Analysis
max time kernel: 137s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 06:57
Behavioral task: behavioral1
Sample: 7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe
Size: 1024KB
MD5: 7bd907430f7c2044924fbf7b41c74cd0
SHA1: 5fc9407d3955b2ea56a4bfedf0c078e2d4e3cd03
SHA256: b4d8eb2ced45ca0689534ce646f9740eacd97acf6dc1ee778377a98f6ca4c7f0
SHA512: ec6a4f67fb9783e7d7d24afb73f5a3cdf7fd7ade59d7266d2d6b112049cac966cb4597df8f49e12b76d8f2886ff4a4ed1f20f18c13f303bd58516e174c2ec6bf
SSDEEP: 24576:/taSHFaZRBEYyqmaf2qwiHPKgRC4gvGZl6snARe:1aSHFaZRBEYyqmS2DiHPKQgmN
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnepih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lcdegnep.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lknjmkdo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Majopeii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mnfipekh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgnnhk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Imdnklfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdaldd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkbchk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mpaifalo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcbahlip.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncihikcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jdemhe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljnnch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nceonl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnjbke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngcgcjnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njacpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmccchkn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkepnjng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjcgohig.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnapdf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpdelajl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nqiogp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbapjafe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkpgck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgidml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgnnhk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqiogp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfaloa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpappc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mciobn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcklgm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcbahlip.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imihfl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkgdml32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpmfddnf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpappc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lgneampk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mncmjfmk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmkdlkph.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdemhe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkpnlm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Laciofpa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laalifad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngpjnkpf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngedij32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdaldd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdiklqhm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mncmjfmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdmegp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnhfee32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngpjnkpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncgkcl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmegbjgn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcifkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mciobn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njljefql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngedij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifjfnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmegbjgn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcmofolg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lddbqa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdmegp32.exe
