Analysis

max time kernel: 131s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-05-2024 13:04
Behavioral task: behavioral1
  Sample: 514164a78503ab85875d44dace4123525bb21c43c18b07575a68b32a023cd43f_NeikiAnalytics.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 514164a78503ab85875d44dace4123525bb21c43c18b07575a68b32a023cd43f_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General

Target: 514164a78503ab85875d44dace4123525bb21c43c18b07575a68b32a023cd43f_NeikiAnalytics.exe
Size: 176KB
MD5: dfaae094ed57143d2b162159aa4b0ec0
SHA1: 4222f2d7525cdb207bdb3ac82b8d07c2c22f7c79
SHA256: 514164a78503ab85875d44dace4123525bb21c43c18b07575a68b32a023cd43f
SHA512: d8a0795b5f9be0b73ffcd23f52c14cb5733dc20ba59cb985958e9ba53b26ea9f31dc25fe6946803eb1e065374214f10e9bbd3d936bedc200b68082cd7079e2ed
SSDEEP: 3072:Ext6NTDu4J4UjmOiBn3w8BdTj2h33ppaS46HUF2pMXSfN6RnQShl:OGTB1jVu3w8BdTj2V3ppQ60MMCf0RnQ4

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Explorer.exe instantiates every CLSID listed under HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad as an in-process COM server when the shell starts. Each stage of this sample writes the value "Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}" under the WOW6432Node view of that key (the sample is 32-bit, hence WOW6432Node and SysWOW64 throughout), and the "Modifies registry class" signature below shows the same CLSID's InProcServer32 being pointed at a freshly dropped DLL. The payload therefore runs inside explorer.exe at every logon without a Run key, scheduled task or service. A hunt for this technique has to read both the native and the WOW6432Node ShellServiceObjectDelayLoad keys and resolve each CLSID to its InProcServer32 path.

description: Key created
ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Process (31): Lilanioo.exe, Lgpagm32.exe, Jbocea32.exe, Ncldnkae.exe, Ijfboafl.exe, Imdnklfp.exe, Ndghmo32.exe, Jidbflcj.exe, Jkfkfohj.exe, Mpkbebbf.exe, Idofhfmm.exe, Mdpalp32.exe, Mgekbljc.exe, Mdmegp32.exe, Lddbqa32.exe, Lgneampk.exe, Kajfig32.exe, Lpfijcfl.exe, Jfhbppbc.exe, Jdhine32.exe, Majopeii.exe, Lkgdml32.exe, Laefdf32.exe, Mglack32.exe, 514164a78503ab85875d44dace4123525bb21c43c18b07575a68b32a023cd43f_NeikiAnalytics.exe, Jbhmdbnp.exe, Kkpnlm32.exe, Jfaloa32.exe, Jagqlj32.exe, Mnlfigcc.exe, Iiffen32.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Process (33): Lddbqa32.exe, Nddkgonp.exe, Jagqlj32.exe, Jfffjqdf.exe, Kpccnefa.exe, Kajfig32.exe, Kkbkamnl.exe, Ibmmhdhm.exe, Jjpeepnb.exe, Kcifkp32.exe, Mdkhapfj.exe, Ldkojb32.exe, Lgbnmm32.exe, Mpkbebbf.exe, Ijhodq32.exe, Maohkd32.exe, Kgmlkp32.exe, Kpjjod32.exe, Lmccchkn.exe, Lnepih32.exe, Lilanioo.exe, Nafokcol.exe, Ibojncfj.exe, Imdnklfp.exe, Mdpalp32.exe, Nqfbaq32.exe, Kmegbjgn.exe, Nnolfdcn.exe, Ljnnch32.exe, Mnlfigcc.exe, Kagichjo.exe, Mgidml32.exe, Mjjmog32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)

Berbew is a backdoor Trojan with the capability to download and install additional malicious software, such as other Trojans, ransomware and cryptominers.

yara_rule: family_berbew (all 64 hits)

memory resources, behavioral2/memory/<pid>-<n>-0x0000000000400000-0x000000000043F000-memory.dmp, <pid>-<n> in:
1644-0, 4260-7, 2252-20, 2012-23, 1096-36, 3996-44, 1496-48, 3684-55, 2464-64, 4144-72, 860-80, 4856-88, 4624-96, 1428-104, 3508-111, 2672-120, 368-127, 3180-136, 4940-144, 392-156, 3536-160, 1492-167, 4384-175, 3096-184, 4680-192, 1396-204, 4988-208, 960-220, 2360-224, 4492-232, 1828-239, 1212-247

file resources (sandbox captures of the dropped executables), behavioral2/files/<id>-<n>.dat, <id>-<n> in:
0x000800000002343f-6, 0x0007000000023444-14, 0x0007000000023446-22, 0x0007000000023448-30, 0x000700000002344a-38, 0x000700000002344c-46, 0x000700000002344e-54, 0x0007000000023450-62, 0x0007000000023452-70, 0x0007000000023454-78, 0x0007000000023456-86, 0x0007000000023458-94, 0x000700000002345a-102, 0x000700000002345c-110, 0x000700000002345e-118, 0x0007000000023460-126, 0x0007000000023462-134, 0x0007000000023464-142, 0x0007000000023466-150, 0x0007000000023468-158, 0x000700000002346a-166, 0x000700000002346c-174, 0x0008000000023440-182, 0x000700000002346f-190, 0x0007000000023471-198, 0x0007000000023473-206, 0x0007000000023475-214, 0x0007000000023477-222, 0x0007000000023479-230, 0x000700000002347b-238, 0x000700000002347d-241, 0x000700000002347f-254
Executes dropped EXE (64 IoCs)

pid   Process
4260  Ipnalhii.exe
2252  Ibmmhdhm.exe
2012  Iiffen32.exe
1096  Ibojncfj.exe
3996  Ijfboafl.exe
1496  Imdnklfp.exe
3684  Idofhfmm.exe
2464  Ijhodq32.exe
4144  Imgkql32.exe
860   Idacmfkj.exe
4856  Iinlemia.exe
4624  Jpgdbg32.exe
1428  Jfaloa32.exe
3508  Jagqlj32.exe
2672  Jbhmdbnp.exe
368   Jjpeepnb.exe
3180  Jdhine32.exe
4940  Jfffjqdf.exe
392   Jidbflcj.exe
3536  Jpojcf32.exe
1492  Jfhbppbc.exe
4384  Jigollag.exe
3096  Jpaghf32.exe
4680  Jbocea32.exe
1396  Jkfkfohj.exe
4988  Kmegbjgn.exe
960   Kpccnefa.exe
2360  Kgmlkp32.exe
4492  Kmgdgjek.exe
1828  Kdaldd32.exe
1212  Kkkdan32.exe
4808  Kphmie32.exe
2472  Kknafn32.exe
4356  Kagichjo.exe
2076  Kpjjod32.exe
568   Kcifkp32.exe
2060  Kkpnlm32.exe
4540  Kajfig32.exe
1860  Kpmfddnf.exe
3520  Kkbkamnl.exe
3852  Liekmj32.exe
2340  Lpocjdld.exe
2376  Ldkojb32.exe
2280  Lmccchkn.exe
3152  Lpappc32.exe
1516  Lcpllo32.exe
2880  Lkgdml32.exe
4028  Lnepih32.exe
2668  Lpcmec32.exe
1452  Ldohebqh.exe
5100  Lgneampk.exe
3228  Lilanioo.exe
4744  Laciofpa.exe
4460  Lpfijcfl.exe
5020  Lgpagm32.exe
4688  Ljnnch32.exe
3844  Laefdf32.exe
4736  Lddbqa32.exe
2956  Lgbnmm32.exe
2452  Mnlfigcc.exe
4904  Mpkbebbf.exe
4040  Mdfofakp.exe
1380  Mgekbljc.exe
704   Mkpgck32.exe
Drops file in System32 directory (64 IoCs)

Each stage drops the next stage's .exe and its own COM server .dll into C:\Windows\SysWOW64 (the 32-bit system directory).

description                   ioc                                  Process
File created                  C:\Windows\SysWOW64\Fibjjh32.dll     Nceonl32.exe
File created                  C:\Windows\SysWOW64\Ncldnkae.exe     Ndidbn32.exe
File created                  C:\Windows\SysWOW64\Ijhodq32.exe     Idofhfmm.exe
File created                  C:\Windows\SysWOW64\Jpgdbg32.exe     Iinlemia.exe
File opened for modification  C:\Windows\SysWOW64\Jigollag.exe     Jfhbppbc.exe
File opened for modification  C:\Windows\SysWOW64\Lmccchkn.exe     Ldkojb32.exe
File created                  C:\Windows\SysWOW64\Kgkocp32.dll     Lgneampk.exe
File opened for modification  C:\Windows\SysWOW64\Mglack32.exe     Mdmegp32.exe
File created                  C:\Windows\SysWOW64\Ibmmhdhm.exe     Ipnalhii.exe
File created                  C:\Windows\SysWOW64\Kphmie32.exe     Kkkdan32.exe
File created                  C:\Windows\SysWOW64\Kagichjo.exe     Kknafn32.exe
File created                  C:\Windows\SysWOW64\Cmafhe32.dll     Ldkojb32.exe
File created                  C:\Windows\SysWOW64\Ockcknah.dll     Majopeii.exe
File created                  C:\Windows\SysWOW64\Jbhmdbnp.exe     Jagqlj32.exe
File opened for modification  C:\Windows\SysWOW64\Ldkojb32.exe     Lpocjdld.exe
File opened for modification  C:\Windows\SysWOW64\Laefdf32.exe     Ljnnch32.exe
File created                  C:\Windows\SysWOW64\Nqfbaq32.exe     Nnhfee32.exe
File opened for modification  C:\Windows\SysWOW64\Nkcmohbg.exe     Ncldnkae.exe
File created                  C:\Windows\SysWOW64\Bgcomh32.dll     Lpcmec32.exe
File opened for modification  C:\Windows\SysWOW64\Lilanioo.exe     Lgneampk.exe
File created                  C:\Windows\SysWOW64\Pdgdjjem.dll     Mkbchk32.exe
File created                  C:\Windows\SysWOW64\Njacpf32.exe     Ngcgcjnc.exe
File opened for modification  C:\Windows\SysWOW64\Ncihikcg.exe     Ndghmo32.exe
File opened for modification  C:\Windows\SysWOW64\Ibojncfj.exe     Iiffen32.exe
File created                  C:\Windows\SysWOW64\Jpaghf32.exe     Jigollag.exe
File created                  C:\Windows\SysWOW64\Mkeebhjc.dll     Kkkdan32.exe
File opened for modification  C:\Windows\SysWOW64\Lddbqa32.exe     Laefdf32.exe
File created                  C:\Windows\SysWOW64\Lcpllo32.exe     Lpappc32.exe
File opened for modification  C:\Windows\SysWOW64\Iinlemia.exe     Idacmfkj.exe
File created                  C:\Windows\SysWOW64\Iljnde32.dll     Jkfkfohj.exe
File created                  C:\Windows\SysWOW64\Lpocjdld.exe     Liekmj32.exe
File created                  C:\Windows\SysWOW64\Dngdgf32.dll     Lcpllo32.exe
File opened for modification  C:\Windows\SysWOW64\Ldohebqh.exe     Lpcmec32.exe
File created                  C:\Windows\SysWOW64\Jfbhfihj.dll     Mgekbljc.exe
File opened for modification  C:\Windows\SysWOW64\Ibmmhdhm.exe     Ipnalhii.exe
File created                  C:\Windows\SysWOW64\Ebkdha32.dll     Idofhfmm.exe
File opened for modification  C:\Windows\SysWOW64\Jkfkfohj.exe     Jbocea32.exe
File created                  C:\Windows\SysWOW64\Gefncbmc.dll     Lgpagm32.exe
File created                  C:\Windows\SysWOW64\Hnibdpde.dll     Ncldnkae.exe
File created                  C:\Windows\SysWOW64\Kdaldd32.exe     Kmgdgjek.exe
File opened for modification  C:\Windows\SysWOW64\Kpjjod32.exe     Kagichjo.exe
File opened for modification  C:\Windows\SysWOW64\Kpmfddnf.exe     Kajfig32.exe
File created                  C:\Windows\SysWOW64\Ebaqkk32.dll     Ljnnch32.exe
File created                  C:\Windows\SysWOW64\Nkcmohbg.exe     Ncldnkae.exe
File created                  C:\Windows\SysWOW64\Flfmin32.dll     Mpkbebbf.exe
File created                  C:\Windows\SysWOW64\Mnapdf32.exe     Mkbchk32.exe
File created                  C:\Windows\SysWOW64\Jagqlj32.exe     Jfaloa32.exe
File opened for modification  C:\Windows\SysWOW64\Kmgdgjek.exe     Kgmlkp32.exe
File opened for modification  C:\Windows\SysWOW64\Lpocjdld.exe     Liekmj32.exe
File created                  C:\Windows\SysWOW64\Jchbak32.dll     Liekmj32.exe
File created                  C:\Windows\SysWOW64\Baefid32.dll     Lnepih32.exe
File created                  C:\Windows\SysWOW64\Kmdigkkd.dll     Mnlfigcc.exe
File created                  C:\Windows\SysWOW64\Fhpdhp32.dll     Mpdelajl.exe
File created                  C:\Windows\SysWOW64\Nafokcol.exe     Nklfoi32.exe
File created                  C:\Windows\SysWOW64\Ndghmo32.exe     Njacpf32.exe
File created                  C:\Windows\SysWOW64\Nkqpjidj.exe     Ncihikcg.exe
File created                  C:\Windows\SysWOW64\Eddbig32.dll     Imdnklfp.exe
File created                  C:\Windows\SysWOW64\Eilljncf.dll     Jbocea32.exe
File opened for modification  C:\Windows\SysWOW64\Mdkhapfj.exe     Mnapdf32.exe
File opened for modification  C:\Windows\SysWOW64\Maohkd32.exe     Mncmjfmk.exe
File created                  C:\Windows\SysWOW64\Oaehlf32.dll     Mdmegp32.exe
File opened for modification  C:\Windows\SysWOW64\Njacpf32.exe     Ngcgcjnc.exe
File created                  C:\Windows\SysWOW64\Gkillp32.dll     Ibmmhdhm.exe
File created                  C:\Windows\SysWOW64\Iinlemia.exe     Idacmfkj.exe
Program crash (1 IoC)

pid   pid_target  Process       procid_target
5452  5352        WerFault.exe  182
Modifies registry class (64 IoCs)

All 64 entries concern one CLSID, {79FEACFF-FFCE-815E-A900-316290B5B738}, the same one named by the ShellServiceObjectDelayLoad value above. The key is created once under HKLM\SOFTWARE\Classes\WOW6432Node\CLSID, then each stage sets the InProcServer32 default value to the DLL it just dropped in C:\Windows\SysWow64 with ThreadingModel = "Apartment"; because the CLSID is shared, the last DLL written is the one explorer.exe loads.

description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID
Process (1): 514164a78503ab85875d44dace4123525bb21c43c18b07575a68b32a023cd43f_NeikiAnalytics.exe

description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Process (16): Nkjjij32.exe, Lkgdml32.exe, Ncihikcg.exe, Lpappc32.exe, Iiffen32.exe, Kmegbjgn.exe, Jbhmdbnp.exe, Mgidml32.exe, Kkpnlm32.exe, Kpccnefa.exe, Lddbqa32.exe, Jfaloa32.exe, Nqfbaq32.exe, Kgmlkp32.exe, Nnhfee32.exe, Mnlfigcc.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Process (25): Lgpagm32.exe, Lddbqa32.exe, Mgidml32.exe, Nceonl32.exe, Nddkgonp.exe, Maohkd32.exe, Imdnklfp.exe, Kmgdgjek.exe, Kcifkp32.exe, Lnepih32.exe, Jpojcf32.exe, Mpkbebbf.exe, Lcpllo32.exe, 514164a78503ab85875d44dace4123525bb21c43c18b07575a68b32a023cd43f_NeikiAnalytics.exe, Nafokcol.exe, Iinlemia.exe, Lpfijcfl.exe, Kmegbjgn.exe, Kphmie32.exe, Lgneampk.exe, Nqmhbpba.exe, Mkbchk32.exe, Mdiklqhm.exe, Mpdelajl.exe, Lgbnmm32.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "<DLL>"
<DLL>, Process (22):
C:\\Windows\\SysWow64\\Fneiph32.dll  Maohkd32.exe
C:\\Windows\\SysWow64\\Hehifldd.dll  Kpccnefa.exe
C:\\Windows\\SysWow64\\Ihaoimoh.dll  Kphmie32.exe
C:\\Windows\\SysWow64\\Jfbhfihj.dll  Mgekbljc.exe
C:\\Windows\\SysWow64\\Ockcknah.dll  Majopeii.exe
C:\\Windows\\SysWow64\\Nngcpm32.dll  Lkgdml32.exe
C:\\Windows\\SysWow64\\Pbcfgejn.dll  Mncmjfmk.exe
C:\\Windows\\SysWow64\\Ebkdha32.dll  Idofhfmm.exe
C:\\Windows\\SysWow64\\Kgkocp32.dll  Lgneampk.exe
C:\\Windows\\SysWow64\\Ciiqgjgg.dll  Mgidml32.exe
C:\\Windows\\SysWow64\\Pkckjila.dll  Ndghmo32.exe
C:\\Windows\\SysWow64\\Iljnde32.dll  Jkfkfohj.exe
C:\\Windows\\SysWow64\\Bgcomh32.dll  Lpcmec32.exe
C:\\Windows\\SysWow64\\Kmdigkkd.dll  Mnlfigcc.exe
C:\\Windows\\SysWow64\\Mnnkcb32.dll  Iinlemia.exe
C:\\Windows\\SysWow64\\Ogndib32.dll  Lmccchkn.exe
C:\\Windows\\SysWow64\\Jcoegc32.dll  Nklfoi32.exe
C:\\Windows\\SysWow64\\Gmbkmemo.dll  Ipnalhii.exe
C:\\Windows\\SysWow64\\Dbcjkf32.dll  Jpojcf32.exe
C:\\Windows\\SysWow64\\Eilljncf.dll  Jbocea32.exe
C:\\Windows\\SysWow64\\Dngdgf32.dll  Lcpllo32.exe
C:\\Windows\\SysWow64\\Cnacjn32.dll  Mdkhapfj.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1644 wrote to memory of 4260 1644 514164a78503ab85875d44dace4123525bb21c43c18b07575a68b32a023cd43f_NeikiAnalytics.exe 83
PID 1644 wrote to memory of 4260 1644 514164a78503ab85875d44dace4123525bb21c43c18b07575a68b32a023cd43f_NeikiAnalytics.exe 83
PID 1644 wrote to memory of 4260 1644 514164a78503ab85875d44dace4123525bb21c43c18b07575a68b32a023cd43f_NeikiAnalytics.exe 83
PID 4260 wrote to memory of 2252 4260 Ipnalhii.exe 84
PID 4260 wrote to memory of 2252 4260 Ipnalhii.exe 84
PID 4260 wrote to memory of 2252 4260 Ipnalhii.exe 84
PID 2252 wrote to memory of 2012 2252 Ibmmhdhm.exe 87
PID 2252 wrote to memory of 2012 2252 Ibmmhdhm.exe 87
PID 2252 wrote to memory of 2012 2252 Ibmmhdhm.exe 87
PID 2012 wrote to memory of 1096 2012 Iiffen32.exe 88
PID 2012 wrote to memory of 1096 2012 Iiffen32.exe 88
PID 2012 wrote to memory of 1096 2012 Iiffen32.exe 88
PID 1096 wrote to memory of 3996 1096 Ibojncfj.exe 89
PID 1096 wrote to memory of 3996 1096 Ibojncfj.exe 89
PID 1096 wrote to memory of 3996 1096 Ibojncfj.exe 89
PID 3996 wrote to memory of 1496 3996 Ijfboafl.exe 90
PID 3996 wrote to memory of 1496 3996 Ijfboafl.exe 90
PID 3996 wrote to memory of 1496 3996 Ijfboafl.exe 90
PID 1496 wrote to memory of 3684 1496 Imdnklfp.exe 91
PID 1496 wrote to memory of 3684 1496 Imdnklfp.exe 91
PID 1496 wrote to memory of 3684 1496 Imdnklfp.exe 91
PID 3684 wrote to memory of 2464 3684 Idofhfmm.exe 92
PID 3684 wrote to memory of 2464 3684 Idofhfmm.exe 92
PID 3684 wrote to memory of 2464 3684 Idofhfmm.exe 92
PID 2464 wrote to memory of 4144 2464 Ijhodq32.exe 93
PID 2464 wrote to memory of 4144 2464 Ijhodq32.exe 93
PID 2464 wrote to memory of 4144 2464 Ijhodq32.exe 93
PID 4144 wrote to memory of 860 4144 Imgkql32.exe 94
PID 4144 wrote to memory of 860 4144 Imgkql32.exe 94
PID 4144 wrote to memory of 860 4144 Imgkql32.exe 94
PID 860 wrote to memory of 4856 860 Idacmfkj.exe 95
PID 860 wrote to memory of 4856 860 Idacmfkj.exe 95
PID 860 wrote to memory of 4856 860 Idacmfkj.exe 95
PID 4856 wrote to memory of 4624 4856 Iinlemia.exe 96
PID 4856 wrote to memory of 4624 4856 Iinlemia.exe 96
PID 4856 wrote to memory of 4624 4856 Iinlemia.exe 96
PID 4624 wrote to memory of 1428 4624 Jpgdbg32.exe 97
PID 4624 wrote to memory of 1428 4624 Jpgdbg32.exe 97
PID 4624 wrote to memory of 1428 4624 Jpgdbg32.exe 97
PID 1428 wrote to memory of 3508 1428 Jfaloa32.exe 98
PID 1428 wrote to memory of 3508 1428 Jfaloa32.exe 98
PID 1428 wrote to memory of 3508 1428 Jfaloa32.exe 98
PID 3508 wrote to memory of 2672 3508 Jagqlj32.exe 99
PID 3508 wrote to memory of 2672 3508 Jagqlj32.exe 99
PID 3508 wrote to memory of 2672 3508 Jagqlj32.exe 99
PID 2672 wrote to memory of 368 2672 Jbhmdbnp.exe 101
PID 2672 wrote to memory of 368 2672 Jbhmdbnp.exe 101
PID 2672 wrote to memory of 368 2672 Jbhmdbnp.exe 101
PID 368 wrote to memory of 3180 368 Jjpeepnb.exe 102
PID 368 wrote to memory of 3180 368 Jjpeepnb.exe 102
PID 368 wrote to memory of 3180 368 Jjpeepnb.exe 102
PID 3180 wrote to memory of 4940 3180 Jdhine32.exe 103
PID 3180 wrote to memory of 4940 3180 Jdhine32.exe 103
PID 3180 wrote to memory of 4940 3180 Jdhine32.exe 103
PID 4940 wrote to memory of 392 4940 Jfffjqdf.exe 105
PID 4940 wrote to memory of 392 4940 Jfffjqdf.exe 105
PID 4940 wrote to memory of 392 4940 Jfffjqdf.exe 105
PID 392 wrote to memory of 3536 392 Jidbflcj.exe 106
PID 392 wrote to memory of 3536 392 Jidbflcj.exe 106
PID 392 wrote to memory of 3536 392 Jidbflcj.exe 106
PID 3536 wrote to memory of 1492 3536 Jpojcf32.exe 107
PID 3536 wrote to memory of 1492 3536 Jpojcf32.exe 107
PID 3536 wrote to memory of 1492 3536 Jpojcf32.exe 107
PID 1492 wrote to memory of 4384 1492 Jfhbppbc.exe 108
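The WriteProcessMemory events above are the sandbox's view of the sample's propagation: each process writes into exactly one freshly created child (three writes per child, as the report logs it), and the child is a new pseudo-randomly named copy in SysWOW64 that repeats the step. Reconstructing that chain from the raw events is what an analyst does to decide whether the tree is a launcher plus payload or a self-replicating loop. The following is an added example and not part of the report: a parser that de-duplicates the triplicated events, rebuilds the writer-to-target chain and applies a structural heuristic for the worm-like pattern. The event line format and the short excerpt are my assumptions and constructed input copied from the list above; the threshold in `flag_worm_like` is arbitrary.

```python
import re
from collections import defaultdict

# Constructed sample: "Suspicious use of WriteProcessMemory" events copied from
# this report. Only the first hops are included; the report logs each hop 3 times.
SAMPLE_WPM = """
PID 1644 wrote to memory of 4260 1644 514164a78503ab85875d44dace4123525bb21c43c18b07575a68b32a023cd43f_NeikiAnalytics.exe 83
PID 1644 wrote to memory of 4260 1644 514164a78503ab85875d44dace4123525bb21c43c18b07575a68b32a023cd43f_NeikiAnalytics.exe 83
PID 1644 wrote to memory of 4260 1644 514164a78503ab85875d44dace4123525bb21c43c18b07575a68b32a023cd43f_NeikiAnalytics.exe 83
PID 4260 wrote to memory of 2252 4260 Ipnalhii.exe 84
PID 4260 wrote to memory of 2252 4260 Ipnalhii.exe 84
PID 4260 wrote to memory of 2252 4260 Ipnalhii.exe 84
PID 2252 wrote to memory of 2012 2252 Ibmmhdhm.exe 87
PID 2012 wrote to memory of 1096 2012 Iiffen32.exe 88
PID 1096 wrote to memory of 3996 1096 Ibojncfj.exe 89
"""

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"; the
# back-reference insists that the repeated writer PID is consistent.
WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<procid>\d+)$')


def parse_wpm(text):
    """Return ordered, de-duplicated (src_pid, dst_pid, src_image) edges plus a
    per-edge count of raw events, so the 3x repetition is preserved as data."""
    edges, counts = [], defaultdict(int)
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]), m["image"])
        if counts[key] == 0:
            edges.append(key)
        counts[key] += 1
    return edges, dict(counts)


def chains(edges):
    """Walk writer->target edges from each root (a writer nobody wrote into).

    Returns one list of (pid, image) per root. The image of a leaf is unknown
    from these events alone (it never wrote anywhere), so it is reported as "?".
    A process that writes into more than one target ends the walk: the chain
    reported is then the linear prefix only.
    """
    children, image_of, targets = defaultdict(list), {}, set()
    for src, dst, img in edges:
        children[src].append(dst)
        image_of[src] = img
        targets.add(dst)
    roots = list(dict.fromkeys(src for src, _, _ in edges if src not in targets))
    result = []
    for root in roots:
        chain, pid, seen = [], root, set()
        while pid is not None and pid not in seen:
            seen.add(pid)
            chain.append((pid, image_of.get(pid, "?")))
            kids = children.get(pid, [])
            pid = kids[0] if len(kids) == 1 else None
        result.append(chain)
    return result


def flag_worm_like(chain, min_hops=3):
    """Structural heuristic matching this report: a linear chain of at least
    min_hops injections in which every writer carries a different image name.
    A launcher that injects once, or a service that re-spawns the same image,
    does not match; combine with an image allow-list before alerting on it."""
    hops = len(chain) - 1
    images = [img for _, img in chain[:-1]]
    return hops >= min_hops and len(set(images)) == len(images)


if __name__ == "__main__":
    edges, counts = parse_wpm(SAMPLE_WPM)
    for chain in chains(edges):
        print(" -> ".join(f"{pid}:{img}" for pid, img in chain),
              "| worm-like:", flag_worm_like(chain))
```

Run against the full 64-event list on this page the same walk yields one chain of 22 writers, from PID 1644 down to PID 4384, which is exactly the process tree shown in the next section. The `counts` dictionary is worth keeping: a hop logged once instead of three times would be the first sign that a child was created differently.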
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\514164a78503ab85875d44dace4123525bb21c43c18b07575a68b32a023cd43f_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\514164a78503ab85875d44dace4123525bb21c43c18b07575a68b32a023cd43f_NeikiAnalytics.exe")
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644 -
Level 2: C:\Windows\SysWOW64\Ipnalhii.exe (command line: C:\Windows\system32\Ipnalhii.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4260 -
Level 3: C:\Windows\SysWOW64\Ibmmhdhm.exe (command line: C:\Windows\system32\Ibmmhdhm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2252 -
Level 4: C:\Windows\SysWOW64\Iiffen32.exe (command line: C:\Windows\system32\Iiffen32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012 -
Level 5: C:\Windows\SysWOW64\Ibojncfj.exe (command line: C:\Windows\system32\Ibojncfj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
Level 6: C:\Windows\SysWOW64\Ijfboafl.exe (command line: C:\Windows\system32\Ijfboafl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
Level 7: C:\Windows\SysWOW64\Imdnklfp.exe (command line: C:\Windows\system32\Imdnklfp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1496 -
Level 8: C:\Windows\SysWOW64\Idofhfmm.exe (command line: C:\Windows\system32\Idofhfmm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3684 -
Level 9: C:\Windows\SysWOW64\Ijhodq32.exe (command line: C:\Windows\system32\Ijhodq32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
Level 10: C:\Windows\SysWOW64\Imgkql32.exe (command line: C:\Windows\system32\Imgkql32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
Level 11: C:\Windows\SysWOW64\Idacmfkj.exe (command line: C:\Windows\system32\Idacmfkj.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:860 -
Level 12: C:\Windows\SysWOW64\Iinlemia.exe (command line: C:\Windows\system32\Iinlemia.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4856 -
Level 13: C:\Windows\SysWOW64\Jpgdbg32.exe (command line: C:\Windows\system32\Jpgdbg32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
Level 14: C:\Windows\SysWOW64\Jfaloa32.exe (command line: C:\Windows\system32\Jfaloa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1428 -
Level 15: C:\Windows\SysWOW64\Jagqlj32.exe (command line: C:\Windows\system32\Jagqlj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3508 -
Level 16: C:\Windows\SysWOW64\Jbhmdbnp.exe (command line: C:\Windows\system32\Jbhmdbnp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672 -
Level 17: C:\Windows\SysWOW64\Jjpeepnb.exe (command line: C:\Windows\system32\Jjpeepnb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
Level 18: C:\Windows\SysWOW64\Jdhine32.exe (command line: C:\Windows\system32\Jdhine32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
Level 19: C:\Windows\SysWOW64\Jfffjqdf.exe (command line: C:\Windows\system32\Jfffjqdf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
Level 20: C:\Windows\SysWOW64\Jidbflcj.exe (command line: C:\Windows\system32\Jidbflcj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
Level 21: C:\Windows\SysWOW64\Jpojcf32.exe (command line: C:\Windows\system32\Jpojcf32.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3536 -
Level 22: C:\Windows\SysWOW64\Jfhbppbc.exe (command line: C:\Windows\system32\Jfhbppbc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1492 -
Level 23: C:\Windows\SysWOW64\Jigollag.exe (command line: C:\Windows\system32\Jigollag.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:4384 -
Level 24: C:\Windows\SysWOW64\Jpaghf32.exe (command line: C:\Windows\system32\Jpaghf32.exe)
- Executes dropped EXE
PID:3096 -
Level 25: C:\Windows\SysWOW64\Jbocea32.exe (command line: C:\Windows\system32\Jbocea32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4680 -
Level 26: C:\Windows\SysWOW64\Jkfkfohj.exe (command line: C:\Windows\system32\Jkfkfohj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1396 -
Level 27: C:\Windows\SysWOW64\Kmegbjgn.exe (command line: C:\Windows\system32\Kmegbjgn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4988 -
Level 28: C:\Windows\SysWOW64\Kpccnefa.exe (command line: C:\Windows\system32\Kpccnefa.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:960 -
Level 29: C:\Windows\SysWOW64\Kgmlkp32.exe (command line: C:\Windows\system32\Kgmlkp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2360 -
Level 30: C:\Windows\SysWOW64\Kmgdgjek.exe (command line: C:\Windows\system32\Kmgdgjek.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4492 -
Level 31: C:\Windows\SysWOW64\Kdaldd32.exe (command line: C:\Windows\system32\Kdaldd32.exe)
- Executes dropped EXE
PID:1828 -
Level 32: C:\Windows\SysWOW64\Kkkdan32.exe (command line: C:\Windows\system32\Kkkdan32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1212 -
Level 33: C:\Windows\SysWOW64\Kphmie32.exe (command line: C:\Windows\system32\Kphmie32.exe)
- Executes dropped EXE
- Modifies registry class
PID:4808 -
Level 34: C:\Windows\SysWOW64\Kknafn32.exe (command line: C:\Windows\system32\Kknafn32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2472 -
Level 35: C:\Windows\SysWOW64\Kagichjo.exe (command line: C:\Windows\system32\Kagichjo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4356 -
Level 36: C:\Windows\SysWOW64\Kpjjod32.exe (command line: C:\Windows\system32\Kpjjod32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2076 -
Level 37: C:\Windows\SysWOW64\Kcifkp32.exe (command line: C:\Windows\system32\Kcifkp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:568 -
Level 38: C:\Windows\SysWOW64\Kkpnlm32.exe (command line: C:\Windows\system32\Kkpnlm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2060 -
Level 39: C:\Windows\SysWOW64\Kajfig32.exe (command line: C:\Windows\system32\Kajfig32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4540 -
Level 40: C:\Windows\SysWOW64\Kpmfddnf.exe (command line: C:\Windows\system32\Kpmfddnf.exe)
- Executes dropped EXE
PID:1860 -
Level 41: C:\Windows\SysWOW64\Kkbkamnl.exe (command line: C:\Windows\system32\Kkbkamnl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3520 -
Level 42: C:\Windows\SysWOW64\Liekmj32.exe (command line: C:\Windows\system32\Liekmj32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:3852 -
Level 43: C:\Windows\SysWOW64\Lpocjdld.exe (command line: C:\Windows\system32\Lpocjdld.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2340 -
Level 44: C:\Windows\SysWOW64\Ldkojb32.exe (command line: C:\Windows\system32\Ldkojb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2376 -
Level 45: C:\Windows\SysWOW64\Lmccchkn.exe (command line: C:\Windows\system32\Lmccchkn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2280 -
Level 46: C:\Windows\SysWOW64\Lpappc32.exe (command line: C:\Windows\system32\Lpappc32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3152 -
Level 47: C:\Windows\SysWOW64\Lcpllo32.exe (command line: C:\Windows\system32\Lcpllo32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1516 -
Level 48: C:\Windows\SysWOW64\Lkgdml32.exe (command line: C:\Windows\system32\Lkgdml32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2880 -
Level 49: C:\Windows\SysWOW64\Lnepih32.exe (command line: C:\Windows\system32\Lnepih32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4028 -
Level 50: C:\Windows\SysWOW64\Lpcmec32.exe (command line: C:\Windows\system32\Lpcmec32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2668 -
Level 51: C:\Windows\SysWOW64\Ldohebqh.exe (command line: C:\Windows\system32\Ldohebqh.exe)
- Executes dropped EXE
PID:1452 -
Level 52: C:\Windows\SysWOW64\Lgneampk.exe (command line: C:\Windows\system32\Lgneampk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5100 -
Level 53: C:\Windows\SysWOW64\Lilanioo.exe (command line: C:\Windows\system32\Lilanioo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3228 -
Level 54: C:\Windows\SysWOW64\Laciofpa.exe (command line: C:\Windows\system32\Laciofpa.exe)
- Executes dropped EXE
PID:4744 -
Level 55: C:\Windows\SysWOW64\Lpfijcfl.exe (command line: C:\Windows\system32\Lpfijcfl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4460 -
Level 56: C:\Windows\SysWOW64\Lgpagm32.exe (command line: C:\Windows\system32\Lgpagm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5020 -
Level 57: C:\Windows\SysWOW64\Ljnnch32.exe (command line: C:\Windows\system32\Ljnnch32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4688 -
Level 58: C:\Windows\SysWOW64\Laefdf32.exe (command line: C:\Windows\system32\Laefdf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3844 -
Level 59: C:\Windows\SysWOW64\Lddbqa32.exe (command line: C:\Windows\system32\Lddbqa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4736 -
Level 60: C:\Windows\SysWOW64\Lgbnmm32.exe (command line: C:\Windows\system32\Lgbnmm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2956 -
Level 61: C:\Windows\SysWOW64\Mnlfigcc.exe (command line: C:\Windows\system32\Mnlfigcc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2452 -
Level 62: C:\Windows\SysWOW64\Mpkbebbf.exe (command line: C:\Windows\system32\Mpkbebbf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4904 -
Level 63: C:\Windows\SysWOW64\Mdfofakp.exe (command line: C:\Windows\system32\Mdfofakp.exe)
- Executes dropped EXE
PID:4040 -
Level 64: C:\Windows\SysWOW64\Mgekbljc.exe (command line: C:\Windows\system32\Mgekbljc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1380 -
Level 65: C:\Windows\SysWOW64\Mkpgck32.exe (command line: C:\Windows\system32\Mkpgck32.exe)
- Executes dropped EXE
PID:704 -
Level 66: C:\Windows\SysWOW64\Majopeii.exe (command line: C:\Windows\system32\Majopeii.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2588 -
Level 67: C:\Windows\SysWOW64\Mdiklqhm.exe (command line: C:\Windows\system32\Mdiklqhm.exe)
- Modifies registry class
PID:2560 -
Level 68: C:\Windows\SysWOW64\Mkbchk32.exe (command line: C:\Windows\system32\Mkbchk32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:1836 -
Level 69: C:\Windows\SysWOW64\Mnapdf32.exe (command line: C:\Windows\system32\Mnapdf32.exe)
- Drops file in System32 directory
PID:2492 -
Level 70: C:\Windows\SysWOW64\Mdkhapfj.exe (command line: C:\Windows\system32\Mdkhapfj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4564 -
Level 71: C:\Windows\SysWOW64\Mgidml32.exe (command line: C:\Windows\system32\Mgidml32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2688 -
Level 72: C:\Windows\SysWOW64\Mncmjfmk.exe (command line: C:\Windows\system32\Mncmjfmk.exe)
- Drops file in System32 directory
- Modifies registry class
PID:1088 -
Level 73: C:\Windows\SysWOW64\Maohkd32.exe (command line: C:\Windows\system32\Maohkd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1076 -
Level 74: C:\Windows\SysWOW64\Mdmegp32.exe (command line: C:\Windows\system32\Mdmegp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4644 -
Level 75: C:\Windows\SysWOW64\Mglack32.exe (command line: C:\Windows\system32\Mglack32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:316 -
Level 76: C:\Windows\SysWOW64\Mjjmog32.exe (command line: C:\Windows\system32\Mjjmog32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3604 -
Level 77: C:\Windows\SysWOW64\Mpdelajl.exe (command line: C:\Windows\system32\Mpdelajl.exe)
- Drops file in System32 directory
- Modifies registry class
PID:3944 -
Level 78: C:\Windows\SysWOW64\Mdpalp32.exe (command line: C:\Windows\system32\Mdpalp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1804 -
Level 79: C:\Windows\SysWOW64\Nkjjij32.exe (command line: C:\Windows\system32\Nkjjij32.exe)
- Modifies registry class
PID:1392 -
Level 80: C:\Windows\SysWOW64\Nnhfee32.exe (command line: C:\Windows\system32\Nnhfee32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:4616 -
Level 81: C:\Windows\SysWOW64\Nqfbaq32.exe (command line: C:\Windows\system32\Nqfbaq32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2064 -
Level 82: C:\Windows\SysWOW64\Nceonl32.exe (command line: C:\Windows\system32\Nceonl32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:492 -
Level 83: C:\Windows\SysWOW64\Nklfoi32.exe (command line: C:\Windows\system32\Nklfoi32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:2384 -
Level 84: C:\Windows\SysWOW64\Nafokcol.exe (command line: C:\Windows\system32\Nafokcol.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5012 -
Level 85: C:\Windows\SysWOW64\Nddkgonp.exe (command line: C:\Windows\system32\Nddkgonp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1524 -
Level 86: C:\Windows\SysWOW64\Ngcgcjnc.exe (command line: C:\Windows\system32\Ngcgcjnc.exe)
- Drops file in System32 directory
PID:1592 -
Level 87: C:\Windows\SysWOW64\Njacpf32.exe (command line: C:\Windows\system32\Njacpf32.exe)
- Drops file in System32 directory
PID:3764 -
Level 88: C:\Windows\SysWOW64\Ndghmo32.exe (command line: C:\Windows\system32\Ndghmo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2640 -
Level 89: C:\Windows\SysWOW64\Ncihikcg.exe (command line: C:\Windows\system32\Ncihikcg.exe)
- Drops file in System32 directory
- Modifies registry class
PID:4468 -
Level 90: C:\Windows\SysWOW64\Nkqpjidj.exe (command line: C:\Windows\system32\Nkqpjidj.exe)
PID:5136 -
Level 91: C:\Windows\SysWOW64\Nnolfdcn.exe (command line: C:\Windows\system32\Nnolfdcn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5184 -
Level 92: C:\Windows\SysWOW64\Nqmhbpba.exe (command line: C:\Windows\system32\Nqmhbpba.exe)
- Modifies registry class
PID:5228 -
Level 93: C:\Windows\SysWOW64\Ndidbn32.exe (command line: C:\Windows\system32\Ndidbn32.exe)
- Drops file in System32 directory
PID:5272 -
Level 94: C:\Windows\SysWOW64\Ncldnkae.exe (command line: C:\Windows\system32\Ncldnkae.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5316 -
Level 95: C:\Windows\SysWOW64\Nkcmohbg.exe (command line: C:\Windows\system32\Nkcmohbg.exe)
PID:5352 -
Level 96: C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 400)
- Program crash
PID:5452
Level 1: C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5352 -ip 5352)
PID:5424
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
176KB
MD5af59fa0223a615dffa447f43d2582d53
SHA18b0de14a169b93552a73f08ef2cedacd3ebb1b21
SHA2560c890c013fea9521d9acc17afe55dd9a7fc6d39eb771c4b0ba78f7e682722d53
SHA51256d292473a781cdad1d2c655e1ce75e3c77a4b7f0b5c45a031249860d5fc696884bb08beafc04f06e957692120d63b97cbdad96fa16e1ee9372675820d463590
-
Filesize
176KB
MD57e4298826ef592fe830c446d59674997
SHA101575bd0cc33f00f61e13eb9451a455186be5ec5
SHA25635d1b088c4f262ddff54a1463955c9c551aa26a36dbe1400f1e0ffa51435de1d
SHA512b157722e4789443e17080db963db1ac79dfb436185f31cf89dd7924a65d59f785c8a59b291fe1476c87a81ca1b04934637ad554af1727835c2b4150b0764e1eb
-
Filesize
176KB
MD5b6b88257fbb9a0728938cacec9de558c
SHA19abee8d794b40f0cbbfa93162d8500824989f5c1
SHA25646148705c8b94a368683f3807ebaccc96ab93160008a7b719d5a763ad1bd7c66
SHA512095578e454a048a1ea63f243afdcb7b8c342c6071b9a78f5e63135c10d2245d6e7827d5630bf9786d16fe1cc7bd0227ea5e33dea83df8090b13f9dddf590dcc8
-
Filesize
176KB
MD55b5336764dd3602853ad589f73f83c93
SHA1718491345061cf948788fcf18002aa80d0103c27
SHA256adb3a203cebafe03e3a11c2d55bf1f695be3dc9a8ec3f04359d4b7e557fd77f8
SHA5127241a77ef63c048da6876d3c0e540cc1ab16bee0a490c52fee2972e4ad6404b715cde9f56fb41ecd6acf47ba55b29d8bf2179203805089b73f3c2f79bbd9ecea
-
Filesize
176KB
MD56c3abe740b2ef40d07cbb4620546f827
SHA1a34795d1020e331e99e40bb8670e2623906a9d99
SHA256ce0ce347b132a3748976760c51d34ac6b210a5d0db0b085a8d086faf5c227742
SHA5128161fb8139b2d06d4d7b99bdebd5cb3e55235b62cf4781a1fc171189f7d1367b3a995c791d243302f4eb719aaec8bb10d3c5a244b129cc9fbfdfa8014f1f4c11
-
Filesize
176KB
MD5dc747ec75ce6dd4abcf37ee5403cfc8f
SHA1d7060c0a18fc6cf934a5686f45a35426d50ee728
SHA2564b71194503a81e86941bd5bbdb3421ea8a04753bbb574115cc67972556c8ead6
SHA512776464786abae270b1757ca88b2342d0c9313ea17fb1761d9bb95480b1ba66bbf65f7de795981ba165f4a9459470475897c8fc1e9f5104376cd151ba4bb74fed
-
Filesize
176KB
MD506c7d23664049f9e4b8ae0119aa8811b
SHA1cdce39dddc7f5fbbe395d5692763076377385893
SHA2564e5d0732553ae70aee3765b77a6cd59cb9ae30aa78d02a8475fa8d962389996e
SHA51202374aa2aab1b172c066d1182def1b4b7faeb1544526a74783fa6b2e4e3b7969c941dba712a4b2166ec7aa0450792b64735c79df3a7e515398281c64f6a4ec00
-
Filesize
176KB
MD598cc87ef0055e63f6ef9f338e6097a4a
SHA166f9f42f467ee10c176ee5a4a1d85bdb90c4793f
SHA256b6afbfb8c52211974547e350234b537cd42d031123fa336e237cf5c09e399063
SHA512c04882c55aff9b99be0e7d7c82b99098961c4c784c2491459440ad68d51537581a51c1e26069078903b7971dca65030268fe74184f7b204e95f83cd3d7d6d4ab
-
Filesize
176KB
MD558f81ef4452477b363bb10b1e4b17578
SHA1a81d45deaf5a74404890e4d6cd98e161eb39e53d
SHA256e1c2750d5158b7ddfaea71c957c4f993b1411d720b087eb75380bd0ea2038adb
SHA512cbaa94e91a4bfab5ec6917dce94fbe31ba18faa7e9c88970091018afb565e7b11acd3bb25c020ce96a21c430df18789f4fa5a486479b4e1380fa3da18219d5b5
-
Filesize
176KB
MD52e6bf648eb5ea097a70f9ec237f96a52
SHA1583d1a82ef19ac752a378f878386b58fc85a2125
SHA256c05a7b775efc54b43312c8c9443853a1c98d467dc3f79aafbbb22124021381ee
SHA5124f22b06bbb297ffc62c33e19b9f4602cd225c231da414f6565dca06509d95e4822a27621d9d42a13b02fea543f1c2771806447ece204327829e80cec07a6fede
-
Filesize
176KB
MD5816160009b3c7ef74ef25688eef18931
SHA1e009d5e53c78049cfc9fa757b7084f2219a149a4
SHA256978f235a9c09b27562e57fc03c5597a19be894d01f933713e342ec3ac649cf98
SHA5122ddb89ac959f9f5d4a46b3df7a7e310ed44920ae0e9d5818c93921039daa53af304e527740d9ee56db4b16eff33c2c40417e76b6cf59df19048c6370371a00de
-
Filesize
176KB
MD5d7faeb54a33524e24ed6b9ba6414ca2e
SHA1c61e760678cbd89e4f40d162563a0e5199f4e4c1
SHA2564297a1bf3c70c9a64d9769d0c902d73b727d3a996340207d2b201bb5adff398f
SHA512f4f99597731331ebcb87b6d5ce84ae35cbaa4abb209ace301d7a0c7a4132100c511bbfd06c370a1ff79cc7dc6a3660382041eadb7693bcb6a12f6fbe5f14a0f0
-
Filesize
176KB
MD58fbf6db634f2ab0c9ed5d97e0e568058
SHA158f62b1ae10feec7af588227668860c4e5b1f731
SHA256b30feea99d7bbc92957fb3188e9e11c1cb873ba5d578aa550bc816a0742d02a9
SHA5124902c3fc851ff70f86c24e696b5b701c217749ad2e831a76c4add4bb20fd295ef71cf2b7f9e5487a7ae488657f40b5337284a27023e8be012caca7461a0e6f82
-
Filesize
176KB
MD5c0680262254c31f39f67393a6315f0da
SHA1e543b109b6c26766b11bb0ba1b7dd770e161c262
SHA25618fc09af82b7149602678769a740ef8b1c327e6e628e00b5152e78f7575c1d1b
SHA5120d3dca9570b68fafe88d309103bebe294806c1bc1301bbf14615d4995e022baf49ebd7d260473205adaf42d6f3b70784b61ef4ad514d67e38e6b52faf33941d6
-
Filesize
176KB
MD5a7001512c317345d80a0358adfc7fa6c
SHA1d5a9a25dfeeebbb280cfcb061330904fdeaa32fc
SHA256cc6f6536a32acb424967463c048e215bcbbba9c5285c15436c63509fb5315815
SHA512f879044f8869c567041e1bb28cb1add921da2d7113b46cdceee01a81f1a550189e42fbaf5c5be2185048d76861bd8ceeabe47b45011ed22f144558e2f7c67788
-
Filesize
176KB
MD59586eaaee187f828d324b15b32b1b8ce
SHA174f743e81daba857904fdd9d5e6a5997dc88a841
SHA2569edbd3a6eaec8c19dd84faa88ae4b1663365904953c468d6d677fc4ca4043965
SHA51226ae4ea95fc2f22fcba6d1bdbeb8a3878692d2d716d0d80a6542b23aad662a81f2e34a89c581a6a5ea70e5af861452cf79e3afe52c8c5904e7fd236a38df9dc0
-
Filesize
176KB
MD5541ca868397282f027cb18e5cdf6e3c7
SHA1a9c1fb2a3daef9b361648d801de8b23fac093367
SHA2560cf183de43aa024d152fc9e6bc765e655c7838a852c714ceae4ef0f7102bce20
SHA51202dc4fea7f2d27e78cc550c01ed056233a625b5cb8fccb51bfee5ac99fb4cee8c0e1daadef33de774f356dec5b5dd6bfa57672b38414fded139310d3574e35e3
-
Filesize
176KB
MD57b3a2c9e3c458c7b26360ebb1dcb753c
SHA174677e6708b9a6d00abb15618f0e64ed594a4190
SHA2562e391cf797d69c605d0eeeb24b366b965c7e060e3a9c4c87ae6498858992c7e3
SHA51251b012fa69f865d31af8b85da0a66f009427b1af1bf99b9d64cbac3c86f3b6f338cd8b19d160995caae2ceacfc548af4bdcf151ba9c8ce23ad9940b89e0ae341
-
Filesize
176KB
MD53de2c3920c13438066d913dc4a72becc
SHA1fcbf9dd2e8e02170cda0992f11bbb8744ddb17bd
SHA25685a46759b5474aeca6fc29aeff01434b37a7f7330880610ea0e256d060e56802
SHA512e17c252d0c1894d77a16f7491ed537d164744697ed52953ef65611c00de6e1b51e2af275b44ab0c4cbedfea2e77cf082abd37a003df3f147e8118347d3a3967c
-
Filesize
176KB
MD54b69af783b6457b7e3ec1d3dc8d2c7a4
SHA1f63cc1b9ce16478690dc1319547aa2ad47c24ef2
SHA2568c837666cdfbf4300cb43037cf969461b51fafb0cbc30e252d48ceb97e738372
SHA51262acd5e5b07e5dc5f60cccfb0e2ec3a7b3b4cc0ad796b726bb6d81f5aa2107c27233f3839168b3873e272d6963fdc3a84ed389a4373e3fd4c3942d72c1afac00
-
Filesize
176KB
MD5945188a294f9e6fc0837b915e9955ad6
SHA1f23500f4905efe6ac659b9ac45e157d1d279fdc1
SHA2569ea9550cf3274021ffb3e1516487e623b545e47863978dc361a0e570bd9249c7
SHA5126f28e1d05819debb36f9111b0856f9bc09a37ba2bf5fab026e637ec82ff746f273e19bcdf5c9ac6a5e9b30bb0387cbe0cab8cd961801fa3e36277003689304ed
-
Filesize
176KB
MD539befa1d8a05d2aaefa32ce5de6fd7ac
SHA19f5beb7e7bb5ca54aec693d0ecfde901ae0900b3
SHA256c375bd2d71c1c8866610b14676a687dae2d626ff5c98f48a6cc8a0cbb1cba310
SHA512778e5783baa43e046d713c3a13407d0c13c42669fc53b6a2ef466225d4c2ec5914603f87dcf810f8fa50113e9be5262c0d1f844af3b4e14d172ac2a1c1c1aeeb
-
Filesize
176KB
MD5d8594bccaa11a48740adea6861df491b
SHA18955bf7313f2a97d409c0ac50b0636b14c230953
SHA25694a0a515f3cc3c735ad9279a1ca8b1858af061ac1efd03f58350082782c5bf21
SHA51276fb20c8d8b7163390d131f00024672d427268e8e38c63bdac4cb7c27e86b0c6e53e5aa47a99ef9d52dc1400758acc317312cd69f5e1d55271427af8377917f3
-
Filesize
176KB
MD5869d7836d951ff81ad2e41ba058a1682
SHA1b27b203072ef487a322760f6ceb5702edf04b45f
SHA2563beeeaec6bfcb1f2c0ea743275abb90a7d0bb3cdfda3eaf66a2f0432c5fe3204
SHA5128300ae0c1b4755a5ee3ccf897b828cf33c3d0f9e19d9cc4a796076bde9d6c782b8ac76068ee955c2ba24d9f5a8ce8c138917b7319afedc0b38aaa898e693bee8
-
Filesize
176KB
MD596e013efa48d9562ab309c5f7d9859bc
SHA10ccc81cffc9fe1d354112aead3791941b2b56882
SHA2561c03f2fa9d6694d134505b6e6fc9964b163d6d942cfe14bc2fd22cf5129e1f57
SHA512aba3ccc201f0b697adb94f32329310a1fbec841c772c469b01ce00b793ae13543612ee9141404f4169b5cd5a71710f808756f33b32ffd579bd8d56e59aee549b
-
Filesize
176KB
MD5e063b2463d87e1c3e14aa9c12752e7b4
SHA1b306ffea7f3c7b543d46852e906811848d30aa55
SHA2561b2c2b53045800df39308f04f4222bae06120641a84f6d59a70ab69b3241e4a9
SHA512147d30eaa274295f6ffd33ec1025c920b3518e99a995a2d77fbcdfee348e35e97efaafa0201a78c45bda577957894847b593fb90b9a0ea5240db10c7a4e9a3a7
-
Filesize
176KB
MD556568a06a9fd6479fb0a6a116ddd4405
SHA1ef76ef0bb7215218169122ead2e63065303a17c0
SHA256921069ea562f9351b49550642ce197625a07cabc5280215b493fda3bc0a2cbf6
SHA5127c68caabee400e9a0fda3b09f105094337db50a47027a42f5359889c40e8ae6d4bb82f97c108308eb4093e682602317db6ea85904e4265c2da7df33135cc7d47
-
Filesize
176KB
MD52a41429c9eaf02a43aa019c325335279
SHA15b7d7540dda8c8fe4e32718e3696fed1149c87c9
SHA256d9919dbc11cc10fe5dce1ce0ef9b4702aa481079d09323c64937b744b1b822db
SHA5123a11287ad00f24c69cb72f980bb932c15dc2005dc5a7321fddd3c3d1a2ca985a14241dc3ee77fdb231ff56ef6d4d53d5384f3e6de6aaab2b5d40d38b8d184670
-
Filesize
176KB
MD53d588eab2643197d515d06595409524a
SHA101dc276bf69eb27f9183b347ebcdf5b4ad2dae49
SHA256c4fbb94b984e19d3194b5e4e9613a3212cd98d81361b4977c5c2f768e29f3552
SHA51215ee447ad55b3a3a86a676e652cf79b55e5a4a9c95b8bea78613ea230b8b3e80d78dab8136413d51a346b362306bce820b9687969b48b5c0c99105007ace1aa7
-
Filesize
176KB
MD5b0116103b1fc97b59a201756dd297be0
SHA190b26c8553ffe22b8b7dffc9b9f56838ed07cb68
SHA256828bd462b02041136391b72aded2870603d53fbb87caf107802a6ebbd741506f
SHA512cccf99c6f397f52876991848ebc623d6b66037397f7d9d55654e0c61c67f09e0a8c402323dda97cf12f7f6d365de2a208e2d6bec5945d8eb79f6cafa7a6b7a9c
-
Filesize
176KB
MD545cf40d99bf43b68be2ed03872454914
SHA1676bccea15ae7db78262d6ae3527909f5d2671e9
SHA2563641a379f7e2f6d8a851b1486e3a25049bdf6533e10412f5386d6c582812e8ff
SHA5128fb0d2a2e9982c0c504f3feebfdb25d649078fcd99df262c530cd572614d0da83c0b9598d43bb78074ac48c0b202795bab1a248fb7e3aa9bf9b99837c81d6117
-
Filesize
176KB
MD516fdd72b6e89506c7a6e86ebd5da5205
SHA127ecbe8dade5d0c5916b0b0e8d2ad040b5c2c278
SHA2564b8cae15ec1fbf2d2389de5ef86e46d2d6fbe4577a9ea7a0b54d84245bae12c7
SHA512daf191446d1f2fa2ae7e4afa7f21ee0848fe12f36e2f30313340157d61af1a3a2b54b78bb2a3854e938d9e3dc78f947a6994f504b1c606f62b4221fbab137a1c
-
Filesize
176KB
MD5689b8798b87290a378b708c4d6bccc70
SHA1bec57da9de28eed7c020a43d1564fb25ef0fd3b8
SHA256195a1abd4c6f6d03d736c50bfe55e03401e8d789bf89c8a43ca4413a4b933654
SHA5121c7ae9c597478582ec6b2d718336a422fc2706f6f1857fe0a364234df40c73bf14fbc312746975d16591cc828196993a97143be470064b7dcf6691d151aa8711
-
Filesize
176KB
MD56ef4e6747aa3395f937db2bc0e4ceac0
SHA12df4403505dd43824e6eba3fe73266cb8072762f
SHA256c40f9f6002a1b234d3ed21a1d3682a264805d1298b7bd4b20d698b9f7acfe5b5
SHA5121541808f81b606e642f231bdbd6c81819360c880ed4bb82a2b074561a719410cb5604587d91e29406623b34757724747b43397430c4723d5f17b2babad102b29
-
Filesize
176KB
MD552c273b6ff2507ea1229818a4b32e43a
SHA195dedc9c68ebc917b8d5aac5c2b55ae9aa794a2f
SHA256dd3c896f46d4dfbbfa68abdbd448730ae30e68b61a9c5a61781a2a9a76789aa8
SHA51269f221ba1b86f469fb647373010c14e4b0e480bcd45e7eb5d55e96198f6ff8b60bb351ea29870debfd92a3bae5a0293b92ccbe7ce4925fd1ce39c3aa75ef3267