Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 23:18

Behavioral task behavioral1
Sample: 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe
Resource: win7-20240215-en

Behavioral task behavioral2
Sample: 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General
Target: 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe
Size: 768KB
MD5: 0980c79f054f5681e404736dcae59090
SHA1: a0d9c0274e81bb53d9b0c791df44e05bef98af3a
SHA256: fd845b7fe9aa1c8d6e2c3f3d315a88aff5ba878847d4d749ad8b6fd1873b2457
SHA512: 47d4814e98ed56ff3c4fb6cc32ebf3014d988d332e6896b97746ce6fe31b4afa4c7e7c2dd4f979141d96ef6b799e19ae5e0de4dcaaaa6bdafef4ff81733b2b68
SSDEEP: 12288:xoRzvO6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvO:xUaq5h3q5htaSHFaZRBEYyqmaf2qwiHP
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 50 IoCs)
Processes: Lkiqbl32.exe, Nddkgonp.exe, 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe, Ndidbn32.exe, Ngedij32.exe, Nklfoi32.exe, Mkepnjng.exe, Ndghmo32.exe, Nnolfdcn.exe, Maaepd32.exe, Nkncdifl.exe, Nkqpjidj.exe, Ncldnkae.exe, Lpfijcfl.exe, Liggbi32.exe, Nbkhfc32.exe, Mjeddggd.exe, Laalifad.exe, Mglack32.exe, Mcbahlip.exe, Lnhmng32.exe, Mciobn32.exe, Nbhkac32.exe, Nnhfee32.exe, Nnjbke32.exe

description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkiqbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nddkgonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndidbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngedij32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nklfoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nklfoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkepnjng.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkepnjng.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndghmo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnolfdcn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Maaepd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nddkgonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nkncdifl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkqpjidj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncldnkae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpfijcfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndidbn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Liggbi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpfijcfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nkqpjidj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbkhfc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjeddggd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Laalifad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mglack32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcbahlip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nbkhfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lnhmng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mciobn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkncdifl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndghmo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngedij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncldnkae.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbhkac32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnhfee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkiqbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Maaepd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnjbke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nbhkac32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjeddggd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Liggbi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mciobn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mglack32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcbahlip.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnjbke32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnhmng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnhfee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnolfdcn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laalifad.exe
Malware Dropper & Backdoor - Berbew (25 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

resource | yara_rule
C:\Windows\SysWOW64\Liggbi32.exe | family_berbew
C:\Windows\SysWOW64\Laalifad.exe | family_berbew
C:\Windows\SysWOW64\Lkiqbl32.exe | family_berbew
C:\Windows\SysWOW64\Lnhmng32.exe | family_berbew
C:\Windows\SysWOW64\Lpfijcfl.exe | family_berbew
C:\Windows\SysWOW64\Mciobn32.exe | family_berbew
C:\Windows\SysWOW64\Mjeddggd.exe | family_berbew
C:\Windows\SysWOW64\Mkepnjng.exe | family_berbew
C:\Windows\SysWOW64\Mglack32.exe | family_berbew
C:\Windows\SysWOW64\Maaepd32.exe | family_berbew
C:\Windows\SysWOW64\Mcbahlip.exe | family_berbew
C:\Windows\SysWOW64\Nnhfee32.exe | family_berbew
C:\Windows\SysWOW64\Nklfoi32.exe | family_berbew
C:\Windows\SysWOW64\Nnjbke32.exe | family_berbew
C:\Windows\SysWOW64\Nddkgonp.exe | family_berbew
C:\Windows\SysWOW64\Nkncdifl.exe | family_berbew
C:\Windows\SysWOW64\Ndghmo32.exe | family_berbew
C:\Windows\SysWOW64\Nkqpjidj.exe | family_berbew
C:\Windows\SysWOW64\Nbkhfc32.exe | family_berbew
C:\Windows\SysWOW64\Nkcmohbg.exe | family_berbew
C:\Windows\SysWOW64\Ncldnkae.exe | family_berbew
C:\Windows\SysWOW64\Ndidbn32.exe | family_berbew
C:\Windows\SysWOW64\Nnolfdcn.exe | family_berbew
C:\Windows\SysWOW64\Ngedij32.exe | family_berbew
C:\Windows\SysWOW64\Nbhkac32.exe | family_berbew
Executes dropped EXE (25 IoCs)
Processes: Liggbi32.exe, Laalifad.exe, Lkiqbl32.exe, Lnhmng32.exe, Lpfijcfl.exe, Mciobn32.exe, Mjeddggd.exe, Mkepnjng.exe, Mglack32.exe, Maaepd32.exe, Mcbahlip.exe, Nnhfee32.exe, Nklfoi32.exe, Nnjbke32.exe, Nddkgonp.exe, Nkncdifl.exe, Nbhkac32.exe, Ndghmo32.exe, Ngedij32.exe, Nkqpjidj.exe, Nnolfdcn.exe, Nbkhfc32.exe, Ndidbn32.exe, Ncldnkae.exe, Nkcmohbg.exe