Malware Dropper & Backdoor - Berbew (32 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
C:\Windows\SysWOW64\Ifjfnb32.exe | family_berbew
C:\Windows\SysWOW64\Imdnklfp.exe | family_berbew
C:\Windows\SysWOW64\Imihfl32.exe | family_berbew
C:\Windows\SysWOW64\Jfaloa32.exe | family_berbew
C:\Windows\SysWOW64\Jmkdlkph.exe | family_berbew
C:\Windows\SysWOW64\Jdemhe32.exe | family_berbew
C:\Windows\SysWOW64\Jbocea32.exe | family_berbew
C:\Windows\SysWOW64\Kmegbjgn.exe | family_berbew
C:\Windows\SysWOW64\Kbapjafe.exe | family_berbew
C:\Windows\SysWOW64\Kdaldd32.exe | family_berbew
C:\Windows\SysWOW64\Kcifkp32.exe | family_berbew
C:\Windows\SysWOW64\Kkpnlm32.exe | family_berbew
C:\Windows\SysWOW64\Kgfoan32.exe | family_berbew
C:\Windows\SysWOW64\Kkbkamnl.exe | family_berbew
C:\Windows\SysWOW64\Lgkhlnbn.exe | family_berbew
C:\Windows\SysWOW64\Lnepih32.exe | family_berbew
C:\Windows\SysWOW64\Laalifad.exe | family_berbew
C:\Windows\SysWOW64\Lkiqbl32.exe | family_berbew
C:\Windows\SysWOW64\Ldaeka32.exe | family_berbew
C:\Windows\SysWOW64\Ljnnch32.exe | family_berbew
C:\Windows\SysWOW64\Lgpagm32.exe | family_berbew
C:\Windows\SysWOW64\Lcdegnep.exe | family_berbew
C:\Windows\SysWOW64\Laciofpa.exe | family_berbew
C:\Windows\SysWOW64\Lnhmng32.exe | family_berbew
C:\Windows\SysWOW64\Lgneampk.exe | family_berbew
C:\Windows\SysWOW64\Lkgdml32.exe | family_berbew
C:\Windows\SysWOW64\Ldmlpbbj.exe | family_berbew
C:\Windows\SysWOW64\Lpappc32.exe | family_berbew
C:\Windows\SysWOW64\Lmccchkn.exe | family_berbew
C:\Windows\SysWOW64\Lcmofolg.exe | family_berbew
C:\Windows\SysWOW64\Lalcng32.exe | family_berbew
C:\Windows\SysWOW64\Kpmfddnf.exe | family_berbew
Executes dropped EXE (64 IoCs)
pid | process
2484 | Ifjfnb32.exe
4484 | Imdnklfp.exe
2324 | Imihfl32.exe
3100 | Jfaloa32.exe
3264 | Jmkdlkph.exe
1716 | Jdemhe32.exe
344 | Jbocea32.exe
700 | Kmegbjgn.exe
1616 | Kbapjafe.exe
3312 | Kdaldd32.exe
4900 | Kcifkp32.exe
3524 | Kkpnlm32.exe
5104 | Kpmfddnf.exe
4860 | Kgfoan32.exe
1064 | Kkbkamnl.exe
5096 | Lalcng32.exe
2000 | Lcmofolg.exe
4488 | Lmccchkn.exe
1588 | Lpappc32.exe
1692 | Ldmlpbbj.exe
4168 | Lgkhlnbn.exe
3612 | Lkgdml32.exe
2716 | Lnepih32.exe
2032 | Laalifad.exe
5048 | Lgneampk.exe
1852 | Lkiqbl32.exe
4980 | Lnhmng32.exe
1292 | Laciofpa.exe
2416 | Ldaeka32.exe
2800 | Lcdegnep.exe
2360 | Lgpagm32.exe
2600 | Ljnnch32.exe
1408 | Lnjjdgee.exe
1256 | Laefdf32.exe
4108 | Lddbqa32.exe
3772 | Lcgblncm.exe
3120 | Lknjmkdo.exe
1600 | Mjqjih32.exe
4400 | Mahbje32.exe
4480 | Mdfofakp.exe
1912 | Mciobn32.exe
4028 | Mkpgck32.exe
1260 | Mjcgohig.exe
4776 | Majopeii.exe
4072 | Mdiklqhm.exe
2700 | Mcklgm32.exe
4568 | Mkbchk32.exe
1488 | Mnapdf32.exe
4288 | Mamleegg.exe
4408 | Mdkhapfj.exe
3640 | Mgidml32.exe
3096 | Mkepnjng.exe
4048 | Mncmjfmk.exe
4592 | Mpaifalo.exe
1280 | Mdmegp32.exe
2284 | Mglack32.exe
1264 | Mjjmog32.exe
4920 | Mnfipekh.exe
3928 | Mpdelajl.exe
1284 | Mcbahlip.exe
5028 | Mgnnhk32.exe
1964 | Njljefql.exe
3040 | Nnhfee32.exe
4208 | Nqfbaq32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\Lmccchkn.exe | Lcmofolg.exe
File created | C:\Windows\SysWOW64\Dnapla32.dll | Lkiqbl32.exe
File opened for modification | C:\Windows\SysWOW64\Mpaifalo.exe | Mncmjfmk.exe
File created | C:\Windows\SysWOW64\Mdmegp32.exe | Mpaifalo.exe
File opened for modification | C:\Windows\SysWOW64\Ngpjnkpf.exe | Nceonl32.exe
File created | C:\Windows\SysWOW64\Njacpf32.exe | Ngcgcjnc.exe
File opened for modification | C:\Windows\SysWOW64\Kgfoan32.exe | Kpmfddnf.exe
File created | C:\Windows\SysWOW64\Lcdegnep.exe | Ldaeka32.exe
File created | C:\Windows\SysWOW64\Gqffnmfa.dll | Mcklgm32.exe
File opened for modification | C:\Windows\SysWOW64\Mncmjfmk.exe | Mkepnjng.exe
File created | C:\Windows\SysWOW64\Nqfbaq32.exe | Nnhfee32.exe
File opened for modification | C:\Windows\SysWOW64\Njacpf32.exe | Ngcgcjnc.exe
File created | C:\Windows\SysWOW64\Mpaifalo.exe | Mncmjfmk.exe
File created | C:\Windows\SysWOW64\Gbbkdl32.dll | Mnfipekh.exe
File created | C:\Windows\SysWOW64\Lfcbokki.dll | Ngpjnkpf.exe
File opened for modification | C:\Windows\SysWOW64\Ndidbn32.exe | Nbkhfc32.exe
