Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 03:34
Behavioral task: behavioral1
Sample: e0738b1e76b86af6532b4ba35bd04420_NEIKI.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: e0738b1e76b86af6532b4ba35bd04420_NEIKI.exe
Resource: win10v2004-20240508-en
General
Target: e0738b1e76b86af6532b4ba35bd04420_NEIKI.exe
Size: 235KB
MD5: e0738b1e76b86af6532b4ba35bd04420
SHA1: 33e39ddd8b7fe4564e7d4726d733c5222ea59cbc
SHA256: 7340d2b4b6441a047514e299e014b31ec1e2cac1dce77bc152ac001b23835e6d
SHA512: 6395af671b0eafc78bee7c0933c92d11cd4339966de90e8dbdc71a29c893fce1606734e0df363723cdfdb6ec85abdd79be74e59a21572d9bb0f8fd3a5d35c377
SSDEEP: 3072:gsRSH6s1oNiivZhHOVMgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ4vnZy7L5AuJaW4bu:bRUj12ZhulrtMsQB+vn87L5A5
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs
Malware Dropper & Backdoor - Berbew 26 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 26 IoCs
pid   Process
1572  Mkgmcjld.exe
4920  Mnfipekh.exe
2256  Mcbahlip.exe
2944  Mgnnhk32.exe
4212  Nnhfee32.exe
4552  Ngpjnkpf.exe
4640  Nnjbke32.exe
4484  Nqiogp32.exe
448   Nddkgonp.exe
4236  Ncgkcl32.exe
4228  Ngcgcjnc.exe
4916  Njacpf32.exe
3432  Nnmopdep.exe
2148  Nbhkac32.exe
1652  Nqklmpdd.exe
4876  Ndghmo32.exe
1684  Ncihikcg.exe
1560  Ngedij32.exe
3496  Njcpee32.exe
4596  Nnolfdcn.exe
4688  Nbkhfc32.exe
2840  Nqmhbpba.exe
1932  Ndidbn32.exe
4224  Ncldnkae.exe
3364  Nggqoj32.exe
2360  Nkcmohbg.exe
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid   pid_target  Process
3636  2360        WerFault.exe
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0738b1e76b86af6532b4ba35bd04420_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\e0738b1e76b86af6532b4ba35bd04420_NEIKI.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:448
C:\Windows\SysWOW64\Ncgkcl32.exe (command line: C:\Windows\system32\Ncgkcl32.exe; tree depth 11)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4236
C:\Windows\SysWOW64\Ngcgcjnc.exe (command line: C:\Windows\system32\Ngcgcjnc.exe; tree depth 12)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4228
C:\Windows\SysWOW64\Njacpf32.exe (command line: C:\Windows\system32\Njacpf32.exe; tree depth 13)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4916
C:\Windows\SysWOW64\Nnmopdep.exe (command line: C:\Windows\system32\Nnmopdep.exe; tree depth 14)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3432
C:\Windows\SysWOW64\Nbhkac32.exe (command line: C:\Windows\system32\Nbhkac32.exe; tree depth 15)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2148
C:\Windows\SysWOW64\Nqklmpdd.exe (command line: C:\Windows\system32\Nqklmpdd.exe; tree depth 16)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652
C:\Windows\SysWOW64\Ndghmo32.exe (command line: C:\Windows\system32\Ndghmo32.exe; tree depth 17)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4876
C:\Windows\SysWOW64\Ncihikcg.exe (command line: C:\Windows\system32\Ncihikcg.exe; tree depth 18)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684
C:\Windows\SysWOW64\Ngedij32.exe (command line: C:\Windows\system32\Ngedij32.exe; tree depth 19)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560
C:\Windows\SysWOW64\Njcpee32.exe (command line: C:\Windows\system32\Njcpee32.exe; tree depth 20)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3496
C:\Windows\SysWOW64\Nnolfdcn.exe (command line: C:\Windows\system32\Nnolfdcn.exe; tree depth 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4596
C:\Windows\SysWOW64\Nbkhfc32.exe (command line: C:\Windows\system32\Nbkhfc32.exe; tree depth 22)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4688
C:\Windows\SysWOW64\Nqmhbpba.exe (command line: C:\Windows\system32\Nqmhbpba.exe; tree depth 23)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2840
C:\Windows\SysWOW64\Ndidbn32.exe (command line: C:\Windows\system32\Ndidbn32.exe; tree depth 24)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1932
C:\Windows\SysWOW64\Ncldnkae.exe (command line: C:\Windows\system32\Ncldnkae.exe; tree depth 25)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4224
C:\Windows\SysWOW64\Nggqoj32.exe (command line: C:\Windows\system32\Nggqoj32.exe; tree depth 26)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3364
C:\Windows\SysWOW64\Nkcmohbg.exe (command line: C:\Windows\system32\Nkcmohbg.exe; tree depth 27)
- Executes dropped EXE
PID:2360
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 400; tree depth 28)
- Program crash
PID:3636
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2360 -ip 2360; tree depth 1)
PID:2052
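The tree above is a single straight line: each process launches the next from an executable it has just written under SysWOW64 (the command lines say system32 because these are 32-bit processes under WOW64 file-system redirection, so the on-disk image resolves to SysWOW64), and every hop also carries the "Adds autorun key to be loaded by Explorer.exe on startup" signature, which corresponds to a value written under ShellServiceObjectDelayLoad, a key Explorer reads at logon. The following is an added example, not code from the sandbox or from the sample: Python detection logic that finds that drop-then-execute chain in Sysmon-style events. The events, PIDs, registry value name and CLSID are constructed; the image paths reuse the first two names from this tree, and the WriteProcessMemory signature is not modelled.

```python
from collections import defaultdict

# Constructed Sysmon-style events (not taken from the sandbox report). They model two
# hops of the chain in the tree: a process writes an EXE into SysWOW64, launches it, and
# the child sets a value under the Explorer autorun key ShellServiceObjectDelayLoad before
# repeating the pattern. Field names follow Sysmon Event ID 11 (FileCreate),
# 1 (ProcessCreate) and 13 (RegistryEvent). The value name and CLSID are placeholders.
SSODL = (r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion"
         r"\ShellServiceObjectDelayLoad")
EVENTS = [
    {"id": 11, "pid": 4000, "image": r"C:\Users\user\sample.exe",
     "target": r"C:\Windows\SysWOW64\Mnfipekh.exe"},
    {"id": 1, "pid": 1572, "ppid": 4000, "image": r"C:\Windows\SysWOW64\Mnfipekh.exe"},
    {"id": 13, "pid": 1572, "image": r"C:\Windows\SysWOW64\Mnfipekh.exe",
     "target": SSODL + r"\Constructed Entry",
     "details": "{11111111-2222-3333-4444-555555555555}"},
    {"id": 11, "pid": 1572, "image": r"C:\Windows\SysWOW64\Mnfipekh.exe",
     "target": r"C:\Windows\SysWOW64\Mcbahlip.exe"},
    {"id": 1, "pid": 4920, "ppid": 1572, "image": r"C:\Windows\SysWOW64\Mcbahlip.exe"},
    {"id": 13, "pid": 4920, "image": r"C:\Windows\SysWOW64\Mcbahlip.exe",
     "target": SSODL + r"\Constructed Entry",
     "details": "{11111111-2222-3333-4444-555555555555}"},
    # Noise that must not link: an installer writes into System32 and an unrelated
    # service starts the file later, so the writer is not the parent.
    {"id": 11, "pid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Windows\System32\vendorsvc.exe"},
    {"id": 1, "pid": 901, "ppid": 700, "image": r"C:\Windows\System32\vendorsvc.exe"},
]

# Both the native and the WOW64 system directory count as "System32" for the check.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def drop_and_run_links(events):
    """Return (parent_pid, child_pid, image) for every process whose image file was
    written into System32/SysWOW64 by its own parent earlier in the event stream."""
    dropped = {}  # lowercased image path -> pid of the process that wrote it
    links = []
    for ev in events:
        if ev["id"] == 11 and ev["target"].lower().startswith(SYSTEM_DIRS):
            dropped[ev["target"].lower()] = ev["pid"]
        elif ev["id"] == 1 and dropped.get(ev["image"].lower()) == ev["ppid"]:
            links.append((ev["ppid"], ev["pid"], ev["image"]))
    return links


def autorun_writers(events):
    """PIDs that set a value under ShellServiceObjectDelayLoad (loaded by Explorer)."""
    return sorted({ev["pid"] for ev in events if ev["id"] == 13
                   and "\\shellserviceobjectdelayload\\" in ev["target"].lower()})


def longest_chain(links):
    """Longest parent->child path in which every hop is a drop-and-run link."""
    children = defaultdict(list)
    for parent, child, _ in links:
        children[parent].append(child)
    child_pids = {child for _, child, _ in links}

    def walk(pid):
        best = []
        for c in children[pid]:
            path = walk(c)
            if len(path) > len(best):
                best = path
        return [pid] + best

    roots = {parent for parent, _, _ in links if parent not in child_pids}
    return max((walk(r) for r in roots), key=len, default=[])


def assess(events, min_hops=2):
    """Alert on at least `min_hops` consecutive drop-and-run hops, or on a dropped-and-run
    process that also installs the Explorer autorun key."""
    links = drop_and_run_links(events)
    chain = longest_chain(links)
    persist = autorun_writers(events)
    linked = {child for _, child, _ in links}
    return {
        "chain": chain,
        "autorun_pids": persist,
        "alert": len(chain) - 1 >= min_hops or any(p in linked for p in persist),
    }


if __name__ == "__main__":
    print(assess(EVENTS))
```

The link condition is deliberately strict (the writer of the image must be the parent of the process); a write by one process and a launch by another, as in the constructed installer noise, does not count, which keeps ordinary software installs out of the alert while the 27-hop line in this report would match at every step.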
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 235KB
MD5 ce46324b6a5a517f8a7ec095290b532b
SHA1 cf5d02144c60ec9ea91451307de566eac17f17e7
SHA256 c37708b47c591a59f206906170916766f5731dcd538d0ad428899f99360cd1fc
SHA512 7ee18c950293c4cf73eea7e87f4d838c31f1f76aa806294ae3bbf3be95e71cd0c647316f6a0891f5b3129445eb4e00df527312e06a98c8e9d8069f0346f2b891
-
Filesize 235KB
MD5 9a700159ed23f61dd75d4e31651ae216
SHA1 a53c52954fda90cd3a29410dfdca39c0df51da35
SHA256 e63dbba0692cbeff8d806fe7d252db689073121ce67117aaf8aef99d2adea273
SHA512 1ea400847a9f3bbc6b160b36bdc86aa12328c608c533afa9e7b11190374ce6501754da66ede789567645a09c7b39a3def6280abe4cf69252739aa5a38190688c
-
Filesize 235KB
MD5 ac581811a67ceb1136dd0734b6764aad
SHA1 3e3a1b1c8b48a692b2000c734e10148451790dd7
SHA256 ee514ae3ef35efc3f4bc0be8c5ba3b82851bc99255a3f89951ab36ec6e10ef51
SHA512 abaeb2c18ea245f238269d2200d4b852fcda47e67880fc6d23f378527000b4a83f06c6813ef7dcc51a8a0a66ac55b5975cb6901e58e8acbadfc2d1eeec1baa92
-
Filesize 235KB
MD5 0283089d4266b35581e6dd46bd404b5b
SHA1 2ce18b7485e4e41293d46578262d0d81b40154ba
SHA256 5a46c833932b801239f409865b045ae7315a70ea38d97b9cd1a477eb1e73c45b
SHA512 6280e31a52dbd0d1d31ac356973c0ea7550f7ff5eff776d8233f64eada55460abeaa992a2378fba4d413b46e087475b5ca880a4568432c1f3c15efb9323dc00c
-
Filesize 235KB
MD5 d74ca1a6afffbd26ae1950b25efc7832
SHA1 407510c212ea0ca2c168f10053752bb84ab3acde
SHA256 d1f1206c92854525c84cfd249ed2ed4800cf816f695e63af569511b894cdbf3d
SHA512 e258bc1f8dff7c03dbfe3e3c552aca95d710f19a6ee23ae2f43d163f31bcce7bb67b7e05dcbc3b2f9c838ef078f3b04305e88a32de8fb4b501fb55d1f3fe76c6
-
Filesize 235KB
MD5 3bceaa115883d27d88698bbde82d917d
SHA1 5edc3a494d047ba84c3b170f98e3b7127196d1fe
SHA256 cad04c5dfaf2a5e96e47d8f0ae2956575b22226203fb61f07fbb149cf20377de
SHA512 543f4301b2c498cdb72e5b40f3ad1bac938aa67757c4a27d8ea0b0877af8398f0dcacff2308f16c515c63c2ba25fbc4b65c0f1c16b42343279dd8915c2838907
-
Filesize 235KB
MD5 16e3ea2217c27fcbaa20a425ea873fea
SHA1 a53cca44f22acd73cf18edc65e23d45ca94dbc02
SHA256 5ad5157f67bfab48a472937166c26280f8c3e0552d5203e036bafc86ce1f28e5
SHA512 493d18d7a15829655d1e35e17ee584ada34c2c1f96d3e23fb4da4953d6e2ba26e227adbd31909794b48a51989ca18e149ef9f3d047c89c54a1becf51dace2dc8
-
Filesize 235KB
MD5 c00520dd8c8939ebb8de4cbe7cbf2310
SHA1 70c2a7a5a540afe223f235f71d7ff7c960e5e2c4
SHA256 3a0d6ee3de5ec4ab5e2fe64d10a08a1d5cb9acca289b35e39dd6dee710667116
SHA512 0debf4973b42fb092fb4df9c81b00cb900df28012dea71ed75af6ee66448017bc6d306ce2a5a5e5e2948072035ec5c560dcc0dfa40c818ac55f3cab73b8a615d
-
Filesize 235KB
MD5 491c3362985d3358b5fbe2922bdbecdc
SHA1 c40e6352325a8523b40ed1f0803459865afcde87
SHA256 f91328f87b2b915c45d2a371dc9dacfc89c3b3a50e25f1ec30b20c275c494e1c
SHA512 617d0f8d1511cc8dd960376de8a453dd74aa9c8f5c9090cd2ffa6ed3d5339f11288c4fe35b2426b42aaa1f25566a65ba6edd048a7149b2cc8249fae779c54164
-
Filesize 235KB
MD5 fc0f2b55fd8ba4be5640c9b5cf0be131
SHA1 676ac0b3f2a5e3c4a79a7fd45280bcb6a5376306
SHA256 2dd17839b3ffa531c4cf1ac144131b43c9942c9320fae251aae7e5e88e67413a
SHA512 6ea882b73a910abc9fa75fc50e4d6d07d58106100c1af0028e7af030c73262a502875e16d55e1e863313df1d964f3d73a5b39f2c91945b26690738ec7a6314b7
-
Filesize 235KB
MD5 71dac9660d68c27da53a738ba0909b6e
SHA1 03e4f7605aebd24b82472b46907643aecdccce7d
SHA256 16c44dbd332925c8c48cab1fcde85ecbd0e9cf525b5526974159602fffae684d
SHA512 50e493a8f60153f0e579b149286dc56673f1238540ce9f7b1d50c9ba41d3917c19676d5953e140c7e4d5b2f347f8f58e5f94642bd0b7b9e413e65b3327898ff6
-
Filesize 235KB
MD5 8bc91d2caaa2d432594bd9bc87fdaaf5
SHA1 e1c08b29670e87fbbc9404cc106bc2e6ceafd001
SHA256 95cf6a1fbbc4e1ddfb26a4995343cb6ad6aad747ef5208b4ce5ca10dca422837
SHA512 e572ad8a32c0cbe9c57dc27a21c6e5d07d50140022385589ab1f7017d1f6d54f9953ca22169982d2543d7b53a11173ff3912c457cd30a874afdc81ee2df0a80b
-
Filesize 235KB
MD5 2d6302b96816ea6b4ff6decae9836c12
SHA1 91ca864908f7afce32e674cafe3e307d7a80bbb6
SHA256 7eb95e56d44970b979e89d7019a7654d172200699fedc24c93b908f9a8c27a2a
SHA512 ae38603c2803a81203616c1a9fb5f4a83825ff2b7324e1cd452eb83f386dd4a76e52ffd573c2f457ef1f6fd495b5dedb9357c4fb4c424c7df160246ce0b5e83d
-
Filesize 235KB
MD5 ba07a70f7f465689bb9c6e3bff5161d7
SHA1 c6ea67a6ad10fb080b6053ef894d094effc0e55a
SHA256 08504994b14d121382d308ff55c866285e7cf928b96477eff874d6cbbba711f6
SHA512 a9f6592585eb6222f09fd26d57fcff3977d6a1150c205c548bd7fedd1e754c9858e9b1cd43f3de568fb632811b4fff102cd8e49da498a30881d8b65b6be60f52
-
Filesize 235KB
MD5 2e748af7bb582a5d058803fa3b2beda0
SHA1 c8c9cda5808b81f39fe42fbf78d1f4cfeba25c24
SHA256 582e7551fff2a69803d99c59148baa564b7df14cfa413b17f484fc7806cbf0c6
SHA512 6b2c4689b7926447dc281f80cccf72a86db18fde629d347ca75f49349492bc8ddc6abf432e75c39735287be389794dab92fb574d62389e5b4732cc3b858ad137
-
Filesize 235KB
MD5 b07fc6b0562aa09f776f13e02341cc1f
SHA1 c3b236cee4904599666d1e2f951aed00e51d4664
SHA256 c7af455f37f2946847efa7055754b85d9c9bf1aa313123c24abeb436f04f2cbc
SHA512 6e50b6a55894b8026ab64c1ffc18b5e42b1dea9e878568cf638000640474954368f519444182c4201f6ca9bbd033a1c0de13e229da45da8518379566edc24b28
-
Filesize 235KB
MD5 926792c32458c2562b79d9b861cc7199
SHA1 f054c3a7ea83d407b6c2e6042a025e7b097634c3
SHA256 1976931e2de4d38ca37a03066e1db4bfb36dbfbbb5ee2ef2169ff3cc0e6aa754
SHA512 68341f840089c0cdbe25b366db1edcef4a5f4f3b6cb8b96c785b824e3692e4d2d95b40cfca562eee6be76a701041a8b5d40f6685ca0a41cb8a1a3a65f39a346d
-
Filesize 235KB
MD5 ae382a1c4f31a64e68ab1121eb9635dc
SHA1 6277ac389f8bb18e5c49c5360a33108eeb765af0
SHA256 95b985ec84f604d1295d9915e8a35277116a4022e9ff825c6f471a85eefc863c
SHA512 0efeb48dff192943a4885f8fb8a54235f7da82b432f58de307a3f9dac4a2c79b9e187aa4b25d299fb6eeb99972f030b2bd203b9262a5f76e80cbca5e2087d10d
-
Filesize 235KB
MD5 7f9d378cf43836f200bf5ef75bfda026
SHA1 97e473d36f6a366528feac1c08fc30dd9b46ae3f
SHA256 3d22ac751d3fd2235efb172696e9c7c36d1ea289dd43e618316f6bc55496a20e
SHA512 e9f6db788a0529102553841febedc1f7eb8f211972b959af9073f3e263cf88a7e2a65a295fd1aa288c54ad46531db8f0873f65a0f218633a034c450ec03951b7
-
Filesize 235KB
MD5 87ea7315a95c28a93eb905d55c15d79e
SHA1 e7e905b76164f839ee971e592ecb63d676762492
SHA256 99da857c46ac5c96a42c23f467dbff2644ffffd7d728cd3f95bd5edade864089
SHA512 f55309a63cc774091bec8058db6f9e77397df2e81ff080b2dc4ce711aa78f6e56e1d5ad8686349f4a503de881307415023702060f81398e6423add669714f98b
-
Filesize 235KB
MD5 6cc4e3b80d3f23a7ad11f31a4a65b9ad
SHA1 a25c4a7ddf65f52f606f26068706892bff40d848
SHA256 187e79a7d0607822e98e875ab2e88c55e0aa914e55cd41638882c874a2fd894a
SHA512 7b9ddf998e360e078d4c31347dcda56cfe162a734cd4bf7d6ec97481289d7894549b5a8ea0d9ec90b28bcdc02a7aadd1cf7e6be71570e085bc6dc292e35e59cc
-
Filesize 235KB
MD5 c9a56b323899d62dcd76e330f9fd4cd7
SHA1 0965b4e08c9d7f891b204d30b49b90833d72e303
SHA256 c28ba7c33fba0414039aff36b9a020563846007637f23475121ed2972e4930d8
SHA512 a86a6ddb74e8d0ae6c884b4720de290c08b3b5fd0378efa06296a7ac952981b6d4a14369237292e6fcaaa381caf81f1508609de9d56c164f69fbd3c3ea1bb755
-
Filesize 235KB
MD5 f92711bf8f30d46f579a6199d17d50ab
SHA1 11630aff937246f4f7684dea75ec8ef4aa3b230c
SHA256 911ce0c747a160975562b530c961c1261ceb8784265b8ebc8edf6b56c61b996f
SHA512 33ad2f871c36afc5945a6497398c73a0e6cfffd60b74939cf4baed1c65886a510576bf4bfec7fa43849daedf7201bff06e6b120a34f60e0538c53c19cc344780
-
Filesize 235KB
MD5 624cfd3f5d468075783d2c5ae5ecbd0a
SHA1 295e1d31f29393300b3d4d70999d364fc700e0d9
SHA256 0447d4b7764f64aa624df1599482d7dc902f970d972301f09bb405f0b288adca
SHA512 32ea681afaaea02d769a63491310a697b608f87c6cc7cac0e6dbbcb78506313d45a4b18e09e4e582827da1a9f17a4485a73e73aaec2d6e3576b9e793ba449881
-
Filesize 235KB
MD5 1b09e118a119741b01cd4b7b5810096f
SHA1 e6e5c8e15797a1b2209ee7a926c6ff03531b158e
SHA256 3002fe4709dad1aefdeb6279f4604ab34780249b977c00d1529a1e3119594321
SHA512 491b9fed0abb1cd11db75195f79334d539e529abb25006a24ba588f60f8ff5fe6d63fe6b29561429aadac3620a8afa3948d5abf06a22406f4bb776f0ee32daf8
-
Filesize 235KB
MD5 493c7743743597dceb4eefe78efd5fa4
SHA1 202116327ac490d931bf67d8075cbf5eaf764fcf
SHA256 8efa47869e67907f9f643a637594377836e03e74d0f8beff43338fa3e2efb9a8
SHA512 ccf8fc915af69719b6ebdcf31196da0054d7167e25c09d05a4e2d2afd1f5088ad5de02347c5e30c2516f6065cb13f564833941d8eafc20d6854825543857e02e
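The process tree and the Downloads list above are what an analyst lifts off this page: image paths, PIDs, parent links, the process that crashed, and the hashes of the dropped files. The following is an added example, not tooling from the sandbox: a Python parser for the raw text as the page exports it, where each process line runs executable path, command line and tree depth together and each hash label is fused to its digest. The excerpt embedded in the code is taken from this report; the depth-splitting rule (a child is at most one level deeper than the process listed before it) is this example's own heuristic, needed because "-s 40028⤵" could otherwise be read as "-s 4002" at depth 8.

```python
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PROC_RE = re.compile(r"^(?P<path>.+?\.exe)(?P<rest>[A-Za-z]:\\.+?)⤵(?:PID:(?P<pid>\d+))?$", re.I)
PID_RE = re.compile(r"^PID:(\d+)")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-f]+)$", re.I)
SIZE_RE = re.compile(r"^\d+\s*[KM]B$", re.I)

# Excerpt of this report in the raw form the page exports: executable path, command
# line and tree depth are run together on each process line, and the final WerFault
# line also carries its PID. The two hash entries are the first two of the Downloads list.
RAW = r"""
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Nkcmohbg.exeC:\Windows\system32\Nkcmohbg.exe27⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 40028⤵
- Program crash
PID:3636
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2360 -ip 23601⤵PID:2052
Downloads
-
Filesize
235KB
MD5ce46324b6a5a517f8a7ec095290b532b
SHA1cf5d02144c60ec9ea91451307de566eac17f17e7
SHA256c37708b47c591a59f206906170916766f5731dcd538d0ad428899f99360cd1fc
SHA5127ee18c950293c4cf73eea7e87f4d838c31f1f76aa806294ae3bbf3be95e71cd0c647316f6a0891f5b3129445eb4e00df527312e06a98c8e9d8069f0346f2b891
-
Filesize
235KB
MD59a700159ed23f61dd75d4e31651ae216
SHA256e63dbba0692cbeff8d806fe7d252db689073121ce67117aaf8aef99d2adea273
"""


def split_depth(rest, prev_depth):
    """Split 'command line<depth>'. The trailing digits are ambiguous when the command
    line itself ends in a number, so take the longest digit suffix the tree allows:
    no leading zero, at least 1, and at most one level deeper than the previous process.
    This heuristic is the example's own, not something the report states."""
    m = re.search(r"\d+$", rest)
    if not m:
        raise ValueError("no depth on line: " + rest)
    digits, body = m.group(0), rest[: m.start()]
    limit = prev_depth + 1 if prev_depth is not None else float("inf")
    for k in range(len(digits), 0, -1):
        cand = digits[-k:]
        if cand[0] != "0" and 1 <= int(cand) <= limit:
            return body + digits[:-k], int(cand)
    raise ValueError("no plausible depth in: " + rest)


def parse_report(text):
    """Return (processes, dropped_files) parsed from the raw report text."""
    procs, files, cur, entry, prev_depth = [], [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = PROC_RE.match(line)
        if m:
            cmdline, depth = split_depth(m.group("rest"), prev_depth)
            cur = {"path": m.group("path"), "cmdline": cmdline, "depth": depth,
                   "pid": int(m.group("pid")) if m.group("pid") else None,
                   "signatures": []}
            # the parent is the nearest earlier process one level up the tree
            cur["parent_pid"] = next((p["pid"] for p in reversed(procs)
                                      if p["depth"] == depth - 1), None)
            procs.append(cur)
            prev_depth = depth
        elif PID_RE.match(line) and cur is not None:
            cur["pid"] = int(PID_RE.match(line).group(1))
        elif line.startswith("- ") and cur is not None:
            cur["signatures"].append(line[2:])
        elif line.startswith("Filesize"):
            entry = {}
            files.append(entry)
            cur = None
        elif entry is not None and SIZE_RE.match(line):
            entry["size"] = line
        elif entry is not None and HASH_RE.match(line):
            algo, digest = HASH_RE.match(line).groups()
            algo, digest = algo.upper(), digest.lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has {len(digest)} hex digits")
            entry[algo] = digest
    return procs, files


def crash_targets(procs):
    """Map each WerFault.exe PID to the path of the process its -p argument names, so a
    crash line can be tied back to the dropped EXE that died."""
    by_pid = {p["pid"]: p["path"] for p in procs if p["pid"] is not None}
    out = {}
    for p in procs:
        m = re.search(r"-p (\d+)", p["cmdline"])
        if p["path"].lower().endswith("\\werfault.exe") and m and int(m.group(1)) in by_pid:
            out[p["pid"]] = by_pid[int(m.group(1))]
    return out


if __name__ == "__main__":
    processes, dropped = parse_report(RAW)
    for p in processes:
        print(p["depth"], p["pid"], p["parent_pid"], p["path"], p["signatures"])
    print(crash_targets(processes))
    print([f.get("SHA256") for f in dropped])
```

On this excerpt both WerFault instances (depth 28 under the crashed process, and the depth-1 one started with -pss) resolve to PID 2360, Nkcmohbg.exe, which is the last dropped EXE in the chain and the only one that carries no autorun or drop signature; the hash validation rejects a digest whose length does not match its label, which catches a truncated copy-paste before it lands in a blocklist.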