pid | process
4504 | Liggbi32.exe
1268 | Laalifad.exe
2216 | Lkiqbl32.exe
2344 | Lnhmng32.exe
1276 | Lpfijcfl.exe
4844 | Mciobn32.exe
4968 | Mjeddggd.exe
3676 | Mkepnjng.exe
868 | Mglack32.exe
1900 | Maaepd32.exe
1540 | Mcbahlip.exe
948 | Nnhfee32.exe
3344 | Nklfoi32.exe
1212 | Nnjbke32.exe
860 | Nddkgonp.exe
1116 | Nkncdifl.exe
1808 | Nbhkac32.exe
1644 | Ndghmo32.exe
444 | Ngedij32.exe
2876 | Nkqpjidj.exe
4488 | Nnolfdcn.exe
2244 | Nbkhfc32.exe
2052 | Ndidbn32.exe
3056 | Ncldnkae.exe
1876 | Nkcmohbg.exe
Drops file in System32 directory (64 IoCs)
Processes: Lkiqbl32.exe, Mjeddggd.exe, Nnjbke32.exe, Ngedij32.exe, Nkncdifl.exe, Nkqpjidj.exe, Ndidbn32.exe, Nbkhfc32.exe, 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe, Liggbi32.exe, Lnhmng32.exe, Mglack32.exe, Lpfijcfl.exe, Mkepnjng.exe, Nddkgonp.exe, Nklfoi32.exe, Nnhfee32.exe, Mciobn32.exe, Ndghmo32.exe, Laalifad.exe, Maaepd32.exe, Ncldnkae.exe, Nnolfdcn.exe, Mcbahlip.exe, Nbhkac32.exe