File opened for modification | C:\Windows\SysWOW64\Mjqjih32.exe | Lknjmkdo.exe
File created | C:\Windows\SysWOW64\Lppbjjia.dll | Lknjmkdo.exe
File created | C:\Windows\SysWOW64\Lmbnpm32.dll | Ngcgcjnc.exe
File opened for modification | C:\Windows\SysWOW64\Mjcgohig.exe | Mkpgck32.exe
File created | C:\Windows\SysWOW64\Kkpnlm32.exe | Kcifkp32.exe
File created | C:\Windows\SysWOW64\Lpappc32.exe | Lmccchkn.exe
File opened for modification | C:\Windows\SysWOW64\Laalifad.exe | Lnepih32.exe
File opened for modification | C:\Windows\SysWOW64\Lcgblncm.exe | Lddbqa32.exe
File created | C:\Windows\SysWOW64\Gcdihi32.dll | Kgfoan32.exe
File created | C:\Windows\SysWOW64\Jnngob32.dll | Lcgblncm.exe
File created | C:\Windows\SysWOW64\Geegicjl.dll | Mglack32.exe
File created | C:\Windows\SysWOW64\Ibhblqpo.dll | Mjqjih32.exe
File created | C:\Windows\SysWOW64\Qcldhk32.dll | Mgidml32.exe
File opened for modification | C:\Windows\SysWOW64\Ncgkcl32.exe | Nqiogp32.exe
File created | C:\Windows\SysWOW64\Nnmopdep.exe | Njacpf32.exe
File opened for modification | C:\Windows\SysWOW64\Ifjfnb32.exe | 7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\Ljnnch32.exe | Lgpagm32.exe
File opened for modification | C:\Windows\SysWOW64\Mciobn32.exe | Mdfofakp.exe
File opened for modification | C:\Windows\SysWOW64\Mdiklqhm.exe | Majopeii.exe
File opened for modification | C:\Windows\SysWOW64\Lkgdml32.exe | Lgkhlnbn.exe
File opened for modification | C:\Windows\SysWOW64\Mamleegg.exe | Mnapdf32.exe
File created | C:\Windows\SysWOW64\Hlmobp32.dll | Njljefql.exe
File created | C:\Windows\SysWOW64\Lelgbkio.dll | Mpdelajl.exe
File created | C:\Windows\SysWOW64\Ciiqgjgg.dll | Mkepnjng.exe
File created | C:\Windows\SysWOW64\Ngpjnkpf.exe | Nceonl32.exe
File opened for modification | C:\Windows\SysWOW64\Ncihikcg.exe | Nqklmpdd.exe
File created | C:\Windows\SysWOW64\Paadnmaq.dll | Ncihikcg.exe
File opened for modification | C:\Windows\SysWOW64\Jbocea32.exe | Jdemhe32.exe
File created | C:\Windows\SysWOW64\Gmlgol32.dll | Jdemhe32.exe
File opened for modification | C:\Windows\SysWOW64\Kkpnlm32.exe | Kcifkp32.exe
File created | C:\Windows\SysWOW64\Lddbqa32.exe | Laefdf32.exe
File created | C:\Windows\SysWOW64\Mciobn32.exe | Mdfofakp.exe
File opened for modification | C:\Windows\SysWOW64\Mkbchk32.exe | Mcklgm32.exe
File created | C:\Windows\SysWOW64\Ljfemn32.dll | Nnmopdep.exe
File created | C:\Windows\SysWOW64\Kbapjafe.exe | Kmegbjgn.exe
File created | C:\Windows\SysWOW64\Kpmfddnf.exe | Kkpnlm32.exe
File opened for modification | C:\Windows\SysWOW64\Laefdf32.exe | Lnjjdgee.exe
File opened for modification | C:\Windows\SysWOW64\Lknjmkdo.exe | Lcgblncm.exe
File opened for modification | C:\Windows\SysWOW64\Mahbje32.exe | Mjqjih32.exe
File created | C:\Windows\SysWOW64\Njljefql.exe | Mgnnhk32.exe
File created | C:\Windows\SysWOW64\Laciofpa.exe | Lnhmng32.exe
File created | C:\Windows\SysWOW64\Njcqqgjb.dll | Mamleegg.exe
File created | C:\Windows\SysWOW64\Mdemcacc.dll | Lnepih32.exe
File created | C:\Windows\SysWOW64\Lnohlokp.dll | Mjcgohig.exe
File opened for modification | C:\Windows\SysWOW64\Mdmegp32.exe | Mpaifalo.exe
File opened for modification | C:\Windows\SysWOW64\Njljefql.exe | Mgnnhk32.exe
File opened for modification | C:\Windows\SysWOW64\Imdnklfp.exe | Ifjfnb32.exe
File created | C:\Windows\SysWOW64\Aajjaf32.dll | Imihfl32.exe
Program crash (1 IoCs)
pid | pid_target | process
5468 | 5380 | WerFault.exe
Modifies registry class (64 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Laalifad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mpaifalo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nceonl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll" | Ncihikcg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jfaloa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jdemhe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kpmfddnf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kkbkamnl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lkgdml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nnjbke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Imdnklfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll" | Ldaeka32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lddbqa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mcbahlip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnjbke32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mamleegg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ncldnkae.