Analysis
max time kernel: 92s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 09/05/2024, 14:40
Behavioral task: behavioral1
Sample: 61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe
Size: 115KB
MD5: 61b9a24b39c7e4d90caab5eb6421a190
SHA1: 2ecf7bcd293055da45418560d3070531d8360519
SHA256: ddc732c689da1b1dcb4cb1700fd87312f9cc2145ce60142d9e9bf2dcb0e42df9
SHA512: 048e6825cc06cd3cb5b0a9b16c0a751fac7e1d9cdde791bf52617324b40e5d356438e76dd03a9063819a5a56ba157481d02ef02b2b48adcc15189447f56d8259
SSDEEP: 1536:oGURxWcw4huwvVw6tfW2LGyvCbrIRQW1ooQUPRMcu30MUwZkTKr4:oDy/6p7GdbrIR/SoQUP5u30KqTKr4
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs
Malware Dropper & Backdoor - Berbew 28 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 28 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 4424, pid_target: 676, Process: WerFault.exe, procid_target: 111
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe (level 1) command line: "C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\Mjqjih32.exe (level 2) command line: C:\Windows\system32\Mjqjih32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Mahbje32.exe (level 3) command line: C:\Windows\system32\Mahbje32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Mciobn32.exe (level 4) command line: C:\Windows\system32\Mciobn32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Mjcgohig.exe (level 5) command line: C:\Windows\system32\Mjcgohig.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1196 -
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3712 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:64 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\Nkcmohbg.exeC:\Windows\system32\Nkcmohbg.exe29⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 40030⤵
- Program crash
PID:4424
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 676 -ip 6761⤵PID:4044
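The process list and the "wrote to memory" rows above describe one long relay: every dropped executable in SysWOW64 writes into the process it has just started, and that process repeats the pattern. The Python below is an added example and is not part of the sandbox report or of the tooling that produced it. It parses rows in the layout the report uses ("PID X wrote to memory of Y X image N", a layout assumed from the rows shown here), collapses the repeated rows the sandbox logs per write, and rebuilds the parent-to-child chain so an analyst can see the relay and its length at a glance. The explorer.exe row and its PIDs 7000/7001 are constructed as a benign control; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample input: the "wrote to memory" rows listed in the report
# above (with their verbatim repeats, since the sandbox logs one row per
# write), followed by one constructed, hypothetical benign row for a process
# (explorer.exe, PID 7000) that writes to a single child and stops there.
SAMPLE_ROWS = (
    "PID 1232 wrote to memory of 4792 1232 Mpolqa32.exe 94 "
    "PID 4792 wrote to memory of 4912 4792 Mjhqjg32.exe 95 "
    "PID 4792 wrote to memory of 4912 4792 Mjhqjg32.exe 95 "
    "PID 4792 wrote to memory of 4912 4792 Mjhqjg32.exe 95 "
    "PID 4912 wrote to memory of 5044 4912 Maohkd32.exe 96 "
    "PID 5044 wrote to memory of 3972 5044 Mcpebmkb.exe 97 "
    "PID 3972 wrote to memory of 5108 3972 Mjjmog32.exe 98 "
    "PID 5108 wrote to memory of 4660 5108 Mpdelajl.exe 99 "
    "PID 4660 wrote to memory of 4692 4660 Nkjjij32.exe 101 "
    "PID 4692 wrote to memory of 1560 4692 Nnhfee32.exe 102 "
    "PID 1560 wrote to memory of 1436 1560 Nqfbaq32.exe 103 "
    "PID 1436 wrote to memory of 1072 1436 Nklfoi32.exe 104 "
    "PID 1072 wrote to memory of 2468 1072 Nddkgonp.exe 105 "
    "PID 7000 wrote to memory of 7001 7000 explorer.exe 1"
)

# Row layout: "PID <parent> wrote to memory of <child> <parent> <parent image> <n>".
# The parent PID appears twice, so the backreference \1 keeps a row from being
# read across a boundary; the trailing integer is a sandbox counter and is ignored.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")


def parse_edges(text):
    """Return unique (parent_pid, child_pid, parent_image) triples in first-seen order."""
    seen = {}
    for m in ROW_RE.finditer(text):
        seen.setdefault((int(m.group(1)), int(m.group(2))), m.group(3))
    return [(parent, child, image) for (parent, child), image in seen.items()]


def relay_chains(edges, min_len=4):
    """Find lineages in which each process writes into exactly one child, which in
    turn does the same. Returns a list of chains, each a list of (pid, image) from
    the root downwards; the last element's image is None because the rows only
    name the writing (parent) process."""
    children = defaultdict(list)
    image = {}
    all_children = set()
    for parent, child, img in edges:
        children[parent].append(child)
        image[parent] = img
        all_children.add(child)
    roots = [p for p in children if p not in all_children]
    chains = []
    for root in roots:
        chain, pid, visited = [(root, image[root])], root, {root}
        while len(children.get(pid, ())) == 1:
            pid = children[pid][0]
            if pid in visited:          # defensive: a cycle in malformed input
                break
            visited.add(pid)
            chain.append((pid, image.get(pid)))
        if len(chain) >= min_len:
            chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in relay_chains(parse_edges(SAMPLE_ROWS)):
        print(f"{len(chain)}-process relay: "
              + " -> ".join(f"{img or '?'}({pid})" for pid, img in chain))
```

On the rows above this yields a single 12-process chain from Mpolqa32.exe (1232) down to PID 2468, while the constructed explorer.exe row is too short to qualify; raise or lower min_len to tune how long a relay must be before it is reported.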
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 115KB
MD5 1eab379a79081323bc426a21e9860be8
SHA1 dc16718c4c75f7650a4a99fb18bd279b4ecb2124
SHA256 52de7abbf9cc8c3e20fea4e157addc46e8fc00bd106a040a785ef608ca3625ae
SHA512 2fb46a7772852ae34bb56d8dad15ceaea3833aa34bdfced4637a8783bd069b4646ff8038aa2c91f7ec55daa78aed75960c9e6bf7ed0eefc5d6c2a0f405f1468a
-
Filesize 115KB
MD5 ec5340bbfaca115611f944bb4109807f
SHA1 714f2954fab5b0966b63c9c0c3d4ec51cf91a8f4
SHA256 aca21872dafa10ee6bc1c29aa0dfb582a6ff77f48dc2966ef0c76f1fdafb507c
SHA512 ea76c797e23a527965d4b29f06d76c270e627f221dfd0bfc756eced25b49b16d3c5e091aedb0247dc60509d0a99e48e143db9affc294f9db86f097ba203d89d8
-
Filesize 115KB
MD5 1bbad646fb12d298168276b42235e3ee
SHA1 28c4879edbc8f76672104efc2d4c075abb556e50
SHA256 2cd815e4f213b829d744c983c9cd6d569f8d280b5aa470c3f0a1835f813b8e74
SHA512 15c620cd3133a3c61ef2d49878148dcb08892a2967a7f4566b9075c942cf2335bdd1c60bb120d12420dc052d31090e12604a502945d347bd3e68133e2f360b44
-
Filesize 115KB
MD5 89eacd666a9b5b6372a4eb11adce7e1a
SHA1 85f23ee3f0913d069ef0f83e4e35edc123a71846
SHA256 03ae5bfefc71b11ca0092a2e00d57a7746152cf3f5374312beb1f1c394d35ce6
SHA512 733f63a8740d5b0f1fe3ce4c52ba7648ef89abd1ad8dffbce0509b3e11fe21a0812054af441919d912b66b692873e2b16d7f394e91f9cb7c4f4346a067ae2610
-
Filesize 115KB
MD5 4482ca09b1fa6c542c74ea28cd06073d
SHA1 c6771c3319c08400206e5ce8838df75aa90eac0f
SHA256 aeca7d9dde2f32708c0536a68af0ebcbf32ca12ef7155bee2c41ae49ef37f462
SHA512 a1fcb315919ebd3d2407bfc445c30d9e178d22b3b1d992ed370e873fabd0b6917a32d53f79ef4096c1112c0aaf0bdec73c53604a747ea5c100df581b775da03d
-
Filesize 115KB
MD5 fd0fcd0648f33a1b6339683ca724d398
SHA1 35dfec5609cc651aef936c63d193c1c1294323b3
SHA256 c1ce43c658fc33ed52b229f4ed4ae6fe22dc245933a6401be4a8d5fb13dc7f54
SHA512 c9c9a0e51baed47c0ab7ec9a6444522bb651fb4d73eee61a09b568853aefc2c4667a3771ae3f8efe118802683002143f55373c01e17661b09908fdafc6498177
-
Filesize 115KB
MD5 42dd54dac1547795ed2b0a4d12e44576
SHA1 4e196d2d52fdf3e5299a33233b13a7e1b29a8923
SHA256 c11d8d82a7f79c2f665a26ed9b1ea4b089c9b1d4bfbb8b4afb73b3b3818fc851
SHA512 5d8080d9939743c8f4b509adb5c2511d9900af2c876ab03ca3d9497694c122a808581b7b9987911246db7f9fc7e481cc41d4fd68fc93e7748ff6e34b518a0305
-
Filesize 115KB
MD5 c647f5c1e7c1e136b0c163065585fc0b
SHA1 9734dd5fd29a37847f5b8be3d31b5751e1ac36da
SHA256 d7bfcae37efbeb6f04297baa9aee98d44f710721736d4962f693e99e3cc71779
SHA512 b9befd603787aa46d43456dd280493b1dd1ed00c4f4b812f22dfe8459c4ee3336996490841a2e8f2c1f359b943a01661770850888a58b78b85d2d6276b0b2c0f
-
Filesize 115KB
MD5 a948197bcef0128f5b0d8c63fe22dd7b
SHA1 07360c5cb1e9e801fe6e20a5c52f45120bb1c187
SHA256 375752dcf84bd1cb4a2f1f5a91181d438fb34a99631e61da332f2ffa0dc72e99
SHA512 9f8f5b78ae6cd22289d78c137f017ace785c5aa53e653c0cdc4797091e137355856329052065f57f301a9610b053375b941e23638ed048337e7646e79cf3cd40
-
Filesize 115KB
MD5 dc0b11c1281232a8c9475d4e9fac8f97
SHA1 cb77bd2d9d64ce58e40f213bbd726db5208477aa
SHA256 d36dc626f1cbb41143fa233f655ac563e38aea430491d3750866cbb281d527d7
SHA512 46f2f305029b72f3a22f768a0900a8b515250e4d037d638e926b9aa7dbce35170aca5c447686c0d9b3fa274befda7802a34ca953480342dd1d4a60d1ed6efe5a
-
Filesize 115KB
MD5 001542a69507912c217084dbdcd5e826
SHA1 f977f6cb82091fdf591b82a9499dd67743276b9a
SHA256 13e060b2742f3556df7dd1a585ea23d42483d6a947c234df94ea1408007990f8
SHA512 fa4f589c8856c627382c69fe0014130729ffe03edb2a643c1ce5c301d56263f2899c9bc62e52e056da74358461162d9ff4cfed5bc90a860c922b7ebe08543d5d
-
Filesize 115KB
MD5 2aede822052a6893e2aead38d220fdd5
SHA1 0a980fac68493588c78de98e010f3454bc49c53f
SHA256 54295920c04bb39bbad0f1c1621c8f377f11a72e02056130d544a01c876b07d0
SHA512 3d213cab541188104a2349039560273fdc2e04843cee1190fac4a32d03891e41f208f0ae90b8c72ec5baaeb2f17ba9beb5ac65c51e6bfef35df837e1989673d0
-
Filesize 115KB
MD5 f5d86d813651fb94551dc63288399d66
SHA1 0679bcc5719a0975d18c4935a782824e92b7f18f
SHA256 eab2d5ecdee60419d5ab438a168ce4f7ba497b1a7bf622871c85969a2aeba9b7
SHA512 502463a6c4cf55e816643e5419c639bce1a1c75165111ab072f573141dfe7034cec1e652b2fdbf58fa38dff80f8bd5cb4701cbc665fa91407361b00dbd389078
-
Filesize 115KB
MD5 11004dfcb790ded233a5567f8a4595cc
SHA1 afd7b27f8f70900c9a2999fc5c4f4d6699650e09
SHA256 ce334aa8e38d3d2683abb17b272f5c2950564ae7c6f2820254ee94e095db6d1f
SHA512 14c7408b61cdd021c892173b1cb02991fe10d976340ea44897e324e2f4d5db467bad9927a9e4808c83a8b4f185574540da28165562bc08734e2ed6a0adc81f43
-
Filesize 115KB
MD5 aec099cd34280cb0ce475d839193ff74
SHA1 779a839c8f69fcda4bbf1bdb84d868c8b5a3bfc7
SHA256 abc0ce4cbb6082e558eeba5b6a33bb1ff91c59c771556f0caa16e735dae5ae9a
SHA512 06c0e0e8ad417a0b034331dbefb9f05476fa3547c0871a5ff23abb21d128cbf430d2848b640048a9486601877df01b0b1d10079d1fad0049bfa0f48c7d33ff40
-
Filesize 115KB
MD5 e4434032eea8b0fd9c44d36c831c07b6
SHA1 dc4fc6dfbea43a30e5a9bce65e7fc63c7a2432e2
SHA256 8703f3e26232d61e286c40a172ef51d4efd3c4a19913f078a1c5ab2923fce2d2
SHA512 aaf91a379717d1826bba305e7813a4795cbdbfc10df849ff089fa29c67762efe68bb4e5f7c9eb8f6bf9090579a9c44c04e51064d9a53e303ab609d9e5528fce0
-
Filesize 115KB
MD5 eea86daf3ff73b2d820fd6867d87eaa1
SHA1 70764848cc175f034bd7064ac084dfa40994d51d
SHA256 5518e719ffd358d07ef7a51adf21e5bc2989edaab0b1fd9747be774dd1e61bea
SHA512 9d384bbcb96bbd23eb52f662dd9fda90ef8f792fcf9ee6264071616b10e8383428ddb660cdee356e69467e4b4bb22c5b2e10d35c54cbd77f17722fa5666f2241
-
Filesize 115KB
MD5 60c9c6e8e9fee67d76ada412f30af4ab
SHA1 06d53275e3e5932789670aad8ef96ee889867815
SHA256 cee6a045cec835c2866341232f5e4107cc11418009989d71eea9bd21317df8a3
SHA512 463997be5b690da6dce60c7635c55a7a2f1e7d6235bc72b4ee2a643896b37bdb2e7cde85495b0469b945f4f342336b593841f92a0f2d60e766f679b925fd1bea
-
Filesize 115KB
MD5 5f830cf49d33ca28afacbf2682ddd530
SHA1 8ebda3a448930356908148c46552c25080d1c0d4
SHA256 0e87e900193edcdcc924b9a2306898d040f947a6b585b371de992e9d830498c0
SHA512 c82a4a5a12778d697c4a4481d8f7664510876f0b69fdd84887fcb10ea2a8526da234c57ebcdcfab7626076b061d522efa9b4cdcf32ce7feaeae97b0b981da5e4
-
Filesize 115KB
MD5 539ccd065f99ef2352628097940f1911
SHA1 a71a4fc07bae84753b226b899f9b448df73adafc
SHA256 1f50b0adcc34c3dbb84160f3fc95f3c6dcf14d2de578b8b4a7f9dbc9a09f5ed4
SHA512 1cc34b257eb05a75b7afcb202e25323dad250f17aa11a6118b8054a6c42a061bbca6f0404a728b142237ecfb92ebd3e9ded28f43ae92e7bab37fd7aa513b35c8
-
Filesize 115KB
MD5 cef556d52c781c44cc096d0ffb09b0dd
SHA1 1e856d33c83a3406060bd409bfb993a7314ec2d6
SHA256 948a0e5333996ecca6b387e3c63766728f25721c93a67c80b953c4ebdb4c35ec
SHA512 b543efcee029643227c8621ea9475c34a9701a1a652708c7fe91569571ded2e2555f44aa27db8da7afae52cbe0b132a5278b61f97670d1ad6f811c52c4f1c0ea
-
Filesize 115KB
MD5 3876f29ff0f024808f3e2782e9da6dec
SHA1 a351a54146f1e8324a203ea43097c4d385d2da1f
SHA256 79a6f2e716458c93929bd1c70de356b8428ca4f7f61740396a8639352ac1be9f
SHA512 8fa2841092941e1a443ff1f2836f1e4603d403ede01cfcdd6cd2ac7a03377bbe34d2e39b02123ef1cb90ede2f3ec38c19662ed5c68140a6ddbe3977d5717841a
-
Filesize 115KB
MD5 48fab0ab836fd7ff25f897523ef0b1ac
SHA1 9df14edc3ba7cd31288201c558940d717231fc68
SHA256 6ebf0b1820255cfea496cad141648476a0b4e1a1a41955e4e3d56b20827309e6
SHA512 49ef56273a3f00c90cd81c90091f4e3f757a38a91bd51519e5c5444c731785490a6e9a7b7901362f76190168dba8c46e89c138a9738acd8ece388564f6e1624b
-
Filesize 115KB
MD5 45dc7e9a32c3845ba41f0b2cad53e2ab
SHA1 82bc3e1dc46d9db79af19a36a2db205402cac44d
SHA256 b2bd1dfb5dc51c45597238dd3718fec9e85a8a2b19f228262e25d512a5b08b9c
SHA512 0881938f0343d89a92702bec3278a7101cd95d53f3f763ea6fd29aa14fbe7aa959f0cb4d5cececc6db01847ae38a9d8484f72f621e0a5fb8e65ce706f7d534ed
-
Filesize 115KB
MD5 260a9a6ec3e6a9aff54c5dee748bacc1
SHA1 f2bf360b32c6419e9d6010b4fe66837467cd795a
SHA256 7e00193d1f53de0ed9c957d5ab0003f1fee7d1a4ced409ae368e30bace82c020
SHA512 578ce479bb730ce48f661dc812dbe75e1f67dd865405af6f060a92ced56d82fe7ea46f6fd5f8eced82045be71b615858decaa1b16dcf0006e0b54f561ababd86
-
Filesize 115KB
MD5 1ea5192707504d81ab2658a47c8ecca0
SHA1 9e92cb837263059710315e9e63b5f5411a864dfc
SHA256 c737e2826bb3fd3766921a8a1f525b0cbe976d56b75f9c0aa2f22fd8816c237b
SHA512 a9808c6989cd3bb406bc4ed038827f10f3313cab85ff540edf9cc7400bae8b210c93d6161add2cae694fd9b4f6939ff33e33200d30df32a23a6554166d4454d3
-
Filesize 115KB
MD5 f0108077712b1494417545d35bc05eb7
SHA1 116b2701feed1974800e904e73586962cb5ec576
SHA256 e2fbe995048ee02a4573d8374f74e3332920a3acf775793a7c4795af21b7f6a5
SHA512 3364c553354682edf3975c7e4058124c6bf03cf04aa1416f824dabe33a447bc5deb47ab349c57a3a77dfeeee4e8005629d8f14a52169cc75d07a8799070a00b2
-
Filesize 115KB
MD5 a9284e54e70080a50551cbf425bbe420
SHA1 2a06554f88d41f8dcb03f3c27e29b02613e601cc
SHA256 a9f96907fb99271cc85aa7f3efe737a2d0ef3d287a6e64ff79de75df567346b2
SHA512 1cf28a6c5d8cc1064a382f78f2fe996c09f19094ef790bf4a09fc4274548750f9d521acad35447fc2f27c01b99ee88351824c8e204f0077af8f88b231d7822ff
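Every Downloads entry above is one dropped file with four digests, rendered with the label fused to the hex value. The Python below is an added example, not part of the report or of the sandbox's own tooling: it loads digests from text in that layout (with or without a space after the label), rejects digests of the wrong length so a truncated copy-paste cannot silently weaken the IOC set, and then hashes a directory tree against the set in a single pass per file. The first entry's digests are copied from the list above; the truncated SHA1 line, the temporary directory and the file written into it are constructed, and demo_scan and the other function names are mine.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample input: the first Downloads entry from the report above, in
# the label-fused form the page renders it, plus one deliberately truncated
# SHA1 line (constructed) to show that malformed digests are rejected on load.
SAMPLE_REPORT = """
Filesize
115KB
MD51eab379a79081323bc426a21e9860be8
SHA1dc16718c4c75f7650a4a99fb18bd279b4ecb2124
SHA25652de7abbf9cc8c3e20fea4e157addc46e8fc00bd106a040a785ef608ca3625ae
SHA5122fb46a7772852ae34bb56d8dad15ceaea3833aa34bdfced4637a8783bd069b4646ff8038aa2c91f7ec55daa78aed75960c9e6bf7ed0eefc5d6c2a0f405f1468a
SHA1deadbeef
"""

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Longest label first: if "SHA1" were tried before "SHA256", a fused
# "SHA256..." line would be read as label SHA1 with a digest starting "256".
LINE_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)\s*$",
                     re.IGNORECASE | re.MULTILINE)


def parse_iocs(text):
    """Return {algo: set(lowercase hex)} from report lines; drop digests of the wrong length."""
    iocs = {algo: set() for algo in DIGEST_LEN}
    for label, hexdigest in LINE_RE.findall(text):
        algo = label.lower()
        if len(hexdigest) == DIGEST_LEN[algo]:
            iocs[algo].add(hexdigest.lower())
    return iocs


def hash_file(path, algos):
    """Digest one file with several algorithms in a single read."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_tree(root, iocs, max_size=64 * 1024 * 1024):
    """Walk root and return [(path, algo, digest)] for every file whose digest is an IOC."""
    algos = [a for a, digests in iocs.items() if digests]
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue           # skip huge files; the dropped EXEs are about 115 KB
                digests = hash_file(path, algos)
            except OSError:
                continue               # locked or vanished file: keep scanning
            for algo, digest in digests.items():
                if digest in iocs[algo]:
                    hits.append((path, algo, digest))
    return hits


def demo_scan():
    """Stand-alone demonstration on a constructed temporary directory.
    Returns (hits before the file's digest is an IOC, hits after it is added)."""
    iocs = parse_iocs(SAMPLE_REPORT)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dropped_sample.bin")   # constructed file, not a real sample
        data = b"constructed placeholder content, not the real dropped file"
        with open(path, "wb") as fh:
            fh.write(data)
        before = scan_tree(tmp, iocs)
        iocs["sha256"].add(hashlib.sha256(data).hexdigest())
        after = scan_tree(tmp, iocs)
    return before, after


if __name__ == "__main__":
    before, after = demo_scan()
    print("hits before:", before)
    print("hits after:", [(os.path.basename(p), a) for p, a, _ in after])
```

For a real sweep, point scan_tree at C:\Windows\SysWOW64 (the drop location shown in the process list) with iocs built from the whole Downloads section; the length check matters because a digest missing a single hex character never matches anything and would otherwise pass unnoticed.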