description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Lnhmng32.exe | Lkiqbl32.exe
File opened for modification | C:\Windows\SysWOW64\Mkepnjng.exe | Mjeddggd.exe
File created | C:\Windows\SysWOW64\Jlnpomfk.dll | Nnjbke32.exe
File opened for modification | C:\Windows\SysWOW64\Nkqpjidj.exe | Ngedij32.exe
File opened for modification | C:\Windows\SysWOW64\Nbhkac32.exe | Nkncdifl.exe
File created | C:\Windows\SysWOW64\Nnolfdcn.exe | Nkqpjidj.exe
File created | C:\Windows\SysWOW64\Ncldnkae.exe | Ndidbn32.exe
File created | C:\Windows\SysWOW64\Ndidbn32.exe | Nbkhfc32.exe
File created | C:\Windows\SysWOW64\Liggbi32.exe | 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\Laalifad.exe | Liggbi32.exe
File created | C:\Windows\SysWOW64\Lpfijcfl.exe | Lnhmng32.exe
File opened for modification | C:\Windows\SysWOW64\Maaepd32.exe | Mglack32.exe
File created | C:\Windows\SysWOW64\Bebboiqi.dll | Mglack32.exe
File created | C:\Windows\SysWOW64\Lifenaok.dll | Lpfijcfl.exe
File created | C:\Windows\SysWOW64\Mglack32.exe | Mkepnjng.exe
File created | C:\Windows\SysWOW64\Nddkgonp.exe | Nnjbke32.exe
File created | C:\Windows\SysWOW64\Nkncdifl.exe | Nddkgonp.exe
File opened for modification | C:\Windows\SysWOW64\Nnolfdcn.exe | Nkqpjidj.exe
File created | C:\Windows\SysWOW64\Nnjbke32.exe | Nklfoi32.exe
File opened for modification | C:\Windows\SysWOW64\Nkncdifl.exe | Nddkgonp.exe
File created | C:\Windows\SysWOW64\Jkeang32.dll | Nddkgonp.exe
File opened for modification | C:\Windows\SysWOW64\Liggbi32.exe | 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\Mdemcacc.dll | Liggbi32.exe
File created | C:\Windows\SysWOW64\Mbaohn32.dll | Lnhmng32.exe
File created | C:\Windows\SysWOW64\Maaepd32.exe | Mglack32.exe
File opened for modification | C:\Windows\SysWOW64\Nklfoi32.exe | Nnhfee32.exe
File opened for modification | C:\Windows\SysWOW64\Mjeddggd.exe | Mciobn32.exe
File opened for modification | C:\Windows\SysWOW64\Mglack32.exe | Mkepnjng.exe
File created | C:\Windows\SysWOW64\Ogpnaafp.dll | Ngedij32.exe
File created | C:\Windows\SysWOW64\Ngedij32.exe | Ndghmo32.exe
File created | C:\Windows\SysWOW64\Laalifad.exe | Liggbi32.exe
File created | C:\Windows\SysWOW64\Lkiqbl32.exe | Laalifad.exe
File created | C:\Windows\SysWOW64\Lelgbkio.dll | Maaepd32.exe
File created | C:\Windows\SysWOW64\Fibjjh32.dll | Nnhfee32.exe
File opened for modification | C:\Windows\SysWOW64\Nnjbke32.exe | Nklfoi32.exe
File opened for modification | C:\Windows\SysWOW64\Mciobn32.exe | Lpfijcfl.exe
File created | C:\Windows\SysWOW64\Opbnic32.dll | Nbkhfc32.exe
File created | C:\Windows\SysWOW64\Hnibdpde.dll | Ncldnkae.exe
File opened for modification | C:\Windows\SysWOW64\Nbkhfc32.exe | Nnolfdcn.exe
File created | C:\Windows\SysWOW64\Gcgqhjop.dll | 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\Ekiidlll.dll | Laalifad.exe
File created | C:\Windows\SysWOW64\Lnhmng32.exe | Lkiqbl32.exe
File created | C:\Windows\SysWOW64\Mciobn32.exe | Lpfijcfl.exe
File created | C:\Windows\SysWOW64\Nnhfee32.exe | Mcbahlip.exe
File opened for modification | C:\Windows\SysWOW64\Ndidbn32.exe | Nbkhfc32.exe
File opened for modification | C:\Windows\SysWOW64\Lkiqbl32.exe | Laalifad.exe
File opened for modification | C:\Windows\SysWOW64\Lpfijcfl.exe | Lnhmng32.exe
File opened for modification | C:\Windows\SysWOW64\Mcbahlip.exe | Maaepd32.exe
File opened for modification | C:\Windows\SysWOW64\Nnhfee32.exe | Mcbahlip.exe
File opened for modification | C:\Windows\SysWOW64\Ndghmo32.exe | Nbhkac32.exe
File created | C:\Windows\SysWOW64\Qcldhk32.dll | Mjeddggd.exe
File created | C:\Windows\SysWOW64\Oaehlf32.dll | Mkepnjng.exe
File created | C:\Windows\SysWOW64\Hlmobp32.dll | Mcbahlip.exe
File created | C:\Windows\SysWOW64\Jjblifaf.dll | Mciobn32.exe
File created | C:\Windows\SysWOW64\Mkepnjng.exe | Mjeddggd.exe
File created | C:\Windows\SysWOW64\Kmalco32.dll | Nklfoi32.exe
File created | C:\Windows\SysWOW64\Cknpkhch.dll | Nkqpjidj.exe
File created | C:\Windows\SysWOW64\Lkfbjdpq.dll | Nnolfdcn.exe
File opened for modification | C:\Windows\SysWOW64\Ncldnkae.exe | Ndidbn32.exe
File opened for modification | C:\Windows\SysWOW64\Nkcmohbg.exe | Ncldnkae.exe
File created | C:\Windows\SysWOW64\Mcbahlip.exe | Maaepd32.exe
File created | C:\Windows\SysWOW64\Nklfoi32.exe | Nnhfee32.exe
File opened for modification | C:\Windows\SysWOW64\Nddkgonp.exe | Nnjbke32.exe
File opened for modification | C:\Windows\SysWOW64\Ngedij32.exe | Ndghmo32.exe
Program crash (1 IoCs)
Processes: WerFault.exe