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lcmofolg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll" | Laalifad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lgneampk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mahbje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll" | Mciobn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mciobn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mnapdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nqfbaq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ncihikcg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ifjfnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kkpnlm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ldaeka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mahbje32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Majopeii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll" | Lpappc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mkbchk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kmegbjgn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll" | Laciofpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll" | Jfaloa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kpmfddnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll" | Kpmfddnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lpappc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lnhmng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ldmlpbbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll" | Ljnnch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll" | Mgnnhk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lpappc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll" | Laefdf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjjmog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mnfipekh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jbocea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll" | Ldmlpbbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll" | Lknjmkdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll" | Mkepnjng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mnfipekh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Njcpee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll" | Lgpagm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lnjjdgee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Laefdf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mkepnjng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ngedij32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ndidbn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Imihfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll" | Kgfoan32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mdiklqhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll" | Ncgkcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll" | Njacpf32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | target process
PID 2328 wrote to memory of 2484 | 2328 | 7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe | Ifjfnb32.exe
PID 2328 wrote to memory of 2484 | 2328 | 7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe | Ifjfnb32.exe
PID 2328 wrote to memory of 2484 | 2328 | 7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe | Ifjfnb32.exe
PID 2484 wrote to memory of 4484 | 2484 | Ifjfnb32.exe | Imdnklfp.exe
PID 2484 wrote to memory of 4484 | 2484 | Ifjfnb32.exe | Imdnklfp.exe
PID 2484 wrote to memory of 4484 | 2484 | Ifjfnb32.exe | Imdnklfp.exe
PID 4484 wrote to memory of 2324 | 4484 | Imdnklfp.exe | Imihfl32.exe
PID 4484 wrote to memory of 2324 | 4484 | Imdnklfp.exe | Imihfl32.exe
PID 4484 wrote to memory of 2324 | 4484 | Imdnklfp.exe | Imihfl32.exe
PID 2324 wrote to memory of 3100 | 2324 | Imihfl32.exe | Jfaloa32.exe
PID 2324 wrote to memory of 3100 | 2324 | Imihfl32.exe | Jfaloa32.exe
PID 2324 wrote to memory of 3100 | 2324 | Imihfl32.exe | Jfaloa32.exe
