Analysis
max time kernel: 137s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 02:03
Behavioral task: behavioral1
Sample: 72af6fb0570b365749de92450e9d0700_NeikiAnalytics.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 72af6fb0570b365749de92450e9d0700_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 72af6fb0570b365749de92450e9d0700_NeikiAnalytics.exe
Size: 94KB
MD5: 72af6fb0570b365749de92450e9d0700
SHA1: e0650d5d172267e413c7b1201b83d4db2d7ef41e
SHA256: 35a54d2eec0a011c00ece0cf6b2e11bbc93241dae5dfe3472da4cd5c07f34b12
SHA512: 4c1e89d1819ab17205a8c604ca9ffe96b0a49da7a8cf56ff1f05a367391412eec878a5af4a7b7f9f62c3214cf1d41c0a22888250eb81672d517ef70778f146e1
SSDEEP: 1536:PdalDCI+wTZr2cVgVolCtGAsJbIK2LHaIZTJ+7LhkiB0MPiKeEAgv:PkJCI+wTZr2cVgV8CtPsKXHaMU7uihJd
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (35 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes:
pid   pid_target   process        target process
5588  5268         WerFault.exe   Nkcmohbg.exe
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
2072 Ipldfi32.exe Iidipnal.exe PID 2072 wrote to memory of 1540 2072 Ipldfi32.exe Iidipnal.exe PID 1540 wrote to memory of 1888 1540 Iidipnal.exe Imbaemhc.exe PID 1540 wrote to memory of 1888 1540 Iidipnal.exe Imbaemhc.exe PID 1540 wrote to memory of 1888 1540 Iidipnal.exe Imbaemhc.exe PID 1888 wrote to memory of 4000 1888 Imbaemhc.exe Icljbg32.exe PID 1888 wrote to memory of 4000 1888 Imbaemhc.exe Icljbg32.exe PID 1888 wrote to memory of 4000 1888 Imbaemhc.exe Icljbg32.exe PID 4000 wrote to memory of 3860 4000 Icljbg32.exe Imdnklfp.exe
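The flattened record list above is hard to read as a tree. The following Python is an added example, not part of the sandbox report and not the sample's own code: it pulls records of exactly this shape out of the flattened text, rebuilds the writer → target chain from the root, counts writes per hop, and flags the relay pattern the process tree below shows (a long, non-branching chain in which every hop is a new image). The embedded log is a constructed excerpt of the report's first five hops; the relay heuristic and its min_hops threshold are my own assumptions, not a Triage signature.

```python
"""Rebuild the spawn chain from a Triage-style "wrote to memory of" log.

Records are flattened onto one line in the report as
    PID <writer> wrote to memory of <target> <writer> <writer.exe> <target.exe>
and repeated once per WriteProcessMemory call (three per child here).
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed excerpt: the report's first four hops, three records each, flattened
# onto a single string exactly as the page shows them, plus one record for hop five.
SAMPLE_LOG = (
    "PID 3724 wrote to memory of 4472 3724 "
    "72af6fb0570b365749de92450e9d0700_NeikiAnalytics.exe Gpklpkio.exe " * 3
    + "PID 4472 wrote to memory of 1776 4472 Gpklpkio.exe Gidphq32.exe " * 3
    + "PID 1776 wrote to memory of 3932 1776 Gidphq32.exe Gpnhekgl.exe " * 3
    + "PID 3932 wrote to memory of 216 3932 Gpnhekgl.exe Gfhqbe32.exe " * 3
    + "PID 216 wrote to memory of 4572 216 Gfhqbe32.exe Gifmnpnl.exe"
)

RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")


@dataclass(frozen=True)
class WriteEvent:
    writer_pid: int
    target_pid: int
    writer_image: str
    target_image: str


def parse_events(text):
    """Extract every record; the third number must repeat the writer PID."""
    events = []
    for m in RECORD_RE.finditer(text):
        writer, target, writer_again, src, dst = m.groups()
        if writer != writer_again:
            raise ValueError(f"malformed record: {m.group(0)!r}")
        events.append(WriteEvent(int(writer), int(target), src, dst))
    return events


def edge_counts(events):
    """Writes per (parent, child) pair; a uniform count means the same spawn path each hop."""
    return Counter((e.writer_pid, e.target_pid) for e in events)


def spawn_chain(events):
    """Follow writer -> target from the single root until the tree ends or branches."""
    children, parent, image = defaultdict(set), {}, {}
    for e in events:
        children[e.writer_pid].add(e.target_pid)
        parent.setdefault(e.target_pid, e.writer_pid)
        image[e.writer_pid] = e.writer_image
        image[e.target_pid] = e.target_image
    roots = [p for p in children if p not in parent]
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {roots}")
    chain = [roots[0]]
    while True:
        kids = children.get(chain[-1], set())
        if len(kids) != 1:
            break  # leaf, or the tree fans out
        nxt = next(iter(kids))
        if nxt in chain:
            break  # defensive: a write back into an ancestor would loop
        chain.append(nxt)
    return [(pid, image[pid]) for pid in chain]


def is_dropper_relay(events, min_hops=4):
    """Assumed heuristic: a non-branching chain of >= min_hops hops, every hop a new image."""
    chain = spawn_chain(events)
    names = [img for _, img in chain]
    return len(chain) - 1 >= min_hops and len(set(names)) == len(names)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for pid, img in spawn_chain(evs):
        print(pid, img)
    print("writes per hop:", dict(edge_counts(evs)))
    print("dropper relay:", is_dropper_relay(evs))
```

Run against the full 64-record list the same way; the parser does not care whether the records are on one line or sixty-four, which is the point of matching on the record shape rather than on line breaks.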
Processes
-
Reading the tree: [n] is the nesting depth; each entry gives the image path, the command line the parent used, the signatures that fired for that process, and its PID. The tree is a single chain: every process launches the next dropped executable from C:\Windows\SysWOW64, 113 processes deep, until the last one, Nkcmohbg.exe (PID 5268), crashes and WerFault.exe is started for it. Command lines name C:\Windows\system32\<name>.exe while the image path is C:\Windows\SysWOW64\<name>.exe because the sample is 32-bit, so WoW64 file-system redirection maps its system32 writes and lookups to SysWOW64.

[1] C:\Users\Admin\AppData\Local\Temp\72af6fb0570b365749de92450e9d0700_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\72af6fb0570b365749de92450e9d0700_NeikiAnalytics.exe"
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3724
[2] C:\Windows\SysWOW64\Gpklpkio.exe (command line: C:\Windows\system32\Gpklpkio.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4472
[3] C:\Windows\SysWOW64\Gidphq32.exe (command line: C:\Windows\system32\Gidphq32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 1776
[4] C:\Windows\SysWOW64\Gpnhekgl.exe (command line: C:\Windows\system32\Gpnhekgl.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3932
[5] C:\Windows\SysWOW64\Gfhqbe32.exe (command line: C:\Windows\system32\Gfhqbe32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 216
[6] C:\Windows\SysWOW64\Gifmnpnl.exe (command line: C:\Windows\system32\Gifmnpnl.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4572
[7] C:\Windows\SysWOW64\Gameonno.exe (command line: C:\Windows\system32\Gameonno.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3808
[8] C:\Windows\SysWOW64\Gppekj32.exe (command line: C:\Windows\system32\Gppekj32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2908
[9] C:\Windows\SysWOW64\Hpbaqj32.exe (command line: C:\Windows\system32\Hpbaqj32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2724
[10] C:\Windows\SysWOW64\Hjhfnccl.exe (command line: C:\Windows\system32\Hjhfnccl.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3576
[11] C:\Windows\SysWOW64\Hmfbjnbp.exe (command line: C:\Windows\system32\Hmfbjnbp.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3988
[12] C:\Windows\SysWOW64\Hbckbepg.exe (command line: C:\Windows\system32\Hbckbepg.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1616
[13] C:\Windows\SysWOW64\Hmioonpn.exe (command line: C:\Windows\system32\Hmioonpn.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4580
[14] C:\Windows\SysWOW64\Hccglh32.exe (command line: C:\Windows\system32\Hccglh32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 3000
[15] C:\Windows\SysWOW64\Hfachc32.exe (command line: C:\Windows\system32\Hfachc32.exe)
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3716
[16] C:\Windows\SysWOW64\Haggelfd.exe (command line: C:\Windows\system32\Haggelfd.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 1108
[17] C:\Windows\SysWOW64\Hcedaheh.exe (command line: C:\Windows\system32\Hcedaheh.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3892
[18] C:\Windows\SysWOW64\Hfcpncdk.exe (command line: C:\Windows\system32\Hfcpncdk.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 752
[19] C:\Windows\SysWOW64\Ipldfi32.exe (command line: C:\Windows\system32\Ipldfi32.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2072
[20] C:\Windows\SysWOW64\Iidipnal.exe (command line: C:\Windows\system32\Iidipnal.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1540
[21] C:\Windows\SysWOW64\Imbaemhc.exe (command line: C:\Windows\system32\Imbaemhc.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1888
[22] C:\Windows\SysWOW64\Icljbg32.exe (command line: C:\Windows\system32\Icljbg32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 4000
[23] C:\Windows\SysWOW64\Imdnklfp.exe (command line: C:\Windows\system32\Imdnklfp.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 3860
[24] C:\Windows\SysWOW64\Ipckgh32.exe (command line: C:\Windows\system32\Ipckgh32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 116
[25] C:\Windows\SysWOW64\Ifmcdblq.exe (command line: C:\Windows\system32\Ifmcdblq.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 392
[26] C:\Windows\SysWOW64\Iabgaklg.exe (command line: C:\Windows\system32\Iabgaklg.exe)
    - Executes dropped EXE
    PID: 1816
[27] C:\Windows\SysWOW64\Ibccic32.exe (command line: C:\Windows\system32\Ibccic32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 2700
[28] C:\Windows\SysWOW64\Iinlemia.exe (command line: C:\Windows\system32\Iinlemia.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID: 4084
[29] C:\Windows\SysWOW64\Jpgdbg32.exe (command line: C:\Windows\system32\Jpgdbg32.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 4688
[30] C:\Windows\SysWOW64\Jbfpobpb.exe (command line: C:\Windows\system32\Jbfpobpb.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 3012
[31] C:\Windows\SysWOW64\Jfaloa32.exe (command line: C:\Windows\system32\Jfaloa32.exe)
    - Executes dropped EXE
    PID: 2692
[32] C:\Windows\SysWOW64\Jjmhppqd.exe (command line: C:\Windows\system32\Jjmhppqd.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 4408
[33] C:\Windows\SysWOW64\Jiphkm32.exe (command line: C:\Windows\system32\Jiphkm32.exe)
    - Executes dropped EXE
    PID: 3720
[34] C:\Windows\SysWOW64\Jmkdlkph.exe (command line: C:\Windows\system32\Jmkdlkph.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 3208
[35] C:\Windows\SysWOW64\Jagqlj32.exe (command line: C:\Windows\system32\Jagqlj32.exe)
    - Executes dropped EXE
    PID: 2732
[36] C:\Windows\SysWOW64\Jpjqhgol.exe (command line: C:\Windows\system32\Jpjqhgol.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 3136
[37] C:\Windows\SysWOW64\Jbhmdbnp.exe (command line: C:\Windows\system32\Jbhmdbnp.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 3852
[38] C:\Windows\SysWOW64\Jfdida32.exe (command line: C:\Windows\system32\Jfdida32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 4920
[39] C:\Windows\SysWOW64\Jaljgidl.exe (command line: C:\Windows\system32\Jaljgidl.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 3676
[40] C:\Windows\SysWOW64\Jbmfoa32.exe (command line: C:\Windows\system32\Jbmfoa32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 2632
[41] C:\Windows\SysWOW64\Jigollag.exe (command line: C:\Windows\system32\Jigollag.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 4872
[42] C:\Windows\SysWOW64\Jmbklj32.exe (command line: C:\Windows\system32\Jmbklj32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID: 880
[43] C:\Windows\SysWOW64\Jdmcidam.exe (command line: C:\Windows\system32\Jdmcidam.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 1532
[44] C:\Windows\SysWOW64\Jkfkfohj.exe (command line: C:\Windows\system32\Jkfkfohj.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 3600
[45] C:\Windows\SysWOW64\Kmegbjgn.exe (command line: C:\Windows\system32\Kmegbjgn.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 4640
[46] C:\Windows\SysWOW64\Kpccnefa.exe (command line: C:\Windows\system32\Kpccnefa.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 3828
[47] C:\Windows\SysWOW64\Kkihknfg.exe (command line: C:\Windows\system32\Kkihknfg.exe)
    - Executes dropped EXE
    PID: 2456
[48] C:\Windows\SysWOW64\Kacphh32.exe (command line: C:\Windows\system32\Kacphh32.exe)
    - Executes dropped EXE
    PID: 4136
[49] C:\Windows\SysWOW64\Kdaldd32.exe (command line: C:\Windows\system32\Kdaldd32.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 1852
[50] C:\Windows\SysWOW64\Kinemkko.exe (command line: C:\Windows\system32\Kinemkko.exe)
    - Executes dropped EXE
    PID: 1728
[51] C:\Windows\SysWOW64\Kaemnhla.exe (command line: C:\Windows\system32\Kaemnhla.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID: 4524
[52] C:\Windows\SysWOW64\Kknafn32.exe (command line: C:\Windows\system32\Kknafn32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 228
[53] C:\Windows\SysWOW64\Kmlnbi32.exe (command line: C:\Windows\system32\Kmlnbi32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID: 2644
[54] C:\Windows\SysWOW64\Kgdbkohf.exe (command line: C:\Windows\system32\Kgdbkohf.exe)
    - Executes dropped EXE
    PID: 1000
[55] C:\Windows\SysWOW64\Kibnhjgj.exe (command line: C:\Windows\system32\Kibnhjgj.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 4884
[56] C:\Windows\SysWOW64\Kckbqpnj.exe (command line: C:\Windows\system32\Kckbqpnj.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 2468
[57] C:\Windows\SysWOW64\Kgfoan32.exe (command line: C:\Windows\system32\Kgfoan32.exe)
    - Executes dropped EXE
    PID: 3376
[58] C:\Windows\SysWOW64\Lalcng32.exe (command line: C:\Windows\system32\Lalcng32.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 2100
[59] C:\Windows\SysWOW64\Ldkojb32.exe (command line: C:\Windows\system32\Ldkojb32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 2980
[60] C:\Windows\SysWOW64\Lgikfn32.exe (command line: C:\Windows\system32\Lgikfn32.exe)
    - Executes dropped EXE
    PID: 1176
[61] C:\Windows\SysWOW64\Lmccchkn.exe (command line: C:\Windows\system32\Lmccchkn.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 2856
[62] C:\Windows\SysWOW64\Ldmlpbbj.exe (command line: C:\Windows\system32\Ldmlpbbj.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 3240
[63] C:\Windows\SysWOW64\Lijdhiaa.exe (command line: C:\Windows\system32\Lijdhiaa.exe)
    - Executes dropped EXE
    PID: 2876
[64] C:\Windows\SysWOW64\Lnepih32.exe (command line: C:\Windows\system32\Lnepih32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 4856
[65] C:\Windows\SysWOW64\Lpcmec32.exe (command line: C:\Windows\system32\Lpcmec32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 3656
[66] C:\Windows\SysWOW64\Lcbiao32.exe (command line: C:\Windows\system32\Lcbiao32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 1604
[67] C:\Windows\SysWOW64\Lgneampk.exe (command line: C:\Windows\system32\Lgneampk.exe)
    PID: 1028
[68] C:\Windows\SysWOW64\Lilanioo.exe (command line: C:\Windows\system32\Lilanioo.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    PID: 3924
[69] C:\Windows\SysWOW64\Lnhmng32.exe (command line: C:\Windows\system32\Lnhmng32.exe)
    - Drops file in System32 directory
    PID: 3940
[70] C:\Windows\SysWOW64\Lcdegnep.exe (command line: C:\Windows\system32\Lcdegnep.exe)
    PID: 4500
[71] C:\Windows\SysWOW64\Ljnnch32.exe (command line: C:\Windows\system32\Ljnnch32.exe)
    PID: 3192
[72] C:\Windows\SysWOW64\Laefdf32.exe (command line: C:\Windows\system32\Laefdf32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID: 3384
[73] C:\Windows\SysWOW64\Lddbqa32.exe (command line: C:\Windows\system32\Lddbqa32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    PID: 4412
[74] C:\Windows\SysWOW64\Lcgblncm.exe (command line: C:\Windows\system32\Lcgblncm.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    PID: 4484
[75] C:\Windows\SysWOW64\Lknjmkdo.exe (command line: C:\Windows\system32\Lknjmkdo.exe)
    - Drops file in System32 directory
    - Modifies registry class
    PID: 2948
[76] C:\Windows\SysWOW64\Mnlfigcc.exe (command line: C:\Windows\system32\Mnlfigcc.exe)
    - Modifies registry class
    PID: 4796
[77] C:\Windows\SysWOW64\Mpkbebbf.exe (command line: C:\Windows\system32\Mpkbebbf.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 3468
[78] C:\Windows\SysWOW64\Mgekbljc.exe (command line: C:\Windows\system32\Mgekbljc.exe)
    PID: 780
[79] C:\Windows\SysWOW64\Mkpgck32.exe (command line: C:\Windows\system32\Mkpgck32.exe)
    PID: 3612
[80] C:\Windows\SysWOW64\Mnocof32.exe (command line: C:\Windows\system32\Mnocof32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID: 2584
[81] C:\Windows\SysWOW64\Mpmokb32.exe (command line: C:\Windows\system32\Mpmokb32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID: 4396
[82] C:\Windows\SysWOW64\Mcklgm32.exe (command line: C:\Windows\system32\Mcklgm32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID: 4160
[83] C:\Windows\SysWOW64\Mkbchk32.exe (command line: C:\Windows\system32\Mkbchk32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 2428
[84] C:\Windows\SysWOW64\Mnapdf32.exe (command line: C:\Windows\system32\Mnapdf32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 4952
[85] C:\Windows\SysWOW64\Mpolqa32.exe (command line: C:\Windows\system32\Mpolqa32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    PID: 3244
[86] C:\Windows\SysWOW64\Mdkhapfj.exe (command line: C:\Windows\system32\Mdkhapfj.exe)
    - Drops file in System32 directory
    - Modifies registry class
    PID: 3328
[87] C:\Windows\SysWOW64\Mgidml32.exe (command line: C:\Windows\system32\Mgidml32.exe)
    - Drops file in System32 directory
    PID: 1608
[88] C:\Windows\SysWOW64\Mdmegp32.exe (command line: C:\Windows\system32\Mdmegp32.exe)
    - Drops file in System32 directory
    - Modifies registry class
    PID: 4112
[89] C:\Windows\SysWOW64\Mglack32.exe (command line: C:\Windows\system32\Mglack32.exe)
    - Drops file in System32 directory
    - Modifies registry class
    PID: 5132
[90] C:\Windows\SysWOW64\Mjjmog32.exe (command line: C:\Windows\system32\Mjjmog32.exe)
    PID: 5168
[91] C:\Windows\SysWOW64\Mnfipekh.exe (command line: C:\Windows\system32\Mnfipekh.exe)
    - Modifies registry class
    PID: 5216
[92] C:\Windows\SysWOW64\Mpdelajl.exe (command line: C:\Windows\system32\Mpdelajl.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID: 5260
[93] C:\Windows\SysWOW64\Mdpalp32.exe (command line: C:\Windows\system32\Mdpalp32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    PID: 5308
[94] C:\Windows\SysWOW64\Mcbahlip.exe (command line: C:\Windows\system32\Mcbahlip.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    PID: 5356
[95] C:\Windows\SysWOW64\Nkjjij32.exe (command line: C:\Windows\system32\Nkjjij32.exe)
    - Drops file in System32 directory
    - Modifies registry class
    PID: 5408
[96] C:\Windows\SysWOW64\Nnhfee32.exe (command line: C:\Windows\system32\Nnhfee32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    PID: 5452
[97] C:\Windows\SysWOW64\Nqfbaq32.exe (command line: C:\Windows\system32\Nqfbaq32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 5512
[98] C:\Windows\SysWOW64\Ndbnboqb.exe (command line: C:\Windows\system32\Ndbnboqb.exe)
    PID: 5556
[99] C:\Windows\SysWOW64\Nklfoi32.exe (command line: C:\Windows\system32\Nklfoi32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID: 5600
[100] C:\Windows\SysWOW64\Nnjbke32.exe (command line: C:\Windows\system32\Nnjbke32.exe)
    - Modifies registry class
    PID: 5640
[101] C:\Windows\SysWOW64\Nqiogp32.exe (command line: C:\Windows\system32\Nqiogp32.exe)
    - Drops file in System32 directory
    PID: 5700
[102] C:\Windows\SysWOW64\Ncgkcl32.exe (command line: C:\Windows\system32\Ncgkcl32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID: 5744
[103] C:\Windows\SysWOW64\Ngcgcjnc.exe (command line: C:\Windows\system32\Ngcgcjnc.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 5788
[104] C:\Windows\SysWOW64\Nkncdifl.exe (command line: C:\Windows\system32\Nkncdifl.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID: 5828
[105] C:\Windows\SysWOW64\Nqklmpdd.exe (command line: C:\Windows\system32\Nqklmpdd.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    PID: 5872
[106] C:\Windows\SysWOW64\Ncihikcg.exe (command line: C:\Windows\system32\Ncihikcg.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    PID: 5912
[107] C:\Windows\SysWOW64\Ngedij32.exe (command line: C:\Windows\system32\Ngedij32.exe)
    - Modifies registry class
    PID: 5960
[108] C:\Windows\SysWOW64\Njcpee32.exe (command line: C:\Windows\system32\Njcpee32.exe)
    - Drops file in System32 directory
    PID: 6000
[109] C:\Windows\SysWOW64\Nnolfdcn.exe (command line: C:\Windows\system32\Nnolfdcn.exe)
    PID: 6048
[110] C:\Windows\SysWOW64\Nqmhbpba.exe (command line: C:\Windows\system32\Nqmhbpba.exe)
    - Modifies registry class
    PID: 6096
[111] C:\Windows\SysWOW64\Ncldnkae.exe (command line: C:\Windows\system32\Ncldnkae.exe)
    - Drops file in System32 directory
    PID: 6136
[112] C:\Windows\SysWOW64\Nggqoj32.exe (command line: C:\Windows\system32\Nggqoj32.exe)
    PID: 5180
[113] C:\Windows\SysWOW64\Nkcmohbg.exe (command line: C:\Windows\system32\Nkcmohbg.exe)
    PID: 5268
[114] C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 400)
    - Program crash
    PID: 5588
-
[1] C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5268 -ip 5268)
    PID: 5440
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 94KB
MD5: f9ebc8794b5af5f8b7161a197beea588
SHA1: 2fb1724a69b824576bfd88bf043fde4213d31387
SHA256: c709fc9a00d8bbcca427e0994710870923890c72a198e4014206d033ad35b30e
SHA512: bd9a706a425c34f0652ecb3eec6a8b6ca9517a46518f467e1e2abe9857088e534a0e475ca7a438042fd9093f8ad35ee9a60b460f7fb5827ad7f92cc79794f1e2
-
Filesize: 94KB
MD5: a11093f4f64e230ce0564a6135a935b0
SHA1: ca79bca70f2c359e1f217599680f9a40e4f8e82a
SHA256: 15359abdb35fb40ff6b2957199d8a56bf60b9181cf9ebe38a627330ba4185c37
SHA512: 898ab1d66dfe39942246261e63df9cbe3effb0e3c05a13d43e7b555486d2c5cf5ada1793ff3ed552514e63df632bb8d0e0db62e9d4b88983426964b06c1bdadf
-
Filesize: 94KB
MD5: 103efddd01ea610bc23a4aa58c3be384
SHA1: 43d4b9e0ea5aaacb715bfeb642cb9419b18267bb
SHA256: dc8474ee23e88bbb1d3284532746185f3c9e67babe5aa1c5ecf6658787c0c14b
SHA512: 6cdf7617cd87acb5601fde16fb228034bf4c20d6cf8fc962ad871ec893a80c95123e3be1872950977b123e4bc7f8b74db32a4873f69c75261eea9e932adff5e6
-
Filesize: 94KB
MD5: ef224a9b87cd5309807fc7f655383c4e
SHA1: 71ac17005d4da7ccc8a0ff47fb04506c52c11641
SHA256: 2ad36db7eecbe5b31f6965b45023ec1c8df9e3b1e9ce16cf0112e2639f2a506a
SHA512: ec8f513a20428dac28da1fab62a623ff597f460ac3ec0446bc9216f7626883e5a673b7eb95750258939c9627cc1bbd226d82075d2dc26c464411dcdf18bae333
-
Filesize: 94KB
MD5: 29b542a9371a828a2962e71e0d007764
SHA1: 000f9e5f7fa4c5a41ff7a5ddc6a9db235b8f5498
SHA256: ef8ff1c9503e51f7e65b66584afe35751bde21ef86dac0dfa5981169e714cd17
SHA512: afcdfea994b9de2168a4d63246fb8f785dedec78083f537941b27b286101224b71b57c11d1c1870c3b27b332fa7c7b43670c6c4e6d3ea39bd3bb84f4776e2d4e
-
Filesize: 94KB
MD5: a71e6e3d966d5ea6d2b37ad580ff9709
SHA1: 35af853ee936c7f7b2dd52956171b9c10a3031b3
SHA256: 0b2ed1699838ac5efffd73e1278ac915f1fb5f9c8c3fc354bbd2fba0fea64a5d
SHA512: b72440a878fa66542f5ac5b346f8a575e735d3927397fd0c0dd21823024d3718ae5aec420beb30c3541e15d3cc92678d532ace359ddefeca1e5d92dad8c3bdb7
-
Filesize: 94KB
MD5: 1c879ee8d5d0ae7e76e17779c6697ab1
SHA1: 5eedcf2c206a84eb519506121a4ad8dab0af5c5b
SHA256: 9b15b4648735d6449c1bf5b4361d704aa4c95ac928e93cf0a9a43f6a4ede41cd
SHA512: 672f737250b4aef7533e24772154d746f856e8b5b08a6d3c35a7804f6f962b8437bac2e72a6745d34211abc92c880d4f162a78895c12326ac37bc4dd19beabd7
-
Filesize: 94KB
MD5: e5c88eb90b95302b92841813be8bbcdf
SHA1: 9e438fdf5ce7e80e2ff212c03ce270d74f4fbd60
SHA256: 4abe53b1e4b10f2de064fc61f4cc2e1963baaa1a9b7d02de28bff2c7a128351b
SHA512: d0bfe8182cd954b00fe85e13d8c8625714b01e23bcfb7af9d08fef577457e493d3f25e274de40b73bfda127d94e256f844de03f580dfec2b8e028fc899eda140
-
Filesize: 94KB
MD5: 6a3f44499ecb2b1a24db56867ec6b600
SHA1: a9966f529b418e50330d157adfa5ffd3a1ffd00c
SHA256: 2250e595d4e58e052fc64a0e56ea42818906badb80f9cd5f2549a0ee68061e1f
SHA512: 2aac320a9aa45f232a42719e08bd5b17fc6ac003d05aa58032e4f0e09b5a8bea2e394717046e79b8f31cf0ef6f4deb3e322a8cb9cdc382ece241a5a848f81c7f
-
Filesize: 94KB
MD5: 8723e7813e44bce79fbc107dc128950b
SHA1: 98cbb75dd543dad1fb75c1b4a1a791d36ec97848
SHA256: adfd274648719824de0ebfa613d067dcdd061d177ab85a3dd68426f49a906ff8
SHA512: 4944d790111f74d39e071a617817849b23ac8b2fba7dea799308ddb7249b8aa8904ed5dd2cbfc512ea31bb0898bfe3b362fed35fe82d46e8352ed0b288e6bd4c
-
Filesize: 94KB
MD5: e6ac7781dc2d271a608462946fe6ef34
SHA1: 341e1778ea7d1412d161d57003bb121fbfe4258f
SHA256: 492e4b52af0da76617f93c9b973393f2bf72dd94deeba901b5a393826648d48a
SHA512: a2656ab6e76d935a207d0b6edf5df055144ae9677e1f231fff23d4f3de7016f4800453b8f1d401fa266d6db65fc3117cc28c6f929eca7b74e55c881208615c9e
-
Filesize: 94KB
MD5: ecc39adef8b98acf404c901a6ca75436
SHA1: d632e95ad26dfe76b02f10f9438c1e916b08e106
SHA256: bbf2a907e323dbe962c38355f8ac3061a96da91e66f6a8d07aa000a0459b01ea
SHA512: 5724c3a13bd7e8e7bda00483dc98adb45ccb9df5e51ce786d83a09296314f8eaa7870aa7a7a36f2061f30d01b89f175637419c146277b3f2a442c5914caedd57
-
Filesize: 94KB
MD5: 0637844c152430033b88f82251a9a007
SHA1: 3ef715129380c7e791de5479a87e4222f5823b9c
SHA256: fa10a4eab32ed54784e9d96261fea3e507a926db1f215ee7eec35d64eaca523d
SHA512: ab02893004536dadee21b538dc88a275aa722d24be6b80ad5ba35e91758a22b2c64f1c4a05d1c9d8777f7825e3291e39e1f8dac7d2b0fa0356a084e48e5cd6f0
-
Filesize: 94KB
MD5: 3348ebec1dc0ec3e215c3095f77c9614
SHA1: 67b65cf975458d3a6641fcbf6eca30590e11aab5
SHA256: 7dcdd26fe8127e44d18f52fbeb3a98ea1b4159d52eee6f8b5513940ba1278ae7
SHA512: b6fe738386cc6641631bf00a0f4e3260646f0b06b5ae802bf5868aa0219ac487e7d6f6b5ec853bb056f9b355d8658b5b6778623462c82c4fefabfd44f1b2e542
-
Filesize: 94KB
MD5: 5839e684d3b70dafeb8cd576b1989af2
SHA1: 50c6769de97f782fb85dc1ab83073b3ca560cd0c
SHA256: 91100ae6df447edbc41ff78cad394a1b8c38e14c1567c9c9174d34a78fea0094
SHA512: fcf3a5e1fec0f4a87865ca08dc59c4bb1ebd9b3803f88bdc58882a1d4f8c010b45b550a3d4b9a04eef047c3ed58e1529b21dfad374327d3d8c1bb54ea3373c87
-
Filesize: 94KB
MD5: 2f53ff6fb886505c4e7f7e85d3875873
SHA1: 4e88a74aff2e8a078a231c2f37edcad8f0fb2829
SHA256: 923036369258ab893add68b51f276aeedef5dc966640be651093186bdb9e70f2
SHA512: 0e80bd58e9f704e2b245976ae101b8d0cc239ec9cdc10b997575619b4f8ae4f662bb7d30821156b24ab377fe4819626ae73607dfe97d5c400f136578fbf033a6
-
Filesize: 94KB
MD5: 953da8e77467ce144c29092427535562
SHA1: 82c8cb6022fe14c71c3870fed546df0b72b61698
SHA256: c578bbb35d06e23101d2cab480017accc28d0c8a6ddcb46cffd35af6f544a3b2
SHA512: b364971abd341eb6ef1a948e52b089a863fe19a36a208b257f575bc0c1a78d0fc4cebf3a236cf489471bc48cd0a202b84193283c2dc294a8781b7df0625a82cc
-
Filesize: 94KB
MD5: d005b5f06395b00a9162ba861ec3fe22
SHA1: e93e4a3c9dbef601de06a4f3a74e13cf119bc633
SHA256: 6f5d699e1cf15735adf61fc46176f14ce7193854257170d270dfcfa178cbe232
SHA512: e6e5115a08a97f581c35367a942b6bba3305e8b89d1d1eb8f5bce915293606c2bcf1e9156bec2aed79c130fa3fc12e062f71f4055f6c6579e3c836a19abafd21
-
Filesize: 94KB
MD5: 2fbd1e677c4a049a28caed98cd55d6c5
SHA1: 75eec4e655f3434ea98eb2a9f018575e824542bf
SHA256: 8f5524819fbcf4d22209c73771e1989cb4987b9630a32c342a6a97e00a8750fa
SHA512: b31819d838cbf927f4afe05025a4ffebae61d4f3e66097d7afb0e55fd508b928ecb1df5f3e6339db1937f3e33c4fae8dc9c6b3c5e162fbbdd0cf165e877a6a85
-
Filesize: 94KB
MD5: 0ac31f68a946ffdf489b8ccf95fc349a
SHA1: 6984fe8ce92f677f9141d823746323a3547d3f55
SHA256: 942e3075a9e8942da24b6ac7d8f69f1cc734b21390e09cd157a986e75eb79dca
SHA512: 177a27dd09c11079ac3050e67a1b23005a89c3e3c91502c7055730667f8f3a6b8824eeecab615149286f6e9d5447db23cd22badf980b57668e25a8735da87890
-
Filesize: 94KB
MD5: bb8bd409673a7c9f89a27fa40bc09edd
SHA1: 9ef7a4549a31934ef36614c3d38d4b28f80eda50
SHA256: 29803ea31efc58f04ef1a89c5c58a96693f4e8b2e5ceb580efd6989445ff698c
SHA512: 574fff3b85775d41daba73cdf5e8d1c83b34c329dd20b8c22f24d9fe7dc594fb887818476dbc38a193f7fb8af6f85700538aaa1a66fc4765ca0c0838475225b8
-
Filesize: 94KB
MD5: 473465fddb54707e37a25eb535b4d8af
SHA1: 5169ce8a24541641438c9600e303a732bb32e630
SHA256: a2a8d2214428a94181b1ea5e63b64ddbe7467a253932998eb149444ceabe1a2f
SHA512: 075eb30c0ebb34eb12326aa1351abd51295bd47e849336f464fa786488bcc8b946619e54ab6ff9b97a4cabd7dc1eaf2eea53c91344092cc0603a5cc921aa758a
-
Filesize: 94KB
MD5: 1bc4c9d019c93369caf5d37b7bac7724
SHA1: e79a5fa31f2c9c031fd821543ea9be348627a636
SHA256: 19b96bf0c8a022e93c4cbc2489700f66c489d47a5f01b4e53cb5d9a4ea066401
SHA512: 4afb795f860c777da784482dfb8356941c43cdfbac4eebd23a50e870a39278858727e62a15351d8443f90506ad72d4656be625c249961bb31dae1d4bd00d4e55
-
Filesize: 94KB
MD5: c5d5816eb79b7f4f2066610064b5ca63
SHA1: 76a4099b38ad05a84399e386652c4d0412eb3484
SHA256: 17dc3597612359138048784456e5d2c0f51dcb21cb4041411e5b9ad11eadf6f0
SHA512: 00870a6ca8f783e84cfe7d4055f7301ff1178bbe2dc2025ae50d559500b90a883158a9bee3149a10dd4c4f27a44b8164d36ae72f2ccc6ae9654f0ec0ad6f22fb
-
Filesize: 94KB
MD5: 3dc3069fdf6311cff265bc459da0e2c7
SHA1: ae65a7bb0a58272b089817455cc38c20af240e51
SHA256: 42c55ff695500ece28c51f58a1a6b016064adca89f552818df5da9ac76d4fdf0
SHA512: 438f8822d240e3a10700ead1b3bbde596e87281c3cdf7c73fa371e50f0a06598496d03ac6a0da01497d9e7a5f10abe9edc833e40b7a83f71d825d5f63c347734
-
Filesize: 94KB
MD5: 31b0e96aef7f7ef97f5fc95bf46b348f
SHA1: 5afcda03e8fd1dec74cb62edb4960e8df34901e6
SHA256: 9cc640ee810718b58651f59316fc55221e9f894b80aa8b098b119dc2155e94eb
SHA512: 12173bc1ccb2813c7c8301d8edef8cc513b682a2dc93f29e47e07ea6a418f9bce25ac7c2a353419d40fc8eeb66d4b65872fa57690696ac7c80f74c6f369d389b
-
Filesize: 94KB
MD5: 64083f39ca1cc4e7317287c15010799c
SHA1: cd566c4f49c9a91214f50c8515a72eeb9b808bb9
SHA256: 9a7635fb1f91851b8fbb0ef3d7b160a3ecc809db1104935658018bc7107abac1
SHA512: d74495fe919c79a503301cbd7fdda258068a1cddaa480a7e80ed10e863cd5000202199a989a99c5e74334f733ad75f187e2a68f3750279b952ea6eff89c1fd53
-
Filesize: 94KB
MD5: b4ad6b47a9c8a1e7f2f55b737aaf1e8c
SHA1: 9daf4b888f6adf2448bb13568804d6e54c7d56ed
SHA256: 305b2f3bf2212f811d0e6331d563a2d0e9620afed5b68c82590ada02b1670381
SHA512: 0e051f23d77574297ff29683ac5b366d4f25ed0e285d59e02774b15db6e5d420acc55481dcf067455cf7d5d8c67300c637cf2d4505e82052b02d61cb672395f4
-
Filesize: 94KB
MD5: ca87e3e9d9d622974e11e3a3bb514b4f
SHA1: 629240aac70ccff301ede9802294e489a901e29d
SHA256: f39aa18dd0e20a737c975c4d657752a4dca5c722eed6b4f13cfac39e8eb26fb4
SHA512: ba3a8e8cf476c28ee5b9cd066f307e489a6ec66b624ac5e333c87ea4f7cc2ed829c0e89d7f593f03d786f69add3a37da51ec05c1e3eb6e23fcc740c00bd57ea3
-
Filesize: 94KB
MD5: 47bb76d20e2acd299a6ce2fc5f366cec
SHA1: 4b2ab4de9b4224087ff466efff017ec485b5e3f2
SHA256: 94bdf805bba01e74f8afd315d3d6e9cd0d286a48ccac5bb5a871f8808b01d757
SHA512: 0f1d74a16c0f5b8e094cd70c0c2550672d09ebe5b184c70ba1779bacd2bf2513617ac03d9409a4ba9ca5512e331f7ecc48c0880631e7d02dd116e540e843e705
-
Filesize: 94KB
MD5: 2ff123abaa9f8322e48e16bb75a1651e
SHA1: 35e1d4ea912784e6ef6dad2aa095d93c600748a2
SHA256: 376433a35f8d8a2ed2ca6ef63317b93cc724bc5e3df63edc6fa71df670cd66a1
SHA512: 5405993c39e0d749ab59d8479b87a1695fc12c2b7563c9488cb2d70cdda34d9c9c46f3200e3b834529fa4bdcf99872830063ea347fbf28b9c10cec635fc5676a
-
Filesize: 94KB
MD5: 00e33d8b78f052c26b266079aa97601b
SHA1: ebc05f8354330ed239700baed2485d596c0dc87b
SHA256: 1d30c46fba5285aef05a928f5a7cc968e4895928f4c9ad8374becf4eae91ced1
SHA512: be8fcd97acdb88434856985cde836943a96a3a5b269bb594e82dd457b1894c02fd5e43cd6e947b6813bc111d3931ad3d1bad70693462eb2597e35e2d9d2d0f37
-
Filesize: 94KB
MD5: 344da5a600d05221cdd75373a82b3a96
SHA1: 198420b66a95596df5503e81f2e2dd9b15ee9b83
SHA256: 1aed6fb3d12b8e1bce681201704ccb4850ee50314b8c8f20e93b377d53271b5c
SHA512: c77d0ac4b3c00cdb7c293962f2a1d637aecc47bc4c0e940981afcbfda26885eaae922acf72f904b1b1ed541c32ba46a758cb322e6941fb870e760e1dbc5151a7
-
Filesize: 94KB
MD5: fdf18a10ed6d4e4a242596d92963a63a
SHA1: 416e2c1d6ff9c7f210c897c67d69447ab8e3a9b8
SHA256: 6d7ee86707dc3b5164203eed411fada26b78802c4cd429e30a442de20bd3436e
SHA512: 2f11378abdfc3d72ecd16b1ee816950efd23ce18c513b89e1e87bf71238e297a3a151197bf65546880ee72d37831f83d70d90f3fbd15ab0caf48e4afdc78e8ca
-
Filesize: 94KB
MD5: d1cf9534323c84657f6ab99b03b6a05f
SHA1: c66a35089a7573174ae3278a53d462577c0adf03
SHA256: e3ae7c60e11c523756687659ac8ea4413aaaef963711e972c8b7fff0154fb85a
SHA512: e0aece85c9b536f9371607fad69044c54581b9a2c6df83b5d8803cc4efa3a40ce9e3cde0bddf69d1275dd41dfd50a3b35490e9f1eacdb8e92582c6586dfc937d
-
Filesize: 64KB
MD5: 3628ce8caf8c2c5fccb12000b6c3ae81
SHA1: deef35492b6bc5da0b1cdecdfad3fd80a5eca9e4
SHA256: 2a85d1537e93c4a80cfcdab13d67cb348c4eb33547b7c6a92eaeb5949424f0aa
SHA512: 2c20093a96bf701a3954352dfd8bb1f2d073fe14e97d0682e74a2b90b7c8c7e8fa05c033d00eed941c9a1759b270f5f2348a0d900a39e2b5e9557b1411b5fe4d
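To use the list above as a blocklist, the digests first have to be pulled out of this layout. The following Python is an added example, not part of the report and not the sample's own code: parse_downloads() reads entries in either the fused form the extraction produced (MD5f9eb…) or a "Label: value" form, sweep_files() matches in-memory candidates by listed size first and digest second so the whole thing runs offline, and sweep_dir() is the on-disk wrapper a responder would point at C:\Windows\SysWOW64. The embedded sample is a constructed excerpt of the first two entries; the assumption that the report rounds sizes to whole kilobytes (hence the 1 KB slack) is mine.

```python
"""Parse the report's Downloads hash list into an IOC set and sweep files against it."""
import hashlib
import os
import re

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Longest label first so "SHA512..." is never read as "SHA1" + "2...".
HASH_RE = re.compile(r"\b(SHA512|SHA256|SHA1|MD5)\s*:?\s*([0-9a-fA-F]+)")
SIZE_RE = re.compile(r"Filesize\s*:?\s*(\d+)\s*KB")

# Constructed excerpt: the first two Downloads entries from the report, the first
# in the fused label form, the second in "Label: value" form.
SAMPLE_DOWNLOADS = """
-
Filesize
94KB
MD5f9ebc8794b5af5f8b7161a197beea588
SHA12fb1724a69b824576bfd88bf043fde4213d31387
SHA256c709fc9a00d8bbcca427e0994710870923890c72a198e4014206d033ad35b30e
-
Filesize: 94KB
MD5: a11093f4f64e230ce0564a6135a935b0
SHA1: ca79bca70f2c359e1f217599680f9a40e4f8e82a
SHA256: 15359abdb35fb40ff6b2957199d8a56bf60b9181cf9ebe38a627330ba4185c37
"""


def parse_downloads(text):
    """One dict per '-'-separated entry: size_kb plus whichever digests are listed."""
    entries = []
    for block in re.split(r"^\s*-\s*$", text, flags=re.M):
        size = SIZE_RE.search(block)
        if not size:
            continue  # preamble or an empty separator
        entry = {"size_kb": int(size.group(1))}
        for algo, digest in HASH_RE.findall(block):
            algo = algo.lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has {len(digest)} hex chars in {block!r}")
            entry[algo] = digest.lower()
        entries.append(entry)
    return entries


def hashes_of(data):
    """md5/sha1/sha256 of a byte string (md5 may be unavailable on FIPS-mode hosts)."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def sweep_files(files, entries, size_slack_kb=1):
    """files: {path: bytes}. Returns [(path, algo, digest)] for every digest hit.

    Size is a cheap prefilter: the report lists whole-KB sizes (assumed rounded),
    so anything within size_slack_kb of a listed size is hashed and compared.
    """
    by_digest = {}
    sizes = set()
    for e in entries:
        sizes.add(e["size_kb"])
        for algo in ("sha256", "sha1", "md5"):
            if algo in e:
                by_digest[(algo, e[algo])] = e
    hits = []
    for path, data in files.items():
        size_kb = len(data) / 1024
        if not any(abs(size_kb - s) <= size_slack_kb for s in sizes):
            continue
        for algo, digest in hashes_of(data).items():
            if (algo, digest) in by_digest:
                hits.append((path, algo, digest))
    return hits


def sweep_dir(directory, entries, max_bytes=8 * 1024 * 1024):
    """On-disk wrapper: read every regular file under directory (up to max_bytes) and sweep."""
    files = {}
    for root, _, names in os.walk(directory):
        for name in names:
            path = os.path.join(root, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    files[path] = fh.read()
            except OSError:
                continue  # locked or unreadable; a responder would log the path
    return sweep_files(files, entries)


if __name__ == "__main__":
    for e in parse_downloads(SAMPLE_DOWNLOADS):
        print(e["size_kb"], "KB", e.get("sha256"))
```

Feed the whole Downloads section to parse_downloads() to get all 62 entries; the SHA-512 values are kept as well if present, but only md5/sha1/sha256 are computed for candidates since that is enough to confirm a match.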