Analysis
max time kernel: 136s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 13:56
Behavioral task behavioral1
Sample: dab29f121ae4729d1808cc0a51036f60_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: dab29f121ae4729d1808cc0a51036f60_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: dab29f121ae4729d1808cc0a51036f60_NeikiAnalytics.exe
Size: 448KB
MD5: dab29f121ae4729d1808cc0a51036f60
SHA1: 77bb32a50aa2741a08dfcbf8e6f9bca32ea5e380
SHA256: 6f3a239c96a075c0e67125a1dfe4d42d3a436498065b0fd39ef5c4af57ef2d3c
SHA512: 6fd6b33564c075f71f5564a88fd59cdfb60bc9a66a73a1529e200de6b62d924359a91a1abe84a185ab1a4fbec28e3dd954a842d66e36dfbd5c0d7f300421ab44
SSDEEP: 6144:CcWCt08Zfbz2u7aOl3BzrUmKyIxLfYeOO9UmKyIxLiajOEjXP3HBsR4/0ePGSzxC:oRKl7aOlxzr3cOK3TajRfXFMKNxC
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs
Processes:
Malware Dropper & Backdoor - Berbew 29 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
Executes dropped EXE 29 IoCs
Processes:
Drops file in System32 directory 64 IoCs
Processes:
Program crash 1 IoCs
Processes:
WerFault.exe, pid 3180, target pid 2136
Modifies registry class 64 IoCs
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\dab29f121ae4729d1808cc0a51036f60_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\dab29f121ae4729d1808cc0a51036f60_NeikiAnalytics.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1292 -
[level 2] C:\Windows\SysWOW64\Mcklgm32.exe
    command line: C:\Windows\system32\Mcklgm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684 -
[level 3] C:\Windows\SysWOW64\Mdkhapfj.exe
    command line: C:\Windows\system32\Mdkhapfj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3936 -
[level 4] C:\Windows\SysWOW64\Mgidml32.exe
    command line: C:\Windows\system32\Mgidml32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1892 -
[level 5] C:\Windows\SysWOW64\Mglack32.exe
    command line: C:\Windows\system32\Mglack32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752 -
[level 6] C:\Windows\SysWOW64\Mjjmog32.exe
    command line: C:\Windows\system32\Mjjmog32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5040 -
[level 7] C:\Windows\SysWOW64\Maaepd32.exe
    command line: C:\Windows\system32\Maaepd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3448 -
[level 8] C:\Windows\SysWOW64\Mpdelajl.exe
    command line: C:\Windows\system32\Mpdelajl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4708 -
[level 9] C:\Windows\SysWOW64\Mcbahlip.exe
    command line: C:\Windows\system32\Mcbahlip.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3984 -
[level 10] C:\Windows\SysWOW64\Nkjjij32.exe
    command line: C:\Windows\system32\Nkjjij32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1608 -
[level 11] C:\Windows\SysWOW64\Nacbfdao.exe
    command line: C:\Windows\system32\Nacbfdao.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4212 -
[level 12] C:\Windows\SysWOW64\Ndbnboqb.exe
    command line: C:\Windows\system32\Ndbnboqb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:632 -
[level 13] C:\Windows\SysWOW64\Nceonl32.exe
    command line: C:\Windows\system32\Nceonl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:116 -
[level 14] C:\Windows\SysWOW64\Nklfoi32.exe
    command line: C:\Windows\system32\Nklfoi32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4516 -
[level 15] C:\Windows\SysWOW64\Njogjfoj.exe
    command line: C:\Windows\system32\Njogjfoj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
[level 16] C:\Windows\SysWOW64\Nafokcol.exe
    command line: C:\Windows\system32\Nafokcol.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280 -
[level 17] C:\Windows\SysWOW64\Nddkgonp.exe
    command line: C:\Windows\system32\Nddkgonp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2392 -
[level 18] C:\Windows\SysWOW64\Ncgkcl32.exe
    command line: C:\Windows\system32\Ncgkcl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164 -
[level 19] C:\Windows\SysWOW64\Nkncdifl.exe
    command line: C:\Windows\system32\Nkncdifl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620 -
[level 20] C:\Windows\SysWOW64\Njacpf32.exe
    command line: C:\Windows\system32\Njacpf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4060 -
[level 21] C:\Windows\SysWOW64\Nnmopdep.exe
    command line: C:\Windows\system32\Nnmopdep.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1364 -
[level 22] C:\Windows\SysWOW64\Nqklmpdd.exe
    command line: C:\Windows\system32\Nqklmpdd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5076 -
[level 23] C:\Windows\SysWOW64\Ndghmo32.exe
    command line: C:\Windows\system32\Ndghmo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2116 -
[level 24] C:\Windows\SysWOW64\Ncihikcg.exe
    command line: C:\Windows\system32\Ncihikcg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4276 -
[level 25] C:\Windows\SysWOW64\Nkqpjidj.exe
    command line: C:\Windows\system32\Nkqpjidj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:436 -
[level 26] C:\Windows\SysWOW64\Njcpee32.exe
    command line: C:\Windows\system32\Njcpee32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2956 -
[level 27] C:\Windows\SysWOW64\Nnolfdcn.exe
    command line: C:\Windows\system32\Nnolfdcn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:692 -
[level 28] C:\Windows\SysWOW64\Nqmhbpba.exe
    command line: C:\Windows\system32\Nqmhbpba.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3664 -
[level 29] C:\Windows\SysWOW64\Nggqoj32.exe
    command line: C:\Windows\system32\Nggqoj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1520 -
[level 30] C:\Windows\SysWOW64\Nkcmohbg.exe
    command line: C:\Windows\system32\Nkcmohbg.exe
- Executes dropped EXE
PID:2136 -
[level 31] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 412
- Program crash
PID:3180
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2136 -ip 2136
PID:3764
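Two things in the tree above deserve a closer look than the signature labels give them. The three identical "wrote to memory" records per parent and child are what an ordinary CreateProcess looks like in this trace: the parent fills in the new child's startup data before the child's first thread runs, so "Suspicious use of WriteProcessMemory" on its own shows that the sample spawns processes, not that it injects into unrelated ones. What is actually anomalous is the lineage: thirty successive copies under C:\Windows\SysWOW64, each with a generated eight-letter name, each the child of the previous one. The script below is an added example and is not part of the report or of the sandbox: it rebuilds the tree from the levels printed above, collapses the duplicate write records, separates parent-into-own-child writes from writes into any other process, and measures the run of unknown SysWOW64 images. The rows in TREE and the records in RAW_WRITES are copied from the report (levels 9 to 13); the one record marked CONSTRUCTED, the record layout it assumes, and the short allowlist of known SysWOW64 images are assumptions made for the demo.

```python
"""Lineage check over the report's process tree and WriteProcessMemory records.

Added example; not part of the sandbox report or its tooling. TREE and RAW_WRITES
are copied from this report (levels 9 to 13 of the chain). The record marked
CONSTRUCTED is invented to exercise the negative branch. Record layout assumed:
'PID <src> wrote to memory of <dst> <src> <src image> <dst image>'.
"""
import re
from collections import Counter

# (level, image path, pid) as printed in the report's Processes section.
TREE = [
    (9, r"C:\Windows\SysWOW64\Mcbahlip.exe", 3984),
    (10, r"C:\Windows\SysWOW64\Nkjjij32.exe", 1608),
    (11, r"C:\Windows\SysWOW64\Nacbfdao.exe", 4212),
    (12, r"C:\Windows\SysWOW64\Ndbnboqb.exe", 632),
    (13, r"C:\Windows\SysWOW64\Nceonl32.exe", 116),
]

RAW_WRITES = """\
PID 3984 wrote to memory of 1608 3984 Mcbahlip.exe Nkjjij32.exe
PID 3984 wrote to memory of 1608 3984 Mcbahlip.exe Nkjjij32.exe
PID 3984 wrote to memory of 1608 3984 Mcbahlip.exe Nkjjij32.exe
PID 1608 wrote to memory of 4212 1608 Nkjjij32.exe Nacbfdao.exe
PID 1608 wrote to memory of 4212 1608 Nkjjij32.exe Nacbfdao.exe
PID 1608 wrote to memory of 4212 1608 Nkjjij32.exe Nacbfdao.exe
PID 4212 wrote to memory of 632 4212 Nacbfdao.exe Ndbnboqb.exe
PID 4212 wrote to memory of 632 4212 Nacbfdao.exe Ndbnboqb.exe
PID 4212 wrote to memory of 632 4212 Nacbfdao.exe Ndbnboqb.exe
PID 632 wrote to memory of 116 632 Ndbnboqb.exe Nceonl32.exe
PID 632 wrote to memory of 116 632 Ndbnboqb.exe Nceonl32.exe
PID 632 wrote to memory of 116 632 Ndbnboqb.exe Nceonl32.exe
PID 116 wrote to memory of 3984 116 Nceonl32.exe Mcbahlip.exe
"""
# The last record is CONSTRUCTED (not in the report): a write into a process the
# writer did not create, which is the case the classifier must single out.

WRITE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)"
)
# Assumed allowlist for the demo; a real deployment would compare against the
# OS build's file inventory instead.
KNOWN_SYSTEM_IMAGES = {"werfault.exe", "cmd.exe", "conhost.exe"}


def build_tree(rows):
    """{pid: {image, parent, level}}; a row's parent is the nearest preceding
    row one level shallower, so a slice not starting at level 1 yields a root."""
    tree, stack = {}, []  # stack holds (level, pid) of open ancestors
    for level, image, pid in rows:
        while stack and stack[-1][0] >= level:
            stack.pop()
        parent = stack[-1][1] if stack and stack[-1][0] == level - 1 else None
        tree[pid] = {"image": image, "parent": parent, "level": level}
        stack.append((level, pid))
    return tree


def parse_writes(text):
    """Collapse identical WriteProcessMemory records into {(src, dst): count}."""
    counts = Counter()
    for m in WRITE_RE.finditer(text):
        counts[(int(m["src"]), int(m["dst"]))] += 1
    return counts


def classify_writes(tree, counts):
    """A parent writing into the child it just created is process start-up;
    a write into any other process is the one worth an analyst's time."""
    out = []
    for (src, dst), n in sorted(counts.items()):
        own_child = tree.get(dst, {}).get("parent") == src
        out.append({"src": src, "dst": dst, "count": n,
                    "verdict": "spawn-setup" if own_child else "cross-process write"})
    return out


def dropped_chain(tree, known=KNOWN_SYSTEM_IMAGES):
    """Longest parent->child run of non-allowlisted images under SysWOW64."""
    run, longest = {}, 0
    for pid, node in sorted(tree.items(), key=lambda kv: kv[1]["level"]):
        image = node["image"].lower()
        if image.startswith("c:\\windows\\syswow64\\") and image.rsplit("\\", 1)[1] not in known:
            run[pid] = run.get(node["parent"], 0) + 1
            longest = max(longest, run[pid])
    return longest


def summarize(rows=TREE, text=RAW_WRITES):
    tree = build_tree(rows)
    verdicts = classify_writes(tree, parse_writes(text))
    return {
        "chain_length": dropped_chain(tree),
        "spawn_setup_pairs": sum(v["verdict"] == "spawn-setup" for v in verdicts),
        "cross_process_writes": [(v["src"], v["dst"]) for v in verdicts
                                 if v["verdict"] != "spawn-setup"],
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The same two checks carry over to endpoint telemetry: Sysmon event ID 1 gives the parent/child pairs for the lineage run, and event ID 10 (ProcessAccess) gives the handle opens that precede a cross-process write. Note also that every image in the tree lives under C:\Windows\SysWOW64 while its command line names C:\Windows\system32: the sample is 32-bit, so file-system redirection maps its System32 writes to SysWOW64, and a sweep for the dropped copies has to look there rather than in System32.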
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 7KB
MD5: 33f78f7d23266bffe60843795b48e1d0
SHA1: 73309fb31b962adeeff7258eaf187af86969d52b
SHA256: 1692d60c8993293ee64df19da1c523c9045ac97a7db370378febd11c190ebd7a
SHA512: a1ec4d45937cd07ce15f02608182c0d4c3d5c90bb9c7d9cb5379823217e0c3768465aeee0a4a637d74507ed23eb117ba269bbbf6ab9bc0390f349643136eea3d
-
Filesize: 448KB
MD5: ea21b16e7e6147f5892d38be278be7db
SHA1: 500da520c367bd1b2fd5d467d69e82fa1a68788a
SHA256: 9d5db526c745b7fdc3e51637acd3a88086f4fe023097c3327649dceede55bf0c
SHA512: 2818a871c2e3c13267c123d8f18dc03c2357866586f700ce5aa52baf47b796a2028f9fce9aa8c170cc0d51ce274ec704d5a41c5b2383d04d238788cc2ab503de
-
Filesize: 448KB
MD5: 073c58d8a5f61e68fdbdb8dfcdcbe0ba
SHA1: 7234cd39db73d8066b5ccbddc66b1e26fee6526f
SHA256: 9cce42f8cfa748a56941a6254c8968842013aaadd53a52153a02e9966242affc
SHA512: 834601b5c40f920f38b1823f3a96c86db2ef29abef8e48bfe4831461536f148cdbd8bf8ca47f98bf08cedda7449bcea3618940e19db6c93f85c040284858e91d
-
Filesize: 448KB
MD5: 7e7c004bb0a49ba424b2e0dd836eb265
SHA1: f7eedb28c7e8f85eda5e076f234218f552e3ae0f
SHA256: e2a55a7aa1924cc6119487f6350d9fd7be73733234e232090817b03e0fecd4aa
SHA512: 62f31fef93bb9165952c40fda736dc2f20d493825a58a4ab12f3921fe7edfa5bfa36a13ec80e738e457c75d0bb9f7529007be7e927366f8068a30b4f2d10966e
-
Filesize: 448KB
MD5: 0e80bd37e5bd10846cc089d770e0e35b
SHA1: edc8f3080a34d2ba3889b274886f91374de9d603
SHA256: a1ef3950da569c6c97b7ae2bb2ab2fa6af766415a7278a2818c6b41ec84aaa70
SHA512: c638b6299c2c32a4896fdcc7e7180265ada7237160294fc5662da93a581ed6d5f246d4d953e22f4086bfcd1b41b4acecc3a9d8973cc541552ceb093de09c9bce
-
Filesize: 448KB
MD5: 7fd46f0d1447224d756b6a778745e9c5
SHA1: d281d907d06f66268fdf4286837fc8817c9bfe12
SHA256: 8f404ffe6c317aa323a4d57a7c3f23609b69e567b9ddc63496b3ecbc501d0160
SHA512: 837675ba68322a8beaa4bd0c1e68d008c7929c08f0f49b2f7eddaed4649fd49a5fc0f9e953ee48726997d1fa194ed5f3b266dd63def05b40ac0729befb66a85b
-
Filesize: 448KB
MD5: 019a3dc0880e2d810237da6abb044646
SHA1: 7c8163614b0c529eeaf6b113bb7829e77545bd9f
SHA256: c00ecbf043966a65ca1a7687791ab186d6eac7da911706cae802d95e62d8416b
SHA512: fced4721b816ea32568691c19f16e27c8db7db424b4c1a67aafce31a2d47f17e7dd885fb74445650af86ca7aa168292b895959941dc9347c5148dfb57fcd3b10
-
Filesize: 448KB
MD5: afa068f0ab18910b55d7468f2c31a733
SHA1: 78defe757bf5d29084e2348f4b73751ed67026ab
SHA256: b1a867a258c4407396a9787d911f8feecda94246ceb1210b9a48e8de08fe7517
SHA512: 29203687759cc923e9c61afa196ed898d2c3834983bd85e7fcacb260c3f3527a4396eacba83594d5b242b4604d89beac4314829a595d944cf4487a9205c83089
-
Filesize: 448KB
MD5: 48f74cf83e45a4e884f40d471af84b38
SHA1: 8e69f2a7007fa896d6b83915baa2e2ea3364592d
SHA256: 5a554cb29205f008dd3e8b3cb150df031c9ff4bd3d0434255c20f5492c3ec179
SHA512: 82bd48b3a8abb17aa3fd48ffa993d4bea07367ef322b0c6483ac0332170b8f907e6be3978f3c58b482f939d2b2062fa2c96cd262ad675fb6ce2fbba3d278c627
-
Filesize: 448KB
MD5: f2c3d70ce4c25bb893774cafacbe85b7
SHA1: a78bf228ce064a0db09148edd0bd111baab456fd
SHA256: d98c31e8ae4c2732537292e0d6f94aceb1ea277d3c2715acf74ccac36e0456be
SHA512: 54d94167d5970738829b5af0470dd389691481a58deeb409657932f7c95df10a10387194482c671c27f536a84ad156c2ce6a56f958f33753b6aabf869f279a02
-
Filesize: 448KB
MD5: 72d1fe64d9ecfbd04801a451b3416457
SHA1: 6cbcedb2f67e4b8c3d133cfd5837557f94e431f6
SHA256: 19fc35c2cfc5e134c6b015d53f27baad31bfeee11d0c42f7a9417179ff6fcda0
SHA512: 90a80a617ed2f6d989a841f4e67d8eb8d54f5dc96ca1fd451f8f424d939d92455883d5a9a978b2f296f770f2f7743cde1541fc4d7d486f35f1b0999f5e92576e
-
Filesize: 448KB
MD5: 8c749cd5b867a3b4bed0810074743868
SHA1: 8fb8c79c24fc506bc81cdb303d436785dff5feef
SHA256: 5bd478b4f6dd081e072965ee490e1f74b3bd96225c455842307eb9ff85aaccf0
SHA512: 18390a0ed5d8f45268ec6404e1e92ef9e53811621d49ab26c46f6e994d54662c5d3d9be55b8c1b86d30c39e775cc6dc4aab782f1f1bdc724ab6f4b85084ed8ca
-
Filesize: 448KB
MD5: 1b0b0d1ce606ebecd8fcbee61b7ca482
SHA1: 2f25554773b1aed9ddcfec3fa6d5221c4dcab8bb
SHA256: dce0f28b159fdce63a70762d838b832168c25473225e1dfb15a71dc3793135ea
SHA512: a2e8a453dae30dd7122456a20bd85a35df1e2b9a0f6d825501d40d8d11f1b805394352fc66d917717bf8f6b7e74768a6a1510ddc313814a9a4a3d438773024c3
-
Filesize: 448KB
MD5: d7aa6eafb8ca69631f485af38fa707b1
SHA1: 17547bc94b52534e9b57ee0319cd176d703714f3
SHA256: 67282fa4e1484e15f4fd77e9ebc4ea02d5ece79f6e48842db76195ce10696b69
SHA512: 526b0a84b9aec2204b0d7a33dbd78c75f75706f611000fac520baeaba84b8880ed89935201ebf8095a214f165a2b1583f9839dcf557e796420a8b3eae171668e
-
Filesize: 448KB
MD5: c3631240ef752989e1f14d7960a36071
SHA1: 5da93f9ce612648971a0beb7c0134cdfb92cc659
SHA256: b7f3a3bec42d3c68cb401aad2c5119cbadf089e0724aedc27b3b95942e631183
SHA512: 50d58ecb43a6c6384548d923434326f31d508f735445c40f0b07821044d233daddbb9837f378d0ea55048121803fbc999b2c4d5580b62a646a01ce8ff85c76a4
-
Filesize: 448KB
MD5: 2d2e03e65bffa25404b58565da12af5c
SHA1: ba8a74835d780143a00cc9ce146e9924b779a7a0
SHA256: 223b02a4691f6fcb0cf5b9c564e7b885f06ba0f055ae4331f834aa474322f489
SHA512: 5101226a349e71929f6b3cb6f55dfe1003e1462194529037ed678f00559e57c043ca0d2cb9576aed3f6c75c8ab8bbbde5ff52639f44453d8d17c12c8d935e79f
-
Filesize: 448KB
MD5: 65424fd1f44b2de7e4ff55c8510540dd
SHA1: a2b21c8c65ca25cf890a0571aeb750b77d84682b
SHA256: 1696a06b282eff17c3fd455b438d0d1da9262a15e75a89c58887857ce07a818a
SHA512: 9fcd7432f6901e4b456b56a7d8aa9a04138ee10cdc8aa0a48a02b240e69a37dd06f17ad116b4a866e6da67f816eb4e55db4c3cf8ba597696810991f491c48b8c
-
Filesize: 448KB
MD5: e84c291bf5e365a49fcffcc48c424017
SHA1: 49afa270ba84630ce36dbecf0b2ed1da1f397387
SHA256: 46068bd5b667a056bdb738d03c0f2e17f26744a3a804ec2f27a8f4b3b668f24b
SHA512: 8db31356cf11d27b00aedb3f4280a0208cb7fde14fd7f8ae87b78f6f7bdbe2558278a0e481bbba0e12f60e7db6f75097483e6053557ce2302ee5b4fc04c3d0af
-
Filesize: 448KB
MD5: f10869d4f373069fac52687a977684bf
SHA1: 7b4ecdabc435628347983be919b7715e50fbb941
SHA256: 559843e501605321265cf3924f5a4efbc6effa56fd5f8597257d52edc9a8909c
SHA512: f708c76c22424a9f549bf35a78e0f8bc45003539328075996c030d8c2ffb27162a392240200af2571e3d7345310e86d80bf35916dae5963efaf5dc1791752783
-
Filesize: 448KB
MD5: 2df0b5bca1a88d22377c3ea33cbaa094
SHA1: 680477f8a4545e3874526b64248b2efc5e87d9a1
SHA256: 94bb6d73fddd39339865b36927235863cb24db81963924cc280d8ceecaeb56a6
SHA512: 53c3fffecf53ec8828084944b2b1df32410fb8a827f8bde8d5968813f979280db711375928256524ebd1f929c42d9a9348596319611f8bfdd34e4003a1983967
-
Filesize: 448KB
MD5: 0b86086b08836dd7426359ee4a03bd8f
SHA1: 7741170a5126f9969bce3ace8f514639502df1ea
SHA256: ad357830f74004dec61bfe6e85770d1467a8dd3806e54e65cb042c01e49b6a75
SHA512: 60985a630f6ebcd7e9ccc1c56720455a16d731b7f20342797ad4d77c2771edf9c7d4cec79668e8d565706859676c209d8c5034c855d0c8a34eb765a593d17e8d
-
Filesize: 448KB
MD5: 102bb5b7dbe3569f390a3a924880413a
SHA1: f13888010f0787bd8157d47a5db49eedb4573b28
SHA256: 20b3afeffdbd018b339cc70e7bebd696be3c39457a2cf26a69cb2c2054f77a6c
SHA512: 464a75a331e81cc71182c285ae8eb211e64af1c9cc67641e986e2c11f2c8b03755046090f60b84bc7a1482c93a422d7c02c7f6918060a52cc79f1227f8f46d2e
-
Filesize: 448KB
MD5: 1ce04c6604da48661669401cbe6b2ad1
SHA1: 357e92fdad94377b8c6a0671cf26081cf99491d0
SHA256: aef9bfc20ccfc5b563810e95f839ac46ea513a2e3804c2a4267a68be8df0df5f
SHA512: e12fdf6e242621e399f7c4bd576eca2543e18068fcd134ffa033a39bba72123e6352e3c78a392a5819f54826a33b77357f08bc074667a3c91c43d4f3755f0b7e
-
Filesize: 448KB
MD5: edb4a254f124f6a23977ab9c81116c56
SHA1: 3ba4fcaffbfaabd6305f71863f39d73dbecb7c98
SHA256: 45c6088800799aee213a1278064522804efc81ff95bd8708794999bf84ae5fa6
SHA512: 0ae133c2f7d1b9d26d099e9a0b6da8626e0086cbe13964f262aadd4dd153b6b6f0374a65f100f0c5b36e21133e1c9293e38352d5e4a2273b56a94e43680dfa60
-
Filesize: 448KB
MD5: 8fe8583c2e2924829ab96a4f00c4fb82
SHA1: 422153c6e1a6a2c1775f6a4e79d429f72ca38b56
SHA256: bb6b91ec118b722d13924abdb1beef81e925b083c30c9200955ba369f17a2377
SHA512: ea9868854d0e59a343059c0480c1f451cb22e9ac117e47b2dd97b535ec2d1e1350aabdb5a13c71674637e7cb290f6fd6389f459ef343a6d7b197204985ee50b2
-
Filesize: 448KB
MD5: 84b3800506d15bf356b50d9d08265a38
SHA1: c2db9d1276e18f27e8b435bc752a71426349b77f
SHA256: c2abaeaca57050f49a8d92cfc851a5fe130fde053e42e2795441aa00d21f2749
SHA512: f61a504383ecc1c80713cd44e99a82e39ec6b26a5711efbdc2a5815d2f85b4e53078ed6addc861260ce607a8e90bc7ce84f9aec1d9e58d4d2cd8babe3c744dde
-
Filesize: 448KB
MD5: 0c3e7e905fba4704581280b2ac301fbc
SHA1: 4393d4401bacd7ef90f5930cb4b4dcf9c1fbdb69
SHA256: 7c012d51cdcf415fd95ce5f5456ae06bce1283f861330f09c3518d9e52b5506e
SHA512: 64a712988e40ee6597f470769afea599c2d58f15416aa50c8e7c624a0c0505dd0ddf4d6efca7f59b2e286a4b351d888c7ddfe6fba322c6bb40b511a020f5c22c
-
Filesize: 448KB
MD5: ed8d3c094451b75f2b8b4e456c919281
SHA1: 01521e0566a9420c8cd2a93a939b97c23f712679
SHA256: 48ee08ed51d476e09fc44648672d1ae52efac5b659f577e47742bb7d3d8e08aa
SHA512: 1f1c9a75ecf6a7112e3e243fe67a9156da9948f54ba74b8af0e9e48569d51348528b49ec917021a0bd7f7c0c93fcbb682efbb3336ed3af55b9a913daecf282cc
-
Filesize: 448KB
MD5: 9860e67b0a24825aee61319265152e5b
SHA1: 8343e95a78dc13be4dee717990c49e3b66e55334
SHA256: db7625ca1f266d85b72f31bfa207711e41ae3cd2f1daaa73f56faef412a184a4
SHA512: b02d1f5be2412b8ce91034ad2a0abf060d586b79493c9f9fd83fd80fd4b35a6bdff43581b3e625d6d2b960514c9f8aa66200f146fc27d594b679ed48f68df6ff
-
Filesize: 448KB
MD5: b397bdd2f5faba18f959043dee4f542e
SHA1: 7a764df7904620803777f6510ca0ea9aeeaaee3a
SHA256: 6489def1ef3dbcc0895a4d55863f9a8e9b43beea3ed66e48494bf1787052e946
SHA512: c29a0fa0ea684c3fa8623c27b2d3a12079bafa36af812b29150dcee6d6d5ceeaafc9efd83ca26739266aa0bf6b2597613ca1cd7bc7d5124b4c70bcbc0bbab18d
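The Downloads list is the part of this report a responder reuses: 29 of the 30 entries are 448KB copies and one is a 7KB file, and the process tree shows where the copies land. The script below is an added example and is not part of the report or of the sandbox. It parses the list in the fused "MD5<hex>" layout the raw page uses, rejects any digest of the wrong length rather than keeping it as a silent IOC, builds a lookup keyed by every algorithm so a single digest is enough to match, and hashes every .exe and .dll under a directory against it. DOWNLOADS_EXCERPT is two entries copied from this report; demo_sweep() runs the sweep on a scratch directory with a constructed stand-in file, since the real dropped binaries are not on the page.

```python
"""Parse the report's Downloads hash list and sweep a directory against it.

Added example; not part of the report or the sandbox. DOWNLOADS_EXCERPT is two
entries copied from this report in the page's fused 'MD5<hex>' layout. The
sweep hashes files on disk, so demo_sweep() exercises it on a scratch directory
with a constructed stand-in rather than the real dropped binaries.
"""
import hashlib
import os
import re
import tempfile

DOWNLOADS_EXCERPT = """\
-
Filesize
7KB
MD533f78f7d23266bffe60843795b48e1d0
SHA173309fb31b962adeeff7258eaf187af86969d52b
SHA2561692d60c8993293ee64df19da1c523c9045ac97a7db370378febd11c190ebd7a
SHA512a1ec4d45937cd07ce15f02608182c0d4c3d5c90bb9c7d9cb5379823217e0c3768465aeee0a4a637d74507ed23eb117ba269bbbf6ab9bc0390f349643136eea3d
-
Filesize
448KB
MD5ea21b16e7e6147f5892d38be278be7db
SHA1500da520c367bd1b2fd5d467d69e82fa1a68788a
SHA2569d5db526c745b7fdc3e51637acd3a88086f4fe023097c3327649dceede55bf0c
SHA5122818a871c2e3c13267c123d8f18dc03c2357866586f700ce5aa52baf47b796a2028f9fce9aa8c170cc0d51ce274ec704d5a41c5b2383d04d238788cc2ab503de
"""

# Longest algorithm names first, so 'SHA1' cannot swallow a 'SHA512' line.
HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_downloads(text):
    """One dict per entry. Entries start at a lone '-'; 'Filesize' is followed
    by the size on the next line; hash lines carry the algorithm fused to the
    hex digits. A digest of the wrong length is an error, not a silent IOC."""
    lines = text.splitlines()
    entries, cur = [], {}
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line == "-":
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if line == "Filesize" and i + 1 < len(lines):
            cur["size"] = lines[i + 1].strip()
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, hexval = m.group(1).lower(), m.group(2).lower()
            if len(hexval) != HEX_LEN[algo]:
                raise ValueError(f"{algo} in entry {len(entries) + 1} has {len(hexval)} hex digits")
            cur[algo] = hexval
    if cur:
        entries.append(cur)
    return entries


def build_index(entries):
    """{algo: {hex: size}} so that any single digest identifies an entry."""
    index = {algo: {} for algo in HEX_LEN}
    for e in entries:
        for algo in HEX_LEN:
            if algo in e:
                index[algo][e[algo]] = e.get("size", "?")
    return index


def hash_file(path):
    """All four digests from a single read of the file."""
    hs = {algo: hashlib.new(algo) for algo in HEX_LEN}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hs.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hs.items()}


def sweep(directory, index, suffixes=(".exe", ".dll")):
    """[(path, algo, hex)] for each file whose digest appears in the index."""
    hits = []
    for root, _, files in os.walk(directory):
        for name in sorted(files):
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(root, name)
            digests = hash_file(path)
            for algo in ("sha256", "sha1", "md5", "sha512"):
                if digests[algo] in index[algo]:
                    hits.append((path, algo, digests[algo]))
                    break  # one match per file is enough
    return hits


def demo_sweep():
    """Offline run: a constructed file whose SHA-256 is added to the index."""
    index = build_index(parse_downloads(DOWNLOADS_EXCERPT))
    payload = b"constructed stand-in, not one of the dropped binaries"
    index["sha256"][hashlib.sha256(payload).hexdigest()] = "stand-in"
    with tempfile.TemporaryDirectory() as d:
        for name in ("Zzzz32.exe", "notes.txt"):  # same bytes; only the .exe counts
            with open(os.path.join(d, name), "wb") as f:
                f.write(payload)
        return [(os.path.basename(p), algo) for p, algo, _ in sweep(d, index)]


if __name__ == "__main__":
    print(demo_sweep())
```

On an affected host the directory to pass to sweep() is C:\Windows\SysWOW64, where the process tree places every dropped copy; feed parse_downloads() the full Downloads section rather than the two-entry excerpt. Matching on SHA-256 first and stopping at the first hit keeps the output to one line per file, which is what a ticket or a block list wants.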