PID 3100 wrote to memory of 3264 | 3100 | Jfaloa32.exe | Jmkdlkph.exe
PID 3100 wrote to memory of 3264 | 3100 | Jfaloa32.exe | Jmkdlkph.exe
PID 3100 wrote to memory of 3264 | 3100 | Jfaloa32.exe | Jmkdlkph.exe
PID 3264 wrote to memory of 1716 | 3264 | Jmkdlkph.exe | Jdemhe32.exe
PID 3264 wrote to memory of 1716 | 3264 | Jmkdlkph.exe | Jdemhe32.exe
PID 3264 wrote to memory of 1716 | 3264 | Jmkdlkph.exe | Jdemhe32.exe
PID 1716 wrote to memory of 344 | 1716 | Jdemhe32.exe | Jbocea32.exe
PID 1716 wrote to memory of 344 | 1716 | Jdemhe32.exe | Jbocea32.exe
PID 1716 wrote to memory of 344 | 1716 | Jdemhe32.exe | Jbocea32.exe
PID 344 wrote to memory of 700 | 344 | Jbocea32.exe | Kmegbjgn.exe
PID 344 wrote to memory of 700 | 344 | Jbocea32.exe | Kmegbjgn.exe
PID 344 wrote to memory of 700 | 344 | Jbocea32.exe | Kmegbjgn.exe
PID 700 wrote to memory of 1616 | 700 | Kmegbjgn.exe | Kbapjafe.exe
PID 700 wrote to memory of 1616 | 700 | Kmegbjgn.exe | Kbapjafe.exe
PID 700 wrote to memory of 1616 | 700 | Kmegbjgn.exe | Kbapjafe.exe
PID 1616 wrote to memory of 3312 | 1616 | Kbapjafe.exe | Kdaldd32.exe
PID 1616 wrote to memory of 3312 | 1616 | Kbapjafe.exe | Kdaldd32.exe
PID 1616 wrote to memory of 3312 | 1616 | Kbapjafe.exe | Kdaldd32.exe
PID 3312 wrote to memory of 4900 | 3312 | Kdaldd32.exe | Kcifkp32.exe
PID 3312 wrote to memory of 4900 | 3312 | Kdaldd32.exe | Kcifkp32.exe
PID 3312 wrote to memory of 4900 | 3312 | Kdaldd32.exe | Kcifkp32.exe
PID 4900 wrote to memory of 3524 | 4900 | Kcifkp32.exe | Kkpnlm32.exe
PID 4900 wrote to memory of 3524 | 4900 | Kcifkp32.exe | Kkpnlm32.exe
PID 4900 wrote to memory of 3524 | 4900 | Kcifkp32.exe | Kkpnlm32.exe
PID 3524 wrote to memory of 5104 | 3524 | Kkpnlm32.exe | Kpmfddnf.exe
PID 3524 wrote to memory of 5104 | 3524 | Kkpnlm32.exe | Kpmfddnf.exe
PID 3524 wrote to memory of 5104 | 3524 | Kkpnlm32.exe | Kpmfddnf.exe
PID 5104 wrote to memory of 4860 | 5104 | Kpmfddnf.exe | Kgfoan32.exe
PID 5104 wrote to memory of 4860 | 5104 | Kpmfddnf.exe | Kgfoan32.exe
PID 5104 wrote to memory of 4860 | 5104 | Kpmfddnf.exe | Kgfoan32.exe
PID 4860 wrote to memory of 1064 | 4860 | Kgfoan32.exe | Kkbkamnl.exe
PID 4860 wrote to memory of 1064 | 4860 | Kgfoan32.exe | Kkbkamnl.exe
PID 4860 wrote to memory of 1064 | 4860 | Kgfoan32.exe | Kkbkamnl.exe
PID 1064 wrote to memory of 5096 | 1064 | Kkbkamnl.exe | Lalcng32.exe
PID 1064 wrote to memory of 5096 | 1064 | Kkbkamnl.exe | Lalcng32.exe
PID 1064 wrote to memory of 5096 | 1064 | Kkbkamnl.exe | Lalcng32.exe
PID 5096 wrote to memory of 2000 | 5096 | Lalcng32.exe | Lcmofolg.exe
PID 5096 wrote to memory of 2000 | 5096 | Lalcng32.exe | Lcmofolg.exe
PID 5096 wrote to memory of 2000 | 5096 | Lalcng32.exe | Lcmofolg.exe
PID 2000 wrote to memory of 4488 | 2000 | Lcmofolg.exe | Lmccchkn.exe
PID 2000 wrote to memory of 4488 | 2000 | Lcmofolg.exe | Lmccchkn.exe
PID 2000 wrote to memory of 4488 | 2000 | Lcmofolg.exe | Lmccchkn.exe
PID 4488 wrote to memory of 1588 | 4488 | Lmccchkn.exe | Lpappc32.exe
PID 4488 wrote to memory of 1588 | 4488
Lmccchkn.exe Lpappc32.exe PID 4488 wrote to memory of 1588 4488 Lmccchkn.exe Lpappc32.exe PID 1588 wrote to memory of 1692 1588 Lpappc32.exe Ldmlpbbj.exe PID 1588 wrote to memory of 1692 1588 Lpappc32.exe Ldmlpbbj.exe PID 1588 wrote to memory of 1692 1588 Lpappc32.exe Ldmlpbbj.exe PID 1692 wrote to memory of 4168 1692 Ldmlpbbj.exe Lgkhlnbn.exe PID 1692 wrote to memory of 4168 1692 Ldmlpbbj.exe Lgkhlnbn.exe PID 1692 wrote to memory of 4168 1692 Ldmlpbbj.exe Lgkhlnbn.exe PID 4168 wrote to memory of 3612 4168 Lgkhlnbn.exe Lkgdml32.exe
Processes
-
[depth 1] Image: C:\Users\Admin\AppData\Local\Temp\7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe; Command line: "C:\Users\Admin\AppData\Local\Temp\7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe"; PID: 2328
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[depth 2] Image: C:\Windows\SysWOW64\Ifjfnb32.exe; Command line: C:\Windows\system32\Ifjfnb32.exe; PID: 2484
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 3] Image: C:\Windows\SysWOW64\Imdnklfp.exe; Command line: C:\Windows\system32\Imdnklfp.exe; PID: 4484
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 4] Image: C:\Windows\SysWOW64\Imihfl32.exe; Command line: C:\Windows\system32\Imihfl32.exe; PID: 2324
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 5] Image: C:\Windows\SysWOW64\Jfaloa32.exe; Command line: C:\Windows\system32\Jfaloa32.exe; PID: 3100
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 6] Image: C:\Windows\SysWOW64\Jmkdlkph.exe; Command line: C:\Windows\system32\Jmkdlkph.exe; PID: 3264
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 7] Image: C:\Windows\SysWOW64\Jdemhe32.exe; Command line: C:\Windows\system32\Jdemhe32.exe; PID: 1716
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 8] Image: C:\Windows\SysWOW64\Jbocea32.exe; Command line: C:\Windows\system32\Jbocea32.exe; PID: 344
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 9] Image: C:\Windows\SysWOW64\Kmegbjgn.exe; Command line: C:\Windows\system32\Kmegbjgn.exe; PID: 700
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 10] Image: C:\Windows\SysWOW64\Kbapjafe.exe; Command line: C:\Windows\system32\Kbapjafe.exe; PID: 1616
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 11] Image: C:\Windows\SysWOW64\Kdaldd32.exe; Command line: C:\Windows\system32\Kdaldd32.exe; PID: 3312
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 12] Image: C:\Windows\SysWOW64\Kcifkp32.exe; Command line: C:\Windows\system32\Kcifkp32.exe; PID: 4900
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[depth 13] Image: C:\Windows\SysWOW64\Kkpnlm32.exe; Command line: C:\Windows\system32\Kkpnlm32.exe; PID: 3524
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 14] Image: C:\Windows\SysWOW64\Kpmfddnf.exe; Command line: C:\Windows\system32\Kpmfddnf.exe; PID: 5104
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 15] Image: C:\Windows\SysWOW64\Kgfoan32.exe; Command line: C:\Windows\system32\Kgfoan32.exe; PID: 4860
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 16] Image: C:\Windows\SysWOW64\Kkbkamnl.exe; Command line: C:\Windows\system32\Kkbkamnl.exe; PID: 1064
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 17] Image: C:\Windows\SysWOW64\Lalcng32.exe; Command line: C:\Windows\system32\Lalcng32.exe; PID: 5096
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 18] Image: C:\Windows\SysWOW64\Lcmofolg.exe; Command line: C:\Windows\system32\Lcmofolg.exe; PID: 2000
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 19] Image: C:\Windows\SysWOW64\Lmccchkn.exe; Command line: C:\Windows\system32\Lmccchkn.exe; PID: 4488
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[depth 20] Image: C:\Windows\SysWOW64\Lpappc32.exe; Command line: C:\Windows\system32\Lpappc32.exe; PID: 1588
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 21] Image: C:\Windows\SysWOW64\Ldmlpbbj.exe; Command line: C:\Windows\system32\Ldmlpbbj.exe; PID: 1692
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 22] Image: C:\Windows\SysWOW64\Lgkhlnbn.exe; Command line: C:\Windows\system32\Lgkhlnbn.exe; PID: 4168
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[depth 23] Image: C:\Windows\SysWOW64\Lkgdml32.exe; Command line: C:\Windows\system32\Lkgdml32.exe; PID: 3612
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
[depth 24] Image: C:\Windows\SysWOW64\Lnepih32.exe; Command line: C:\Windows\system32\Lnepih32.exe; PID: 2716
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
[depth 25] Image: C:\Windows\SysWOW64\Laalifad.exe; Command line: C:\Windows\system32\Laalifad.exe; PID: 2032
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
[depth 26] Image: C:\Windows\SysWOW64\Lgneampk.exe; Command line: C:\Windows\system32\Lgneampk.exe; PID: 5048
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
[depth 27] Image: C:\Windows\SysWOW64\Lkiqbl32.exe; Command line: C:\Windows\system32\Lkiqbl32.exe; PID: 1852
- Executes dropped EXE
- Drops file in System32 directory
[depth 28] Image: C:\Windows\SysWOW64\Lnhmng32.exe; Command line: C:\Windows\system32\Lnhmng32.exe; PID: 4980
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 29] Image: C:\Windows\SysWOW64\Laciofpa.exe; Command line: C:\Windows\system32\Laciofpa.exe; PID: 1292
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
[depth 30] Image: C:\Windows\SysWOW64\Ldaeka32.exe; Command line: C:\Windows\system32\Ldaeka32.exe; PID: 2416
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 31] Image: C:\Windows\SysWOW64\Lcdegnep.exe; Command line: C:\Windows\system32\Lcdegnep.exe; PID: 2800
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[depth 32] Image: C:\Windows\SysWOW64\Lgpagm32.exe; Command line: C:\Windows\system32\Lgpagm32.exe; PID: 2360
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 33] Image: C:\Windows\SysWOW64\Ljnnch32.exe; Command line: C:\Windows\system32\Ljnnch32.exe; PID: 2600
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
[depth 34] Image: C:\Windows\SysWOW64\Lnjjdgee.exe; Command line: C:\Windows\system32\Lnjjdgee.exe; PID: 1408
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 35] Image: C:\Windows\SysWOW64\Laefdf32.exe; Command line: C:\Windows\system32\Laefdf32.exe; PID: 1256
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 36] Image: C:\Windows\SysWOW64\Lddbqa32.exe; Command line: C:\Windows\system32\Lddbqa32.exe; PID: 4108
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 37] Image: C:\Windows\SysWOW64\Lcgblncm.exe; Command line: C:\Windows\system32\Lcgblncm.exe; PID: 3772
- Executes dropped EXE
- Drops file in System32 directory
[depth 38] Image: C:\Windows\SysWOW64\Lknjmkdo.exe; Command line: C:\Windows\system32\Lknjmkdo.exe; PID: 3120
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 39] Image: C:\Windows\SysWOW64\Mjqjih32.exe; Command line: C:\Windows\system32\Mjqjih32.exe; PID: 1600
- Executes dropped EXE
- Drops file in System32 directory
[depth 40] Image: C:\Windows\SysWOW64\Mahbje32.exe; Command line: C:\Windows\system32\Mahbje32.exe; PID: 4400
- Executes dropped EXE
- Modifies registry class
[depth 41] Image: C:\Windows\SysWOW64\Mdfofakp.exe; Command line: C:\Windows\system32\Mdfofakp.exe; PID: 4480
- Executes dropped EXE
- Drops file in System32 directory
[depth 42] Image: C:\Windows\SysWOW64\Mciobn32.exe; Command line: C:\Windows\system32\Mciobn32.exe; PID: 1912
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
[depth 43] Image: C:\Windows\SysWOW64\Mkpgck32.exe; Command line: C:\Windows\system32\Mkpgck32.exe; PID: 4028
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
[depth 44] Image: C:\Windows\SysWOW64\Mjcgohig.exe; Command line: C:\Windows\system32\Mjcgohig.exe; PID: 1260
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
[depth 45] Image: C:\Windows\SysWOW64\Majopeii.exe; Command line: C:\Windows\system32\Majopeii.exe; PID: 4776
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 46] Image: C:\Windows\SysWOW64\Mdiklqhm.exe; Command line: C:\Windows\system32\Mdiklqhm.exe; PID: 4072
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
[depth 47] Image: C:\Windows\SysWOW64\Mcklgm32.exe; Command line: C:\Windows\system32\Mcklgm32.exe; PID: 2700
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
[depth 48] Image: C:\Windows\SysWOW64\Mkbchk32.exe; Command line: C:\Windows\system32\Mkbchk32.exe; PID: 4568
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
[depth 49] Image: C:\Windows\SysWOW64\Mnapdf32.exe; Command line: C:\Windows\system32\Mnapdf32.exe; PID: 1488
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 50] Image: C:\Windows\SysWOW64\Mamleegg.exe; Command line: C:\Windows\system32\Mamleegg.exe; PID: 4288
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 51] Image: C:\Windows\SysWOW64\Mdkhapfj.exe; Command line: C:\Windows\system32\Mdkhapfj.exe; PID: 4408
- Executes dropped EXE
[depth 52] Image: C:\Windows\SysWOW64\Mgidml32.exe; Command line: C:\Windows\system32\Mgidml32.exe; PID: 3640
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
[depth 53] Image: C:\Windows\SysWOW64\Mkepnjng.exe; Command line: C:\Windows\system32\Mkepnjng.exe; PID: 3096
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 54] Image: C:\Windows\SysWOW64\Mncmjfmk.exe; Command line: C:\Windows\system32\Mncmjfmk.exe; PID: 4048
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
[depth 55] Image: C:\Windows\SysWOW64\Mpaifalo.exe; Command line: C:\Windows\system32\Mpaifalo.exe; PID: 4592
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 56] Image: C:\Windows\SysWOW64\Mdmegp32.exe; Command line: C:\Windows\system32\Mdmegp32.exe; PID: 1280
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[depth 57] Image: C:\Windows\SysWOW64\Mglack32.exe; Command line: C:\Windows\system32\Mglack32.exe; PID: 2284