pid | pid_target | process
4760 | 1876 | WerFault.exe
Modifies registry class (64 IoCs)
Processes: 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe, Laalifad.exe, Mglack32.exe, Ndidbn32.exe, Mcbahlip.exe, Nddkgonp.exe, Nkqpjidj.exe, Lpfijcfl.exe, Nklfoi32.exe, Ndghmo32.exe, Nkncdifl.exe, Mciobn32.exe, Mkepnjng.exe, Nnolfdcn.exe, Ncldnkae.exe, Lnhmng32.exe, Maaepd32.exe, Nbhkac32.exe, Nnjbke32.exe, Liggbi32.exe, Mjeddggd.exe, Nnhfee32.exe, Ngedij32.exe, Nbkhfc32.exe, Lkiqbl32.exe

description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll" | Laalifad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll" | Mglack32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ndidbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll" | Mcbahlip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nddkgonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" | Nkqpjidj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll" | Lpfijcfl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mglack32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nklfoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll" | Ndghmo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nklfoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nddkgonp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nkncdifl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nkncdifl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Laalifad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll" | Mciobn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mkepnjng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nkqpjidj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nnolfdcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" | Ncldnkae.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ncldnkae.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lnhmng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Maaepd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nbhkac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nnjbke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll" | Liggbi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lpfijcfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mjeddggd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll" | Mkepnjng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nnhfee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ngedij32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ndidbn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nbkhfc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lkiqbl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjeddggd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mglack32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll" | Nklfoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nbkhfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll" | Ndidbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll" | 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mciobn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll" | Mjeddggd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll" | Nbhkac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lpfijcfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll" | Nddkgonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ndghmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll" | Nnjbke32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngedij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ncldnkae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Liggbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lkiqbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mcbahlip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll" | Nnhfee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll" | Nnolfdcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" | Nbkhfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll" | Lkiqbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll" | Lnhmng32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ndghmo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnolfdcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mciobn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll" | Ngedij32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe, Liggbi32.exe, Laalifad.exe, Lkiqbl32.exe, Lnhmng32.exe, Lpfijcfl.exe, Mciobn32.exe, Mjeddggd.exe, Mkepnjng.exe, Mglack32.exe, Maaepd32.exe, Mcbahlip.exe, Nnhfee32.exe, Nklfoi32.exe, Nnjbke32.exe, Nddkgonp.exe, Nkncdifl.exe, Nbhkac32.exe, Ndghmo32.exe, Ngedij32.exe, Nkqpjidj.exe, Nnolfdcn.exe

