Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 15:18
Behavioral task
behavioral1
Sample
174a134f2f102558310a230de6453bf0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
174a134f2f102558310a230de6453bf0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
Target: 174a134f2f102558310a230de6453bf0_NeikiAnalytics.exe
Size: 94KB
MD5: 174a134f2f102558310a230de6453bf0
SHA1: 16478328795bda7fafd9bd9b713484ea18aa08a9
SHA256: 5ac842dac8749c545b3d5ce61504cb0e785e6a296f8811a108b8c5b5648ee6cc
SHA512: 82d2790680709180e76fefafcbcdfe6976900c05402c7b71b5593a2bfbe490cde2e575f053b979da99d5c6de46e79bba51dfbafbdbfbe47f5e49573a39208205
SSDEEP: 1536:mwQKi1GekwlkzKE2WngqGUpFfB1Jvr9+o2LPaIZTJ+7LhkiB0MPiKeEAgv:mqaGekwlkzKE2mgqXFfq5PaMU7uihJ5v
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Mkgmcjld.exe, Kmjqmi32.exe, Nkjjij32.exe, Nqfbaq32.exe, Kgbefoji.exe, Mpolqa32.exe, Maaepd32.exe, Ngcgcjnc.exe, Kgmlkp32.exe, Mcnhmm32.exe, Nbkhfc32.exe, Ibagcc32.exe, Mpaifalo.exe, Nnmopdep.exe, Lnjjdgee.exe, Mpmokb32.exe, Mcbahlip.exe, Njogjfoj.exe, Ijfboafl.exe, Iabgaklg.exe, Lpcmec32.exe, Kdopod32.exe, Kkpnlm32.exe, Nqklmpdd.exe, Jfdida32.exe, Maohkd32.exe, Mdpalp32.exe, Imihfl32.exe, Jdjfcecp.exe, Mjeddggd.exe, Njacpf32.exe, Jpgdbg32.exe, Jiphkm32.exe, Jkdnpo32.exe, Jangmibi.exe, Kmgdgjek.exe, Nnhfee32.exe, Ijhodq32.exe, Kpmfddnf.exe, Mahbje32.exe, Lnepih32.exe, Mnapdf32.exe, Ifopiajn.exe, Jidbflcj.exe, Ljnnch32.exe, Lddbqa32.exe, Nnjbke32.exe, Ncihikcg.exe, Nkqpjidj.exe, Mcklgm32.exe, Ipckgh32.exe, Jplmmfmi.exe, Jfffjqdf.exe, Lgikfn32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkgmcjld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmjqmi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkjjij32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqfbaq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgbefoji.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpolqa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Maaepd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngcgcjnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kgmlkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcnhmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nbkhfc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibagcc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpaifalo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnmopdep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lnjjdgee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mpmokb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcbahlip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njogjfoj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijfboafl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijfboafl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iabgaklg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpcmec32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdopod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kkpnlm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqklmpdd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfdida32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Maohkd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdpalp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Imihfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jdjfcecp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdpalp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjeddggd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njacpf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpgdbg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jiphkm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkdnpo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jangmibi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmgdgjek.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkpnlm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnhfee32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijhodq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpmfddnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mahbje32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njogjfoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lnepih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mnapdf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcnhmm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifopiajn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jidbflcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ljnnch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lddbqa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnjbke32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncihikcg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkqpjidj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jpgdbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jkdnpo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcklgm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mpolqa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njacpf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipckgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifopiajn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jplmmfmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfffjqdf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lgikfn32.exe
Malware Dropper & Backdoor - Berbew (38 IoCs)
Berbew is a backdoor Trojan that can download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
C:\Windows\SysWOW64\Ijfboafl.exe | family_berbew
C:\Windows\SysWOW64\Imdnklfp.exe | family_berbew
C:\Windows\SysWOW64\Ipckgh32.exe | family_berbew
C:\Windows\SysWOW64\Ibagcc32.exe | family_berbew
C:\Windows\SysWOW64\Ijhodq32.exe | family_berbew
C:\Windows\SysWOW64\Iabgaklg.exe | family_berbew
C:\Windows\SysWOW64\Ibccic32.exe | family_berbew
C:\Windows\SysWOW64\Ifopiajn.exe | family_berbew
C:\Windows\SysWOW64\Imihfl32.exe | family_berbew
C:\Windows\SysWOW64\Jpgdbg32.exe | family_berbew
C:\Windows\SysWOW64\Jfaloa32.exe | family_berbew
C:\Windows\SysWOW64\Jiphkm32.exe | family_berbew
C:\Windows\SysWOW64\Jagqlj32.exe | family_berbew
C:\Windows\SysWOW64\Jfdida32.exe | family_berbew
C:\Windows\SysWOW64\Jibeql32.exe | family_berbew
C:\Windows\SysWOW64\Jplmmfmi.exe | family_berbew
C:\Windows\SysWOW64\Jidbflcj.exe | family_berbew
C:\Windows\SysWOW64\Jaljgidl.exe | family_berbew
C:\Windows\SysWOW64\Jdjfcecp.exe | family_berbew
C:\Windows\SysWOW64\Jfffjqdf.exe | family_berbew
C:\Windows\SysWOW64\Jbmfoa32.exe | family_berbew
C:\Windows\SysWOW64\Jkdnpo32.exe | family_berbew
C:\Windows\SysWOW64\Jmbklj32.exe | family_berbew
C:\Windows\SysWOW64\Jangmibi.exe | family_berbew
C:\Windows\SysWOW64\Jiikak32.exe | family_berbew
C:\Windows\SysWOW64\Kdopod32.exe | family_berbew
C:\Windows\SysWOW64\Kgmlkp32.exe | family_berbew
C:\Windows\SysWOW64\Kmgdgjek.exe | family_berbew
C:\Windows\SysWOW64\Kdaldd32.exe | family_berbew
C:\Windows\SysWOW64\Kmjqmi32.exe | family_berbew
C:\Windows\SysWOW64\Kdcijcke.exe | family_berbew
C:\Windows\SysWOW64\Kgbefoji.exe | family_berbew
C:\Windows\SysWOW64\Kmlnbi32.exe | family_berbew
C:\Windows\SysWOW64\Ldaeka32.exe | family_berbew
C:\Windows\SysWOW64\Mpolqa32.exe | family_berbew
C:\Windows\SysWOW64\Mjjmog32.exe | family_berbew
C:\Windows\SysWOW64\Nnjbke32.exe | family_berbew
C:\Windows\SysWOW64\Ncldnkae.exe | family_berbew
Executes dropped EXE (64 IoCs)
pid | process
3924 | Ijfboafl.exe
4348 | Imdnklfp.exe
2380 | Ipckgh32.exe
4996 | Ibagcc32.exe
468 | Ijhodq32.exe
4308 | Iabgaklg.exe
3004 | Ibccic32.exe
5040 | Ifopiajn.exe
2724 | Imihfl32.exe
2624 | Jpgdbg32.exe
4156 | Jfaloa32.exe
4796 | Jiphkm32.exe
2368 | Jagqlj32.exe
3048 | Jfdida32.exe
4828 | Jibeql32.exe
536 | Jplmmfmi.exe
540 | Jfffjqdf.exe
3908 | Jidbflcj.exe
4680 | Jaljgidl.exe
4056 | Jdjfcecp.exe
2496 | Jbmfoa32.exe
2964 | Jkdnpo32.exe
4408 | Jmbklj32.exe
1060 | Jangmibi.exe
4160 | Jiikak32.exe
2084 | Kdopod32.exe
208 | Kgmlkp32.exe
1580 | Kmgdgjek.exe
3568 | Kdaldd32.exe
1388 | Kmjqmi32.exe
768 | Kdcijcke.exe
3692 | Kgbefoji.exe
2868 | Kmlnbi32.exe
3036 | Kpjjod32.exe
1700 | Kcifkp32.exe
700 | Kkpnlm32.exe
4420 | Kpmfddnf.exe
2824 | Kgfoan32.exe
3744 | Lmqgnhmp.exe
4004 | Ldkojb32.exe
2020 | Lgikfn32.exe
4856 | Lkdggmlj.exe
4940 | Lmccchkn.exe
4328 | Ldmlpbbj.exe
2256 | Lgkhlnbn.exe
1992 | Lijdhiaa.exe
3900 | Lnepih32.exe
3840 | Lpcmec32.exe
1340 | Lcbiao32.exe
5084 | Lgneampk.exe
4832 | Lnhmng32.exe
4872 | Ldaeka32.exe
2036 | Ljnnch32.exe
1796 | Lnjjdgee.exe
2532 | Lddbqa32.exe
5060 | Lcgblncm.exe
548 | Mjqjih32.exe
1600 | Mahbje32.exe
3616 | Mdfofakp.exe
684 | Mkpgck32.exe
3628 | Mnocof32.exe
1680 | Majopeii.exe
3764 | Mpmokb32.exe
2224 | Mcklgm32.exe
Drops file in System32 directory (64 IoCs)
Processes: Lmccchkn.exe, Ljnnch32.exe, Mahbje32.exe, Lijdhiaa.exe, Mnapdf32.exe, Mjjmog32.exe, Nqfbaq32.exe, Nqklmpdd.exe, Imihfl32.exe, Jiikak32.exe, Kkpnlm32.exe, Mpolqa32.exe, Nnmopdep.exe, Njcpee32.exe, Nbkhfc32.exe, Jfaloa32.exe, Jagqlj32.exe, Jmbklj32.exe, Maaepd32.exe, Njogjfoj.exe, Ncihikcg.exe, Lgikfn32.exe, Lpcmec32.exe, Lddbqa32.exe, Mkgmcjld.exe, Jiphkm32.exe, Lcgblncm.exe, Mcklgm32.exe, Mcbahlip.exe, Nnhfee32.exe, Imdnklfp.exe, Kdopod32.exe, Kdcijcke.exe, Mkpgck32.exe, Mdpalp32.exe, Ijfboafl.exe, Ldmlpbbj.exe, Mnocof32.exe, Nkqpjidj.exe, Jpgdbg32.exe, Majopeii.exe, Ndidbn32.exe, Kgfoan32.exe, Lmqgnhmp.exe, Ldkojb32.exe, Mpmokb32.exe, Mcpebmkb.exe, Kmjqmi32.exe, Lgkhlnbn.exe, Lnhmng32.exe, Ibccic32.exe, Jidbflcj.exe, 174a134f2f102558310a230de6453bf0_NeikiAnalytics.exe, Ijhodq32.exe, Lgneampk.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Ldmlpbbj.exe | Lmccchkn.exe
File created | C:\Windows\SysWOW64\Fldggfbc.dll | Ljnnch32.exe
File created | C:\Windows\SysWOW64\Mdfofakp.exe | Mahbje32.exe
File created | C:\Windows\SysWOW64\Lnepih32.exe | Lijdhiaa.exe
File created | C:\Windows\SysWOW64\Mpolqa32.exe | Mnapdf32.exe
File created | C:\Windows\SysWOW64\Maaepd32.exe | Mjjmog32.exe
File opened for modification | C:\Windows\SysWOW64\Nceonl32.exe | Nqfbaq32.exe
File created | C:\Windows\SysWOW64\Ncihikcg.exe | Nqklmpdd.exe
File created | C:\Windows\SysWOW64\Mnnkcb32.dll | Imihfl32.exe
File created | C:\Windows\SysWOW64\Kdopod32.exe | Jiikak32.exe
File opened for modification | C:\Windows\SysWOW64\Kpmfddnf.exe | Kkpnlm32.exe
File created | C:\Windows\SysWOW64\Dgcifj32.dll | Mpolqa32.exe
File created | C:\Windows\SysWOW64\Nqklmpdd.exe | Nnmopdep.exe
File created | C:\Windows\SysWOW64\Lkfbjdpq.dll | Njcpee32.exe
File created | C:\Windows\SysWOW64\Opbnic32.dll | Nbkhfc32.exe
File opened for modification | C:\Windows\SysWOW64\Jiphkm32.exe | Jfaloa32.exe
File created | C:\Windows\SysWOW64\Jfdida32.exe | Jagqlj32.exe
File opened for modification | C:\Windows\SysWOW64\Jangmibi.exe | Jmbklj32.exe
File created | C:\Windows\SysWOW64\Mdpalp32.exe | Maaepd32.exe
File created | C:\Windows\SysWOW64\Kmalco32.dll | Njogjfoj.exe
File created | C:\Windows\SysWOW64\Ogpnaafp.dll | Ncihikcg.exe
File created | C:\Windows\SysWOW64\Qgejif32.dll | Lgikfn32.exe
File opened for modification | C:\Windows\SysWOW64\Lcbiao32.exe | Lpcmec32.exe
File created | C:\Windows\SysWOW64\Plilol32.dll | Lddbqa32.exe
File created | C:\Windows\SysWOW64\Geegicjl.dll | Mkgmcjld.exe
File created | C:\Windows\SysWOW64\Jagqlj32.exe | Jiphkm32.exe
File opened for modification | C:\Windows\SysWOW64\Lcgblncm.exe | Lddbqa32.exe
File opened for modification | C:\Windows\SysWOW64\Mjqjih32.exe | Lcgblncm.exe
File opened for modification | C:\Windows\SysWOW64\Mjeddggd.exe | Mcklgm32.exe
File created | C:\Windows\SysWOW64\Nkjjij32.exe | Mcbahlip.exe
File opened for modification | C:\Windows\SysWOW64\Nqfbaq32.exe | Nnhfee32.exe
File opened for modification | C:\Windows\SysWOW64\Ipckgh32.exe | Imdnklfp.exe
File created | C:\Windows\SysWOW64\Kgmlkp32.exe | Kdopod32.exe
File created | C:\Windows\SysWOW64\Kgbefoji.exe | Kdcijcke.exe
File created | C:\Windows\SysWOW64\Mnocof32.exe | Mkpgck32.exe
File opened for modification | C:\Windows\SysWOW64\Mcnhmm32.exe | Mpolqa32.exe
File created | C:\Windows\SysWOW64\Mcbahlip.exe | Mdpalp32.exe
File opened for modification | C:\Windows\SysWOW64\Imdnklfp.exe | Ijfboafl.exe
File opened for modification | C:\Windows\SysWOW64\Lgkhlnbn.exe | Ldmlpbbj.exe
File created | C:\Windows\SysWOW64\Majopeii.exe | Mnocof32.exe
File opened for modification | C:\Windows\SysWOW64\Nkqpjidj.exe | Ncihikcg.exe
File opened for modification | C:\Windows\SysWOW64\Njcpee32.exe | Nkqpjidj.exe
File created | C:\Windows\SysWOW64\Jfaloa32.exe | Jpgdbg32.exe
File opened for modification | C:\Windows\SysWOW64\Mpmokb32.exe | Majopeii.exe
File created | C:\Windows\SysWOW64\Nbkhfc32.exe | Njcpee32.exe
File created | C:\Windows\SysWOW64\Dlddhggk.dll | Ndidbn32.exe
File opened for modification | C:\Windows\SysWOW64\Kgbefoji.exe | Kdcijcke.exe
File created | C:\Windows\SysWOW64\Lmqgnhmp.exe | Kgfoan32.exe
File created | C:\Windows\SysWOW64\Ldkojb32.exe | Lmqgnhmp.exe
File created | C:\Windows\SysWOW64\Dnkdikig.dll | Ldkojb32.exe
File created | C:\Windows\SysWOW64\Epmjjbbj.dll | Mpmokb32.exe
File created | C:\Windows\SysWOW64\Ekipni32.dll | Mcpebmkb.exe
File created | C:\Windows\SysWOW64\Ggcjqj32.dll | Jiphkm32.exe
File opened for modification | C:\Windows\SysWOW64\Kdcijcke.exe | Kmjqmi32.exe
File created | C:\Windows\SysWOW64\Ogijli32.dll | Lgkhlnbn.exe
File created | C:\Windows\SysWOW64\Ckegia32.dll | Lnhmng32.exe
File created | C:\Windows\SysWOW64\Ifopiajn.exe | Ibccic32.exe
File created | C:\Windows\SysWOW64\Jaljgidl.exe | Jidbflcj.exe
File opened for modification | C:\Windows\SysWOW64\Lkdggmlj.exe | Lgikfn32.exe
File created | C:\Windows\SysWOW64\Ijfboafl.exe | 174a134f2f102558310a230de6453bf0_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\Iabgaklg.exe | Ijhodq32.exe
File created | C:\Windows\SysWOW64\Hehifldd.dll | Kdopod32.exe
File created | C:\Windows\SysWOW64\Lkdggmlj.exe | Lgikfn32.exe
File created | C:\Windows\SysWOW64\Lnhmng32.exe | Lgneampk.exe
Program crash (1 IoC)
pid | pid_target | process | target process
5628 | 5524 | WerFault.exe | Nkcmohbg.exe
Modifies registry class (64 IoCs)
Processes: Imdnklfp.exe, Jfffjqdf.exe, Kkkdan32.exe, Lmccchkn.exe, Nddkgonp.exe, Mcklgm32.exe, Lnjjdgee.exe, Mpolqa32.exe, Nkjjij32.exe, Jfaloa32.exe, Jiikak32.exe, Ldmlpbbj.exe, Lgkhlnbn.exe, Lpcmec32.exe, Njogjfoj.exe, 174a134f2f102558310a230de6453bf0_NeikiAnalytics.exe, Nqklmpdd.exe, Kcifkp32.exe, Mdfofakp.exe, Maaepd32.exe, Nnmopdep.exe, Ipckgh32.exe, Kpmfddnf.exe, Mkgmcjld.exe, Ncldnkae.exe, Jidbflcj.exe, Jdjfcecp.exe, Ldaeka32.exe, Lcgblncm.exe, Maohkd32.exe, Ibccic32.exe, Mcpebmkb.exe, Iabgaklg.exe, Jmbklj32.exe, Kmlnbi32.exe, Kpjjod32.exe, Njacpf32.exe, Jpgdbg32.exe, Lnepih32.exe, Mjeddggd.exe, Mcbahlip.exe, Ijhodq32.exe, Jkdnpo32.exe, Kdcijcke.exe, Lnhmng32.exe, Mkpgck32.exe, Ifopiajn.exe, Lcbiao32.exe, Mpaifalo.exe, Lddbqa32.exe, Majopeii.exe, Nnjbke32.exe, Nkqpjidj.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Imdnklfp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jfffjqdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll" | Kkkdan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll" | Lmccchkn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nddkgonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mcklgm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lnjjdgee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll" | Mpolqa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nkjjij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jfaloa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll" | Jiikak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll" | Ldmlpbbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll" | Lgkhlnbn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lpcmec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll" | Njogjfoj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 174a134f2f102558310a230de6453bf0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jfaloa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll" | Jfaloa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nqklmpdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kcifkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll" | Mdfofakp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Maaepd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll" | Nddkgonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nnmopdep.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ipckgh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kpmfddnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll" | Nqklmpdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mpolqa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mkgmcjld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ncldnkae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jidbflcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll" | Jdjfcecp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ldaeka32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lcgblncm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Maohkd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 174a134f2f102558310a230de6453bf0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ibccic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll" | Mcpebmkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Njogjfoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll" | Iabgaklg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jmbklj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kmlnbi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kpjjod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lcgblncm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Njacpf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ibccic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jpgdbg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lnepih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll" | Mjeddggd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mcbahlip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nddkgonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ijhodq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jkdnpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kdcijcke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lnhmng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mkpgck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ifopiajn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lcbiao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll" | Mpaifalo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mcpebmkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lddbqa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Majopeii.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnjbke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nkqpjidj.exe
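The two registry signatures above ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") are one persistence mechanism seen from two sides. Each stage drops a DLL into SysWOW64, points the InProcServer32 default value of CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} at that DLL, and lists the CLSID under ShellServiceObjectDelayLoad as "Web Event Logger"; explorer.exe loads every DLL named there at logon, so whichever DLL the CLSID points at last is what survives a reboot. The script below is an added example, not part of this report or of the sample's code. It correlates lines in the report's own text format into one chain per CLSID (SSODL name, writers of the SSODL entry, each DLL the CLSID was pointed at, and which process dropped that DLL) and flags every CLSID that is not on a baseline. The baseline entry (WebCheck) and the svchost.exe control line are assumptions I supply; the other sample lines are copied from this report.

```python
import json
import re
from collections import defaultdict

# Entries a clean reference image carries under ...\ShellServiceObjectDelayLoad.
# ASSUMPTION: taken from a stock Windows 10 image. Anything listed here is
# silently trusted, so rebuild it from your own gold image before relying on it.
BASELINE_SSODL = {"WebCheck": "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}

# Line shapes as they appear in the report. Both the native and the WOW6432Node
# views are accepted; a 32-bit dropper on x64 lands in the WOW6432Node view.
SSODL_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?'
    r'Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\'
    r'(?P<name>.+?) = "(?P<clsid>\{[0-9A-Fa-f-]+\})" (?P<proc>\S+)$')
INPROC_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?:WOW6432Node\\)?'
    r'CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32\\ = "(?P<dll>[^"]+)" (?P<proc>\S+)$')
FILE_RE = re.compile(r'^File created (?P<path>\S+) (?P<proc>\S+)$')


def norm_path(p):
    # Registry string values in the report escape backslashes (C:\\Windows\\...)
    # and the casing of SysWow64/SysWOW64 varies; fold both so paths compare.
    return p.replace("\\\\", "\\").lower()


def correlate(lines):
    """Return {CLSID: chain}. A chain records the SSODL names that reference the
    CLSID, who wrote them, every DLL the CLSID's InProcServer32 was pointed at
    (with the registering process), and which process created each DLL."""
    chains = defaultdict(lambda: {"names": set(), "ssodl_writers": set(),
                                  "dlls": defaultdict(set), "dropped_by": {}})
    created = defaultdict(set)  # normalised path -> processes that created it
    for line in lines:
        line = line.strip()
        if m := SSODL_RE.match(line):
            c = chains[m["clsid"].upper()]
            c["names"].add(m["name"])
            c["ssodl_writers"].add(m["proc"])
        elif m := INPROC_RE.match(line):
            chains[m["clsid"].upper()]["dlls"][norm_path(m["dll"])].add(m["proc"])
        elif m := FILE_RE.match(line):
            created[norm_path(m["path"])].add(m["proc"])
    for c in chains.values():
        c["dropped_by"] = {dll: created.get(dll, set()) for dll in c["dlls"]}
    return dict(chains)


def in_baseline(name, clsid):
    return BASELINE_SSODL.get(name, "").upper() == clsid.upper()


def findings(chains):
    """One finding per SSODL-referenced CLSID that is not on the baseline."""
    out = []
    for clsid, c in sorted(chains.items()):
        if not c["names"] or all(in_baseline(n, clsid) for n in c["names"]):
            continue  # not an SSODL entry, or every name is a known-good one
        out.append({
            "clsid": clsid,
            "ssodl_names": sorted(c["names"]),
            "ssodl_writers": sorted(c["ssodl_writers"]),
            "dlls": {dll: {"registered_by": sorted(procs),
                           "dropped_by": sorted(c["dropped_by"][dll])}
                     for dll, procs in sorted(c["dlls"].items())},
        })
    return out


# Constructed sample: lines copied from this report, plus one made-up WebCheck
# line (the last one) as a known-good control. The ThreadingModel line shows that
# values other than the InProcServer32 default are ignored.
SAMPLE_IOCS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpolqa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njogjfoj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll" Mpolqa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll" Njogjfoj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll" Lmccchkn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpolqa32.exe
File created C:\Windows\SysWOW64\Dgcifj32.dll Mpolqa32.exe
File created C:\Windows\SysWOW64\Kmalco32.dll Njogjfoj.exe
File created C:\Windows\SysWOW64\Mpolqa32.exe Mnapdf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" svchost.exe
'''.strip().splitlines()

if __name__ == "__main__":
    print(json.dumps(findings(correlate(SAMPLE_IOCS)), indent=2))
```

An empty `dropped_by` list (Eqbmje32.dll above) means the report shows the CLSID being pointed at a DLL but not the DLL being written; several sections of this report list exactly 64 entries, so treat each list as a capped sample rather than the complete activity. On a live host the same check is to enumerate both `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad` and its `WOW6432Node` counterpart, resolve each CLSID through `HKCR\CLSID\{...}\InProcServer32` (and `HKCR\WOW6432Node\CLSID`), and verify the DLL's signature and location before trusting it.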
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 174a134f2f102558310a230de6453bf0_NeikiAnalytics.exe, Ijfboafl.exe, Imdnklfp.exe, Ipckgh32.exe, Ibagcc32.exe, Ijhodq32.exe, Iabgaklg.exe, Ibccic32.exe, Ifopiajn.exe, Imihfl32.exe, Jpgdbg32.exe, Jfaloa32.exe, Jiphkm32.exe, Jagqlj32.exe, Jfdida32.exe, Jibeql32.exe, Jplmmfmi.exe, Jfffjqdf.exe, Jidbflcj.exe, Jaljgidl.exe, Jdjfcecp.exe, Jbmfoa32.exe
description | pid | process | target process
PID 3948 wrote to memory of 3924 | 3948 | 174a134f2f102558310a230de6453bf0_NeikiAnalytics.exe | Ijfboafl.exe
PID 3948 wrote to memory of 3924 | 3948 | 174a134f2f102558310a230de6453bf0_NeikiAnalytics.exe | Ijfboafl.exe
PID 3948 wrote to memory of 3924 | 3948 | 174a134f2f102558310a230de6453bf0_NeikiAnalytics.exe | Ijfboafl.exe
PID 3924 wrote to memory of 4348 | 3924 | Ijfboafl.exe | Imdnklfp.exe
PID 3924 wrote to memory of 4348 | 3924 | Ijfboafl.exe | Imdnklfp.exe
PID 3924 wrote to memory of 4348 | 3924 | Ijfboafl.exe | Imdnklfp.exe
PID 4348 wrote to memory of 2380 | 4348 | Imdnklfp.exe | Ipckgh32.exe
PID 4348 wrote to memory of 2380 | 4348 | Imdnklfp.exe | Ipckgh32.exe
PID 4348 wrote to memory of 2380 | 4348 | Imdnklfp.exe | Ipckgh32.exe
PID 2380 wrote to memory of 4996 | 2380 | Ipckgh32.exe | Ibagcc32.exe
PID 2380 wrote to memory of 4996 | 2380 | Ipckgh32.exe | Ibagcc32.exe
PID 2380 wrote to memory of 4996 | 2380 | Ipckgh32.exe | Ibagcc32.exe
PID 4996 wrote to memory of 468 | 4996 | Ibagcc32.exe | Ijhodq32.exe
PID 4996 wrote to memory of 468 | 4996 | Ibagcc32.exe | Ijhodq32.exe
PID 4996 wrote to memory of 468 | 4996 | Ibagcc32.exe | Ijhodq32.exe
PID 468 wrote to memory of 4308 | 468 | Ijhodq32.exe | Iabgaklg.exe
PID 468 wrote to memory of 4308 | 468 | Ijhodq32.exe | Iabgaklg.exe
PID 468 wrote to memory of 4308 | 468 | Ijhodq32.exe | Iabgaklg.exe
PID 4308 wrote to memory of 3004 | 4308 | Iabgaklg.exe | Ibccic32.exe
PID 4308 wrote to memory of 3004 | 4308 | Iabgaklg.exe | Ibccic32.exe
PID 4308 wrote to memory of 3004 | 4308 | Iabgaklg.exe | Ibccic32.exe
PID 3004 wrote to memory of 5040 | 3004 | Ibccic32.exe | Ifopiajn.exe
PID 3004 wrote to memory of 5040 | 3004 | Ibccic32.exe | Ifopiajn.exe
PID 3004 wrote to memory of 5040 | 3004 | Ibccic32.exe | Ifopiajn.exe
PID 5040 wrote to memory of 2724 | 5040 | Ifopiajn.exe | Imihfl32.exe
PID 5040 wrote to memory of 2724 | 5040 | Ifopiajn.exe | Imihfl32.exe
PID 5040 wrote to memory of 2724 | 5040 | Ifopiajn.exe | Imihfl32.exe
PID 2724 wrote to memory of 2624 | 2724 | Imihfl32.exe | Jpgdbg32.exe
PID 2724 wrote to memory of 2624 | 2724 | Imihfl32.exe | Jpgdbg32.exe
PID 2724 wrote to memory of 2624 | 2724 | Imihfl32.exe | Jpgdbg32.exe
PID 2624 wrote to memory of 4156 | 2624 | Jpgdbg32.exe | Jfaloa32.exe
PID 2624 wrote to memory of 4156 | 2624 | Jpgdbg32.exe | Jfaloa32.exe
PID 2624 wrote to memory of 4156 | 2624 | Jpgdbg32.exe | Jfaloa32.exe
PID 4156 wrote to memory of 4796 | 4156 | Jfaloa32.exe | Jiphkm32.exe
PID 4156 wrote to memory of 4796 | 4156 | Jfaloa32.exe | Jiphkm32.exe
PID 4156 wrote to memory of 4796 | 4156 | Jfaloa32.exe | Jiphkm32.exe
PID 4796 wrote to memory of 2368 | 4796 | Jiphkm32.exe | Jagqlj32.exe
PID 4796 wrote to memory of 2368 | 4796 | Jiphkm32.exe | Jagqlj32.exe
PID 4796 wrote to memory of 2368 | 4796 | Jiphkm32.exe | Jagqlj32.exe
PID 2368 wrote to memory of 3048 | 2368 | Jagqlj32.exe | Jfdida32.exe
PID 2368 wrote to memory of 3048 | 2368 | Jagqlj32.exe | Jfdida32.exe
PID 2368 wrote to memory of 3048 | 2368 | Jagqlj32.exe | Jfdida32.exe
PID 3048 wrote to memory of 4828 | 3048 | Jfdida32.exe | Jibeql32.exe
PID 3048 wrote to memory of 4828 | 3048 | Jfdida32.exe | Jibeql32.exe
PID 3048 wrote to memory of 4828 | 3048 | Jfdida32.exe | Jibeql32.exe
PID 4828 wrote to memory of 536 | 4828 | Jibeql32.exe | Jplmmfmi.exe
PID 4828 wrote to memory of 536 | 4828 | Jibeql32.exe | Jplmmfmi.exe
PID 4828 wrote to memory of 536 | 4828 | Jibeql32.exe | Jplmmfmi.exe
PID 536 wrote to memory of 540 | 536 | Jplmmfmi.exe | Jfffjqdf.exe
PID 536 wrote to memory of 540 | 536 | Jplmmfmi.exe | Jfffjqdf.exe
PID 536 wrote to memory of 540 | 536 | Jplmmfmi.exe | Jfffjqdf.exe
PID 540 wrote to memory of 3908 | 540 | Jfffjqdf.exe | Jidbflcj.exe
PID 540 wrote to memory of 3908 | 540 | Jfffjqdf.exe | Jidbflcj.exe
PID 540 wrote to memory of 3908 | 540 | Jfffjqdf.exe | Jidbflcj.exe
PID 3908 wrote to memory of 4680 | 3908 | Jidbflcj.exe | Jaljgidl.exe
PID 3908 wrote to memory of 4680 | 3908 | Jidbflcj.exe | Jaljgidl.exe
PID 3908 wrote to memory of 4680 | 3908 | Jidbflcj.exe | Jaljgidl.exe
PID 4680 wrote to memory of 4056 | 4680 | Jaljgidl.exe | Jdjfcecp.exe
PID 4680 wrote to memory of 4056 | 4680 | Jaljgidl.exe | Jdjfcecp.exe
PID 4680 wrote to memory of 4056 | 4680 | Jaljgidl.exe | Jdjfcecp.exe
PID 4056 wrote to memory of 2496 | 4056 | Jdjfcecp.exe | Jbmfoa32.exe
PID 4056 wrote to memory of 2496 | 4056 | Jdjfcecp.exe | Jbmfoa32.exe
PID 4056 wrote to memory of 2496 | 4056 | Jdjfcecp.exe | Jbmfoa32.exe
PID 2496 wrote to memory of 2964 | 2496 | Jbmfoa32.exe | Jkdnpo32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\174a134f2f102558310a230de6453bf0_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\174a134f2f102558310a230de6453bf0_NeikiAnalytics.exe", tree depth 1)
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Ijfboafl.exe (command line: C:\Windows\system32\Ijfboafl.exe, tree depth 2)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Imdnklfp.exe (command line: C:\Windows\system32\Imdnklfp.exe, tree depth 3)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Ipckgh32.exe (command line: C:\Windows\system32\Ipckgh32.exe, tree depth 4)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Ibagcc32.exe (command line: C:\Windows\system32\Ibagcc32.exe, tree depth 5)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Ijhodq32.exe (command line: C:\Windows\system32\Ijhodq32.exe, tree depth 6)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Iabgaklg.exe (command line: C:\Windows\system32\Iabgaklg.exe, tree depth 7)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\Ibccic32.exe (command line: C:\Windows\system32\Ibccic32.exe, tree depth 8)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Ifopiajn.exe (command line: C:\Windows\system32\Ifopiajn.exe, tree depth 9)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Imihfl32.exe (command line: C:\Windows\system32\Imihfl32.exe, tree depth 10)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Jpgdbg32.exe (command line: C:\Windows\system32\Jpgdbg32.exe, tree depth 11)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Jfaloa32.exe (command line: C:\Windows\system32\Jfaloa32.exe, tree depth 12)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\Jiphkm32.exe (command line: C:\Windows\system32\Jiphkm32.exe, tree depth 13)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Jagqlj32.exe (command line: C:\Windows\system32\Jagqlj32.exe, tree depth 14)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Jfdida32.exe (command line: C:\Windows\system32\Jfdida32.exe, tree depth 15)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Jibeql32.exe (command line: C:\Windows\system32\Jibeql32.exe, tree depth 16)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Jplmmfmi.exe (command line: C:\Windows\system32\Jplmmfmi.exe, tree depth 17)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Jfffjqdf.exe (command line: C:\Windows\system32\Jfffjqdf.exe, tree depth 18)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Jidbflcj.exe (command line: C:\Windows\system32\Jidbflcj.exe, tree depth 19)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\Jaljgidl.exe (command line: C:\Windows\system32\Jaljgidl.exe, tree depth 20)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Jdjfcecp.exe (command line: C:\Windows\system32\Jdjfcecp.exe, tree depth 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Jbmfoa32.exe (command line: C:\Windows\system32\Jbmfoa32.exe, tree depth 22)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Jkdnpo32.exe (command line: C:\Windows\system32\Jkdnpo32.exe, tree depth 23)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Jmbklj32.exe (command line: C:\Windows\system32\Jmbklj32.exe, tree depth 24)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4408 -
C:\Windows\SysWOW64\Jangmibi.exe (command line: C:\Windows\system32\Jangmibi.exe, tree depth 25)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Jiikak32.exe (command line: C:\Windows\system32\Jiikak32.exe, tree depth 26)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4160 -
C:\Windows\SysWOW64\Kdopod32.exe (command line: C:\Windows\system32\Kdopod32.exe, tree depth 27)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Kgmlkp32.exe (command line: C:\Windows\system32\Kgmlkp32.exe, tree depth 28)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Kmgdgjek.exe (command line: C:\Windows\system32\Kmgdgjek.exe, tree depth 29)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Kdaldd32.exe (command line: C:\Windows\system32\Kdaldd32.exe, tree depth 30)
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Kkkdan32.exe (command line: C:\Windows\system32\Kkkdan32.exe, tree depth 31)
- Modifies registry class
PID:3784 -
C:\Windows\SysWOW64\Kmjqmi32.exe (command line: C:\Windows\system32\Kmjqmi32.exe, tree depth 32)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1388 -
C:\Windows\SysWOW64\Kdcijcke.exe (command line: C:\Windows\system32\Kdcijcke.exe, tree depth 33)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Kgbefoji.exe (command line: C:\Windows\system32\Kgbefoji.exe, tree depth 34)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Kmlnbi32.exe (command line: C:\Windows\system32\Kmlnbi32.exe, tree depth 35)
- Executes dropped EXE
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Kpjjod32.exe (command line: C:\Windows\system32\Kpjjod32.exe, tree depth 36)
- Executes dropped EXE
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Kcifkp32.exe (command line: C:\Windows\system32\Kcifkp32.exe, tree depth 37)
- Executes dropped EXE
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Kkpnlm32.exe (command line: C:\Windows\system32\Kkpnlm32.exe, tree depth 38)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:700 -
C:\Windows\SysWOW64\Kpmfddnf.exe (command line: C:\Windows\system32\Kpmfddnf.exe, tree depth 39)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4420 -
C:\Windows\SysWOW64\Kgfoan32.exe (command line: C:\Windows\system32\Kgfoan32.exe, tree depth 40)
- Executes dropped EXE
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Lmqgnhmp.exe (command line: C:\Windows\system32\Lmqgnhmp.exe, tree depth 41)
- Executes dropped EXE
- Drops file in System32 directory
PID:3744 -
C:\Windows\SysWOW64\Ldkojb32.exe (command line: C:\Windows\system32\Ldkojb32.exe, tree depth 42)
- Executes dropped EXE
- Drops file in System32 directory
PID:4004 -
C:\Windows\SysWOW64\Lgikfn32.exe (command line: C:\Windows\system32\Lgikfn32.exe, tree depth 43)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Lkdggmlj.exe (command line: C:\Windows\system32\Lkdggmlj.exe, tree depth 44)
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Lmccchkn.exe (command line: C:\Windows\system32\Lmccchkn.exe, tree depth 45)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4940 -
C:\Windows\SysWOW64\Ldmlpbbj.exe (command line: C:\Windows\system32\Ldmlpbbj.exe, tree depth 46)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4328 -
C:\Windows\SysWOW64\Lgkhlnbn.exe (command line: C:\Windows\system32\Lgkhlnbn.exe, tree depth 47)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Lijdhiaa.exe (command line: C:\Windows\system32\Lijdhiaa.exe, tree depth 48)
- Executes dropped EXE
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Lnepih32.exe (command line: C:\Windows\system32\Lnepih32.exe, tree depth 49)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3900 -
C:\Windows\SysWOW64\Lpcmec32.exe (command line: C:\Windows\system32\Lpcmec32.exe, tree depth 50)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3840 -
C:\Windows\SysWOW64\Lcbiao32.exe (command line: C:\Windows\system32\Lcbiao32.exe, tree depth 51)
- Executes dropped EXE
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Lgneampk.exe (command line: C:\Windows\system32\Lgneampk.exe, tree depth 52)
- Executes dropped EXE
- Drops file in System32 directory
PID:5084 -
C:\Windows\SysWOW64\Lnhmng32.exe (command line: C:\Windows\system32\Lnhmng32.exe, tree depth 53)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4832 -
C:\Windows\SysWOW64\Ldaeka32.exe (command line: C:\Windows\system32\Ldaeka32.exe, tree depth 54)
- Executes dropped EXE
- Modifies registry class
PID:4872 -
C:\Windows\SysWOW64\Ljnnch32.exe (command line: C:\Windows\system32\Ljnnch32.exe, tree depth 55)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Lnjjdgee.exe (command line: C:\Windows\system32\Lnjjdgee.exe, tree depth 56)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Lddbqa32.exe (command line: C:\Windows\system32\Lddbqa32.exe, tree depth 57)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Lcgblncm.exe (command line: C:\Windows\system32\Lcgblncm.exe, tree depth 58)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5060 -
C:\Windows\SysWOW64\Mjqjih32.exe (command line: C:\Windows\system32\Mjqjih32.exe, tree depth 59)
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Mahbje32.exe (command line: C:\Windows\system32\Mahbje32.exe, tree depth 60)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Mdfofakp.exe (command line: C:\Windows\system32\Mdfofakp.exe, tree depth 61)
- Executes dropped EXE
- Modifies registry class
PID:3616 -
C:\Windows\SysWOW64\Mkpgck32.exe (command line: C:\Windows\system32\Mkpgck32.exe, tree depth 62)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Mnocof32.exe (command line: C:\Windows\system32\Mnocof32.exe, tree depth 63)
- Executes dropped EXE
- Drops file in System32 directory
PID:3628 -
C:\Windows\SysWOW64\Majopeii.exe (command line: C:\Windows\system32\Majopeii.exe, tree depth 64)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Mpmokb32.exe (command line: C:\Windows\system32\Mpmokb32.exe, tree depth 65)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3764 -
C:\Windows\SysWOW64\Mcklgm32.exe (command line: C:\Windows\system32\Mcklgm32.exe, tree depth 66)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Mjeddggd.exe (command line: C:\Windows\system32\Mjeddggd.exe, tree depth 67)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Mnapdf32.exe (command line: C:\Windows\system32\Mnapdf32.exe, tree depth 68)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3740 -
C:\Windows\SysWOW64\Mpolqa32.exe (command line: C:\Windows\system32\Mpolqa32.exe, tree depth 69)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Mcnhmm32.exe (command line: C:\Windows\system32\Mcnhmm32.exe, tree depth 70)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3612 -
C:\Windows\SysWOW64\Mgidml32.exe (command line: C:\Windows\system32\Mgidml32.exe, tree depth 71)
PID:2468 -
C:\Windows\SysWOW64\Mjhqjg32.exe (command line: C:\Windows\system32\Mjhqjg32.exe, tree depth 72)
PID:2472 -
C:\Windows\SysWOW64\Maohkd32.exe (command line: C:\Windows\system32\Maohkd32.exe, tree depth 73)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Mpaifalo.exe (command line: C:\Windows\system32\Mpaifalo.exe, tree depth 74)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Mcpebmkb.exe (command line: C:\Windows\system32\Mcpebmkb.exe, tree depth 75)
- Drops file in System32 directory
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Mkgmcjld.exe (command line: C:\Windows\system32\Mkgmcjld.exe, tree depth 76)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Mjjmog32.exe (command line: C:\Windows\system32\Mjjmog32.exe, tree depth 77)
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Maaepd32.exe (command line: C:\Windows\system32\Maaepd32.exe, tree depth 78)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Mdpalp32.exe (command line: C:\Windows\system32\Mdpalp32.exe, tree depth 79)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4064 -
C:\Windows\SysWOW64\Mcbahlip.exe (command line: C:\Windows\system32\Mcbahlip.exe, tree depth 80)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Nkjjij32.exe (command line: C:\Windows\system32\Nkjjij32.exe, tree depth 81)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4316 -
C:\Windows\SysWOW64\Nnhfee32.exe (command line: C:\Windows\system32\Nnhfee32.exe, tree depth 82)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Nqfbaq32.exe (command line: C:\Windows\system32\Nqfbaq32.exe, tree depth 83)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3116 -
C:\Windows\SysWOW64\Nceonl32.exe (command line: C:\Windows\system32\Nceonl32.exe, tree depth 84)
PID:1136 -
C:\Windows\SysWOW64\Njogjfoj.exe (command line: C:\Windows\system32\Njogjfoj.exe, tree depth 85)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Nnjbke32.exe (command line: C:\Windows\system32\Nnjbke32.exe, tree depth 86)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3980 -
C:\Windows\SysWOW64\Nddkgonp.exe (command line: C:\Windows\system32\Nddkgonp.exe, tree depth 87)
- Modifies registry class
PID:4084 -
C:\Windows\SysWOW64\Ngcgcjnc.exe (command line: C:\Windows\system32\Ngcgcjnc.exe, tree depth 88)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4052 -
C:\Windows\SysWOW64\Njacpf32.exe (command line: C:\Windows\system32\Njacpf32.exe, tree depth 89)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Nnmopdep.exe (command line: C:\Windows\system32\Nnmopdep.exe, tree depth 90)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Nqklmpdd.exe (command line: C:\Windows\system32\Nqklmpdd.exe, tree depth 91)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Ncihikcg.exe (command line: C:\Windows\system32\Ncihikcg.exe, tree depth 92)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5240 -
C:\Windows\SysWOW64\Nkqpjidj.exe (command line: C:\Windows\system32\Nkqpjidj.exe, tree depth 93)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Njcpee32.exe (command line: C:\Windows\system32\Njcpee32.exe, tree depth 94)
- Drops file in System32 directory
PID:5344 -
C:\Windows\SysWOW64\Nbkhfc32.exe (command line: C:\Windows\system32\Nbkhfc32.exe, tree depth 95)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5388 -
C:\Windows\SysWOW64\Ndidbn32.exe (command line: C:\Windows\system32\Ndidbn32.exe, tree depth 96)
- Drops file in System32 directory
PID:5436 -
C:\Windows\SysWOW64\Ncldnkae.exe (command line: C:\Windows\system32\Ncldnkae.exe, tree depth 97)
- Modifies registry class
PID:5484 -
C:\Windows\SysWOW64\Nkcmohbg.exe (command line: C:\Windows\system32\Nkcmohbg.exe, tree depth 98)
PID:5524 -
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5524 -s 408, tree depth 99)
- Program crash
PID:5628 -
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5524 -ip 5524, tree depth 1)
PID:5600
Network
MITRE ATT&CK Enterprise v15
Downloads