- Executes dropped EXE
- Drops file in System32 directory
[depth 58] Image: C:\Windows\SysWOW64\Mjjmog32.exe; Command line: C:\Windows\system32\Mjjmog32.exe; PID: 1264
- Executes dropped EXE
- Modifies registry class
[depth 59] Image: C:\Windows\SysWOW64\Mnfipekh.exe; Command line: C:\Windows\system32\Mnfipekh.exe; PID: 4920
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 60] Image: C:\Windows\SysWOW64\Mpdelajl.exe; Command line: C:\Windows\system32\Mpdelajl.exe; PID: 3928
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
[depth 61] Image: C:\Windows\SysWOW64\Mcbahlip.exe; Command line: C:\Windows\system32\Mcbahlip.exe; PID: 1284
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
[depth 62] Image: C:\Windows\SysWOW64\Mgnnhk32.exe; Command line: C:\Windows\system32\Mgnnhk32.exe; PID: 5028
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 63] Image: C:\Windows\SysWOW64\Njljefql.exe; Command line: C:\Windows\system32\Njljefql.exe; PID: 1964
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
[depth 64] Image: C:\Windows\SysWOW64\Nnhfee32.exe; Command line: C:\Windows\system32\Nnhfee32.exe; PID: 3040
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
[depth 65] Image: C:\Windows\SysWOW64\Nqfbaq32.exe; Command line: C:\Windows\system32\Nqfbaq32.exe; PID: 4208
- Executes dropped EXE
- Modifies registry class
[depth 66] Image: C:\Windows\SysWOW64\Nceonl32.exe; Command line: C:\Windows\system32\Nceonl32.exe; PID: 3248
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
[depth 67] Image: C:\Windows\SysWOW64\Ngpjnkpf.exe; Command line: C:\Windows\system32\Ngpjnkpf.exe; PID: 3724
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
[depth 68] Image: C:\Windows\SysWOW64\Njogjfoj.exe; Command line: C:\Windows\system32\Njogjfoj.exe; PID: 4008
[depth 69] Image: C:\Windows\SysWOW64\Nnjbke32.exe; Command line: C:\Windows\system32\Nnjbke32.exe; PID: 1848
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
[depth 70] Image: C:\Windows\SysWOW64\Nqiogp32.exe; Command line: C:\Windows\system32\Nqiogp32.exe; PID: 868
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
[depth 71] Image: C:\Windows\SysWOW64\Ncgkcl32.exe; Command line: C:\Windows\system32\Ncgkcl32.exe; PID: 3544
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
[depth 72] Image: C:\Windows\SysWOW64\Ngcgcjnc.exe; Command line: C:\Windows\system32\Ngcgcjnc.exe; PID: 4352
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
[depth 73] Image: C:\Windows\SysWOW64\Njacpf32.exe; Command line: C:\Windows\system32\Njacpf32.exe; PID: 4868
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
[depth 74] Image: C:\Windows\SysWOW64\Nnmopdep.exe; Command line: C:\Windows\system32\Nnmopdep.exe; PID: 4132
- Drops file in System32 directory
[depth 75] Image: C:\Windows\SysWOW64\Nqklmpdd.exe; Command line: C:\Windows\system32\Nqklmpdd.exe; PID: 5132
- Drops file in System32 directory
[depth 76] Image: C:\Windows\SysWOW64\Ncihikcg.exe; Command line: C:\Windows\system32\Ncihikcg.exe; PID: 5164
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
[depth 77] Image: C:\Windows\SysWOW64\Ngedij32.exe; Command line: C:\Windows\system32\Ngedij32.exe; PID: 5200
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
[depth 78] Image: C:\Windows\SysWOW64\Njcpee32.exe; Command line: C:\Windows\system32\Njcpee32.exe; PID: 5236
- Modifies registry class
[depth 79] Image: C:\Windows\SysWOW64\Nbkhfc32.exe; Command line: C:\Windows\system32\Nbkhfc32.exe; PID: 5272
- Drops file in System32 directory
[depth 80] Image: C:\Windows\SysWOW64\Ndidbn32.exe; Command line: C:\Windows\system32\Ndidbn32.exe; PID: 5308
- Modifies registry class
[depth 81] Image: C:\Windows\SysWOW64\Ncldnkae.exe; Command line: C:\Windows\system32\Ncldnkae.exe; PID: 5344
- Modifies registry class
[depth 82] Image: C:\Windows\SysWOW64\Nkcmohbg.exe; Command line: C:\Windows\system32\Nkcmohbg.exe; PID: 5380
[depth 83] Image: C:\Windows\SysWOW64\WerFault.exe; Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 400; PID: 5468
- Program crash
[depth 1] Image: C:\Windows\SysWOW64\WerFault.exe; Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5380 -ip 5380; PID: 5440
Downloads