description | pid | process | target process
PID 1468 wrote to memory of 4504 | 1468 | 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | Liggbi32.exe
PID 1468 wrote to memory of 4504 | 1468 | 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | Liggbi32.exe
PID 1468 wrote to memory of 4504 | 1468 | 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | Liggbi32.exe
PID 4504 wrote to memory of 1268 | 4504 | Liggbi32.exe | Laalifad.exe
PID 4504 wrote to memory of 1268 | 4504 | Liggbi32.exe | Laalifad.exe
PID 4504 wrote to memory of 1268 | 4504 | Liggbi32.exe | Laalifad.exe
PID 1268 wrote to memory of 2216 | 1268 | Laalifad.exe | Lkiqbl32.exe
PID 1268 wrote to memory of 2216 | 1268 | Laalifad.exe | Lkiqbl32.exe
PID 1268 wrote to memory of 2216 | 1268 | Laalifad.exe | Lkiqbl32.exe
PID 2216 wrote to memory of 2344 | 2216 | Lkiqbl32.exe | Lnhmng32.exe
PID 2216 wrote to memory of 2344 | 2216 | Lkiqbl32.exe | Lnhmng32.exe
PID 2216 wrote to memory of 2344 | 2216 | Lkiqbl32.exe | Lnhmng32.exe
PID 2344 wrote to memory of 1276 | 2344 | Lnhmng32.exe | Lpfijcfl.exe
PID 2344 wrote to memory of 1276 | 2344 | Lnhmng32.exe | Lpfijcfl.exe
PID 2344 wrote to memory of 1276 | 2344 | Lnhmng32.exe | Lpfijcfl.exe
PID 1276 wrote to memory of 4844 | 1276 | Lpfijcfl.exe | Mciobn32.exe
PID 1276 wrote to memory of 4844 | 1276 | Lpfijcfl.exe | Mciobn32.exe
PID 1276 wrote to memory of 4844 | 1276 | Lpfijcfl.exe | Mciobn32.exe
PID 4844 wrote to memory of 4968 | 4844 | Mciobn32.exe | Mjeddggd.exe
PID 4844 wrote to memory of 4968 | 4844 | Mciobn32.exe | Mjeddggd.exe
PID 4844 wrote to memory of 4968 | 4844 | Mciobn32.exe | Mjeddggd.exe
PID 4968 wrote to memory of 3676 | 4968 | Mjeddggd.exe | Mkepnjng.exe
PID 4968 wrote to memory of 3676 | 4968 | Mjeddggd.exe | Mkepnjng.exe
PID 4968 wrote to memory of 3676 | 4968 | Mjeddggd.exe | Mkepnjng.exe
PID 3676 wrote to memory of 868 | 3676 | Mkepnjng.exe | Mglack32.exe
PID 3676 wrote to memory of 868 | 3676 | Mkepnjng.exe | Mglack32.exe
PID 3676 wrote to memory of 868 | 3676 | Mkepnjng.exe | Mglack32.exe
PID 868 wrote to memory of 1900 | 868 | Mglack32.exe | Maaepd32.exe
PID 868 wrote to memory of 1900 | 868 | Mglack32.exe | Maaepd32.exe
PID 868 wrote to memory of 1900 | 868 | Mglack32.exe | Maaepd32.exe
PID 1900 wrote to memory of 1540 | 1900 | Maaepd32.exe | Mcbahlip.exe
PID 1900 wrote to memory of 1540 | 1900 | Maaepd32.exe | Mcbahlip.exe
PID 1900 wrote to memory of 1540 | 1900 | Maaepd32.exe | Mcbahlip.exe
PID 1540 wrote to memory of 948 | 1540 | Mcbahlip.exe | Nnhfee32.exe
PID 1540 wrote to memory of 948 | 1540 | Mcbahlip.exe | Nnhfee32.exe
PID 1540 wrote to memory of 948 | 1540 | Mcbahlip.exe | Nnhfee32.exe
PID 948 wrote to memory of 3344 | 948 | Nnhfee32.exe | Nklfoi32.exe
PID 948 wrote to memory of 3344 | 948 | Nnhfee32.exe | Nklfoi32.exe
PID 948 wrote to memory of 3344 | 948 | Nnhfee32.exe | Nklfoi32.exe
PID 3344 wrote to memory of 1212 | 3344 | Nklfoi32.exe | Nnjbke32.exe
PID 3344 wrote to memory of 1212 | 3344 | Nklfoi32.exe | Nnjbke32.exe
PID 3344 wrote to memory of 1212 | 3344 | Nklfoi32.exe | Nnjbke32.exe
PID 1212 wrote to memory of 860 | 1212 | