202p.exe 2516 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202q.exe 752 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202r.exe 4024 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202s.exe 1288 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202t.exe 3656 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202u.exe 868 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202v.exe 3132 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202w.exe 4676 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202x.exe 1412 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202y.exe -
resource yara_rule behavioral2/memory/3920-0-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x000a00000002328e-5.dat upx behavioral2/memory/3920-9-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x000800000002340c-18.dat upx behavioral2/memory/2172-19-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/5092-21-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x000800000002340f-29.dat upx behavioral2/memory/5092-31-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/1436-32-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/1436-41-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x0007000000023410-39.dat upx behavioral2/memory/3964-43-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x0007000000023411-52.dat upx behavioral2/memory/3964-51-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/3424-53-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x0007000000023412-62.dat upx behavioral2/memory/3424-61-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x0007000000023413-69.dat upx behavioral2/memory/3096-71-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x0007000000023414-79.dat upx behavioral2/memory/2984-81-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x0007000000023415-89.dat upx behavioral2/memory/1404-92-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x0007000000023416-99.dat upx behavioral2/memory/1404-108-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/4568-106-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/3676-91-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x0007000000023417-111.dat upx behavioral2/memory/4568-113-0x0000000000400000-0x000000000043A000-memory.dmp upx 
behavioral2/files/0x0007000000023418-120.dat upx behavioral2/memory/2644-121-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x0007000000023419-129.dat upx behavioral2/memory/4992-138-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/2000-132-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x000700000002341a-140.dat upx behavioral2/memory/4992-142-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/2856-152-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x000800000002340d-153.dat upx behavioral2/files/0x000700000002341b-160.dat upx behavioral2/memory/100-163-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/4536-169-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x000700000002341c-173.dat upx behavioral2/memory/4536-172-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/2040-180-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x000700000002341d-182.dat upx behavioral2/memory/2040-184-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/2516-194-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x000700000002341e-195.dat upx behavioral2/memory/752-203-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x000700000002341f-204.dat upx behavioral2/files/0x0007000000023420-214.dat upx behavioral2/memory/4024-213-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x0007000000023421-222.dat upx behavioral2/memory/1288-225-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/3656-234-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x0007000000023422-233.dat upx behavioral2/files/0x0007000000023423-242.dat upx behavioral2/memory/868-244-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x0007000000023424-253.dat upx 
behavioral2/memory/3132-254-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/4676-263-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x0007000000023425-264.dat upx behavioral2/memory/1412-268-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/1412-266-0x0000000000400000-0x000000000043A000-memory.dmp upx -
Adds Run key to start application 2 TTPs 26 IoCs — all 26 writes set the same value name (Run\Trickler); each process points it at the copy it launches next, so at any moment only the most recently written path is registered for autostart.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202d.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202f.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202j.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202i.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202k.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202j.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202y.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202x.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202w.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202v.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202b.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202a.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202i.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202h.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202s.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202r.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202v.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202u.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202x.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202w.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202e.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202l.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202k.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202q.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202p.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202h.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202g.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202g.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202n.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202m.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202o.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202n.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202t.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202s.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202a.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202m.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202l.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202p.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202o.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202c.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202b.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202u.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202t.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202r.exe\"" b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202q.exe -
Modifies registry class 54 IoCs — every process in the chain creates the same CLSID key {21FFB6C0-0DA1-11D5-A9D5-00500413153C} and writes the same uets value (61202c451e2f776b), a registry artifact shared across all 26 copies.
description ioc Process Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202e.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202e.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202w.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202y.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202r.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202k.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202n.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202d.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202l.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202u.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202w.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b 
b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202a.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202v.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202t.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_NEIKI.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_NEIKI.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202f.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202i.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202a.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202g.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202b.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b 
b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202i.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202y.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202d.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202f.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202h.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202s.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202t.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202c.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202l.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202r.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202v.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202x.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 
61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202x.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202b.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202k.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202m.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202n.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202p.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202o.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202s.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202j.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202o.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202c.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202g.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} 
b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202h.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202p.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202j.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202m.exe Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202q.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202q.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 61202c451e2f776b b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202u.exe -
Suspicious use of WriteProcessMemory 64 IoCs — each parent writes into the child it spawns (three entries per parent/child pair); this listing stops at 3202t.exe → PID 3656 (3202u.exe) while the dropped-EXE list above continues to 3202y.exe, so the section is presumably cut off at 64 entries rather than showing the full chain.
description pid Process procid_target PID 3920 wrote to memory of 2172 3920 b8b8fd42e45f7b073c056d7c9c128b90_NEIKI.exe 80 PID 3920 wrote to memory of 2172 3920 b8b8fd42e45f7b073c056d7c9c128b90_NEIKI.exe 80 PID 3920 wrote to memory of 2172 3920 b8b8fd42e45f7b073c056d7c9c128b90_NEIKI.exe 80 PID 2172 wrote to memory of 5092 2172 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202.exe 81 PID 2172 wrote to memory of 5092 2172 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202.exe 81 PID 2172 wrote to memory of 5092 2172 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202.exe 81 PID 5092 wrote to memory of 1436 5092 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202a.exe 82 PID 5092 wrote to memory of 1436 5092 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202a.exe 82 PID 5092 wrote to memory of 1436 5092 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202a.exe 82 PID 1436 wrote to memory of 3964 1436 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202b.exe 84 PID 1436 wrote to memory of 3964 1436 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202b.exe 84 PID 1436 wrote to memory of 3964 1436 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202b.exe 84 PID 3964 wrote to memory of 3424 3964 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202c.exe 86 PID 3964 wrote to memory of 3424 3964 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202c.exe 86 PID 3964 wrote to memory of 3424 3964 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202c.exe 86 PID 3424 wrote to memory of 3096 3424 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202d.exe 87 PID 3424 wrote to memory of 3096 3424 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202d.exe 87 PID 3424 wrote to memory of 3096 3424 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202d.exe 87 PID 3096 wrote to memory of 2984 3096 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202e.exe 88 PID 3096 wrote to memory of 2984 3096 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202e.exe 88 PID 3096 wrote to memory of 2984 3096 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202e.exe 88 PID 2984 wrote to memory of 3676 2984 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202f.exe 89 
PID 2984 wrote to memory of 3676 2984 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202f.exe 89 PID 2984 wrote to memory of 3676 2984 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202f.exe 89 PID 3676 wrote to memory of 1404 3676 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202g.exe 91 PID 3676 wrote to memory of 1404 3676 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202g.exe 91 PID 3676 wrote to memory of 1404 3676 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202g.exe 91 PID 1404 wrote to memory of 4568 1404 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202h.exe 92 PID 1404 wrote to memory of 4568 1404 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202h.exe 92 PID 1404 wrote to memory of 4568 1404 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202h.exe 92 PID 4568 wrote to memory of 2644 4568 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202i.exe 93 PID 4568 wrote to memory of 2644 4568 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202i.exe 93 PID 4568 wrote to memory of 2644 4568 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202i.exe 93 PID 2644 wrote to memory of 2000 2644 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202j.exe 94 PID 2644 wrote to memory of 2000 2644 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202j.exe 94 PID 2644 wrote to memory of 2000 2644 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202j.exe 94 PID 2000 wrote to memory of 4992 2000 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202k.exe 95 PID 2000 wrote to memory of 4992 2000 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202k.exe 95 PID 2000 wrote to memory of 4992 2000 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202k.exe 95 PID 4992 wrote to memory of 2856 4992 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202l.exe 96 PID 4992 wrote to memory of 2856 4992 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202l.exe 96 PID 4992 wrote to memory of 2856 4992 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202l.exe 96 PID 2856 wrote to memory of 100 2856 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202m.exe 97 PID 2856 wrote to memory of 100 2856 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202m.exe 97 PID 2856 wrote to 
memory of 100 2856 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202m.exe 97 PID 100 wrote to memory of 4536 100 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202n.exe 98 PID 100 wrote to memory of 4536 100 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202n.exe 98 PID 100 wrote to memory of 4536 100 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202n.exe 98 PID 4536 wrote to memory of 2040 4536 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202o.exe 99 PID 4536 wrote to memory of 2040 4536 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202o.exe 99 PID 4536 wrote to memory of 2040 4536 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202o.exe 99 PID 2040 wrote to memory of 2516 2040 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202p.exe 100 PID 2040 wrote to memory of 2516 2040 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202p.exe 100 PID 2040 wrote to memory of 2516 2040 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202p.exe 100 PID 2516 wrote to memory of 752 2516 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202q.exe 101 PID 2516 wrote to memory of 752 2516 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202q.exe 101 PID 2516 wrote to memory of 752 2516 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202q.exe 101 PID 752 wrote to memory of 4024 752 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202r.exe 102 PID 752 wrote to memory of 4024 752 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202r.exe 102 PID 752 wrote to memory of 4024 752 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202r.exe 102 PID 4024 wrote to memory of 1288 4024 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202s.exe 103 PID 4024 wrote to memory of 1288 4024 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202s.exe 103 PID 4024 wrote to memory of 1288 4024 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202s.exe 103 PID 1288 wrote to memory of 3656 1288 b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202t.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8b8fd42e45f7b073c056d7c9c128b90_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\b8b8fd42e45f7b073c056d7c9c128b90_NEIKI.exe"1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202a.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202a.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202b.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202b.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202c.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202c.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202d.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202d.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202e.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202e.exe7⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202f.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202f.exe8⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202g.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202g.exe9⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202h.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202h.exe10⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202i.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202i.exe11⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202j.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202j.exe12⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202k.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202k.exe13⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202l.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202l.exe14⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202m.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202m.exe15⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202n.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202n.exe16⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202o.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202o.exe17⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202p.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202p.exe18⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202q.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202q.exe19⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202r.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202r.exe20⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202s.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202s.exe21⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202t.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202t.exe22⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202u.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202u.exe23⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:3656 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202v.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202v.exe24⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:868 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202w.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202w.exe25⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:3132 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202x.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202x.exe26⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:4676 -
\??\c:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202y.exec:\users\admin\appdata\local\temp\b8b8fd42e45f7b073c056d7c9c128b90_neiki_3202y.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:1412
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
220KB
MD52f8b752e0e87a9e6d3e4867a3ed1a3e1
SHA1ea2c668bc4d0b171f53079baccb909e10bb55783
SHA25670d159cc7f60e65faa26a356ede7c9c06cdfa27a01307f022e020683fdc37103
SHA512ccd0dea2a3fa21f84712386c3b399d2a43d57768d05eb9e0b162178100aa6edafe5bd038924ba77f2c52bded71bd220eb2ef05a76987e1b2abd3bb393333f45f
-
Filesize
220KB
MD5854c995086548344224dafc0e21f3430
SHA13f3051f77227c1a03e4c6ab4333fcec5ac655c32
SHA256e34aa0ea82595228fb0563f2b1a9545c7b6e4998a7313da5c10e9466c40f1446
SHA512474c16b1c9a5b809f870b26fbf845aa33e4af165fb078ebc59894d1b2bf4c8b946164164d638bca78c0ab921175e48c4de7040dc5066e0c8f3fb9384aa939000
-
Filesize
221KB
MD5a4a08f0ee55d956a5eeb63e1270d4cc9
SHA1f18664b576caf1e4b0817169e7a2dcd82cf9abc2
SHA256900860445634c543b3030b3f8c4a7470a718b7a4d740d66de10f71581f06fa01
SHA51224ed4ea1f625563b46f6170fed88d2fa1e840cb6769c68e235c1d21ab4cc46b27c1c0f9816d7eaf28cdd6b193cda8526b663194b1ddae1ad253b4f876e1431b0
-
Filesize
222KB
MD55ecc804224e67101ee7915d5faec91e1
SHA12560d28034e48dbea2aec566ab8a453adebff800
SHA2560d9186de19d2b363c15d7fbfdcd056664e0a2770e1439ef0056448d2b53477c6
SHA5124cc39211bf44789fd8efc64389e292c5907f43bc6d2da51a9e8901b997d2e922f9cdac7dcea6013679c12201f0ae7e5c946c37f68e1158c1ab62e2d08946268d
-
Filesize
222KB
MD58c8e57b703a7280307f022ec9cbff078
SHA14d2e332e423f149c9f27dad7c1a368b3c6f8b5a9
SHA256f0796ce13a6b83d738c702eb9cbe73c98c240591a6eaba813cee461e736c377f
SHA51291831693ca9a07a41c31e0c62cfdfc4d910ea8561731e2aaa6e4c231438e1f9fcf1195d52a9d511448aac7b60aa084c934f52575f4c939a3bc56c243446a0a4d
-
Filesize
222KB
MD594e44611362b8ce19c7e90a86dc38640
SHA12973932bd047855b5dae35045651b6bf8b880ea6
SHA256e65cd2c3ab32483ab785a52d0ceef46731eec04ab066904563982362e8faddcb
SHA512afc950e21a8167935666cde70f33a3102d7cbe0df5463fa9653a95eeba9d55cf66e5c8e2768d9a7c0aee2dd57999669e6662695b894c54afa94f1d030dbd05bf
-
Filesize
223KB
MD54fe601e9ffaabe9d380eb6a4e4cdcb80
SHA1e39eb0bb41c711427e6969af1bc1f0466f5c269c
SHA256dfd6c39a54f8252847fd43803e796e46fb94b35697e2a8ddd1c573507c560758
SHA512353817132fa57733c276c477b5c8fa4228bdbbd4e7c6f157d4a3fe68de75ec8cc0f1b7484cfd784725bee763213eecd5d468c1c1cc2075c635293e9119537257
-
Filesize
223KB
MD51d6ca460f27542f1cafcbd81789a6ef5
SHA1700cf2d10ff1af95179883f6ece54a93861f13f9
SHA256a373c3f7e7cb284d9198989d23cd00fda768ee748bf9e48ee608f10c2a788b8c
SHA51263d84d3e5faceaf8d6b2d3611d54d87e6ef3600d7ee14c2eaf3df6a250be98f0932def0f758822170703de58120e0e7aa1fa99d9f7a56b9f1b669083bfab4061
-
Filesize
223KB
MD561eef4a1da0cc5e96d399d0c3f0c9bf6
SHA165e0a825cf63484f1d7c3cda398343ed0f07689c
SHA256c5ef1fd2021c16165c7b38ecf6fca5b52b16ae90a0f8e2f1c2cad20cec939e6c
SHA51202e4b7ba439afb89432ba4fb4b8db650fa16415be48029566293697fd9203bffdef1075d9d618e779b5b6fb954c9323e53ec40b3d82be5131541988819aaa8f5
-
Filesize
224KB
MD59d4dd18492572892afda2029c60b3d0b
SHA1922c4fd153d9251f035f6d29bf67bee15e89d0a3
SHA256103272cc58a9f6f08ff99d618f85f595c15eb7fb7d6cf4c22a4a89e0b4778fea
SHA512506076b542551a32227499dd2b6017e143ee39f6f01d285a1543c82e92f88b795c9993fd0cc096c9a36b3ceae8ccdfabc2c120f8fcee0b793c35611e6abe4e6e
-
Filesize
224KB
MD512b3e8e9f51e550414f43675e05617a4
SHA19429a71b4eafaf959df41226ba39b3a6d9a13ba5
SHA256faaed8d3dd62a2135831925563bb72d1486290d7ae8075e8c082e46103af1828
SHA5126d808291a554e4d0ac55978d796a19b34069d9250b6d6ac293c6c6a97945d1902051b50628d37f2f005e7cfb57839e6284b6b69353739a93bc812051c787d6c3
-
Filesize
224KB
MD5e7b41816b43756d96585bef282d3f575
SHA11cbc66f28a84be6f8a4e854abac1ed252b04d44e
SHA256e7d205aa75acba68c9b7bd7568c02dd4d67a3ec5a87c1dd138904a02d55814c2
SHA5123fbfbcca5d51b1d5fee854ef35274994461860f9a401afe1b5903b08f97b69d6b9b3fffffc0fd32381d6f82885a1a38a7c8da0ea27f279a40168de7f15c8a955
-
Filesize
225KB
MD597470fb9dbe6642860adbc1244b43741
SHA1cd21c5e8d131a9c3ac0e2ac93aa26d18c55be5f7
SHA256281617e33bd017085e502d3750d825e14fca4fe49800b020145bebec9e78bd53
SHA51202732409070e306aef4efce9a046008000fd1bc0ba962d4074ffa85d296a57a8947c42612ad05ab71930e8bf2dbca275774f84df78c24c92ad2ea3b4c1ea103c
-
Filesize
225KB
MD5b4486bb8a60268ed362673f990d8de11
SHA1f5bb54b30a0f123f05ff2659a663171b76243b61
SHA256cbe0e182cd4d968ae56690cdf95c4d476b5a96d094fffd82d978dbcab519f81c
SHA512e5a84e9757ce22eb3fdb13c1dbb8265826f6dfe4208ddeb9c216567e1d0b10424534f46672674f0ff0b4eff49a03bf3356c93220638e47e0ce9920a3a4be2a3c
-
Filesize
225KB
MD526e6e65ccb349f979c800ffeaeb51de0
SHA15bb29c35c2a1ec84cc682c1e092b1447eeeea65a
SHA256b489baaaefa0539ef44782a8fb4ff51a2c854abb23369401b43a14a39e44dee7
SHA5128e683d60c2f7252682e1f99341293fd6f688e16c39a085046fd93d378b1c1664269a78fc69824db478617e9b7d2272021c4fec7ea2344202b1fb5bbd03ac0b99
-
Filesize
225KB
MD58a4b15dddb2709a77ae75c1c07a6705b
SHA191eccaf9ee79868a403ab5e3a898c54256623081
SHA256eab5d65c8d85b0eee97531148c5ebdb40ef3c71043cdff45feeb9e0aa3f45275
SHA5126fcf240ed702f597fca55422622e101e00d7a3fde1f773a4714796df3adb06bf3dcd17dab15a04da83bc9ccf2bd5ccddd9fedf75337728b90ff9ba4c0f5f145f
-
Filesize
226KB
MD575909c355cbf812d7a4d8aab57002c68
SHA1fb30b76f7c2d9129a1eae81bd7a8829da7d7064c
SHA2562b3cc88cd94e36b279cfea2fafe7f11b06327ee1a9b5cc866969fc7fb2f45829
SHA51277ccebfae1546ebb8b66e1e84725def0f49a9ee4787293b1140f7fc82e6be898a437c2cd5211bc0e050e5705000f44830f9fee23f809b6845737e0022980314f
-
Filesize
226KB
MD5cc74b7aae2bb056aaff21db69c74851f
SHA1b446257412d388abdb2660197211f5d7eab7fd8a
SHA2568b963ab41cb09516a98057e2bf8d9bd8d144de553ab185273e0d5a470a57243d
SHA512f3e2b91bf999e0515afbe5fba2af88a59d443e4e2e94d99fce4ca1e59e3bcc0f49298c38a4ded2b918f02207b03b25a364c30fafcfae7b49553591101a5f641a
-
Filesize
226KB
MD5a08438246badc1a752d49315d147a0c4
SHA19a643a7e3175ea9443ada2e7da6dfc8a53ff2ca8
SHA25696a556e72971755afdd18eb71f388c8b6d1b8c35b1589d65e864d85b546737d1
SHA51296968dfc28bc6770eb65c147deaf22c74e15800b6cb3f4bf02b626d2dfb799a6f22f510e31d3ea2c956fb98d40b7e64c084529fe75b64a68c511e58cccdf6053
-
Filesize
221KB
MD58057d7c7a978740a941a9895c0db2573
SHA16ebfadf90d404d19f3af4fda7c115795334c0c64
SHA256f4333cc1313812d7ba05be60cc9fc2f944feabe3f09e03e87e9bbf01faf2de44
SHA512d03041bd7e891d75075b9573e543b835a9d7cbd48e8766cd45c70edc19c92dd869ff320481b970f18aa488762e6c907dc3e7654d9134a46c6f58ae8541d22fb5
-
Filesize
221KB
MD5f59836b64dbf466781041361d5264b82
SHA1a4090f2da86ee0cfa742bbb3dc3b95290238ad08
SHA256e6d40c206a0e480e5556dcdea594753ac5b0bc1347596a7114b0fa276579e084
SHA512402b142cd4c60430aebc94fba1f97b0c960cc0f65c18677bc8f489bb3280cc27c24789ce893c9906b748843a60122626e6e2b340e56a8a99264b99fa65468afc
-
Filesize
221KB
MD59261fa5aa23f85b769966aae257835f4
SHA1bfed05ffea54c2cc51ed89c3ab56f95695ef7ac0
SHA25641d3ad347f8bdb0e65209d2c8418ab22160848a83a099def21e310a957bbf3f4
SHA512992fc3a121d8b83aa0802ca9762caa020b0fc5b663c220cdad9527af9f2f874a725b3803142bf26a05cf691084687f2de49ee32ee2e528a545ee266c0f691b3a
-
Filesize
222KB
MD5f282390b671447c99a46b562d78d419c
SHA12047bc1775e6db99c1d754a91f74be33bee6afe8
SHA256e510322af0ae383d8b9622e44b2abb09a8b197462cdeec46337e240b57b3b228
SHA512cf9cb21b836a29d12c03639738f05fd60be1f94ba4b584aa575d3dcaab85af4aaca266151149b508edf91655bf7c18a35ac80c85ca4f44211660e57e2c6b4978
-
Filesize
223KB
MD586d474aa29df2d2065e9e56d0d33e581
SHA1e2069717b0e9e3f0783a209976294f6883a14a32
SHA25626d27848064355aa682728006bec48e6d4ef913c70477b878bb57790af6fce7c
SHA512786feef6e20d565a04646d455299530b2f0eb892b6f0eb595e78a1301cf5cb0c3fed1c68570fc829662a6f640a5f56148b9c0712b717dc9b4735f559f217e7d3
-
Filesize
223KB
MD55fdcf8252e751f54ce99955cac34f18a
SHA15c7704dac4d0a3184be98fabc79c4ac00abc8618
SHA256b925c9102a507e1b81c7b55319762462d663a074b9e843086a33532934b9d944
SHA51297ae5523307128f059c5d71f50290b7c0c157a145475edee1465da55af67090ef6ebeea59ee204a47a3adea538ebad01a14fcd34e5c01bac493f20b90f63d9c7
-
Filesize
224KB
MD5eefcc66468eb4c881f630fea4ea11af6
SHA18ddf4eb21765046b6a60cdc8464340e0a2109072
SHA256cb4f8247725339fd16ff6dae71d4cebfa5fd4d8f921524e40440e4e10470955d
SHA512d70d471ca1df6a390e1cdf1944e9f002c0aebcca66cf1b58d52362ebc1f24e82594d80b1494ee1cc532bcc671faa4661aaa6050a8b9aab577d8c26183b5a3b56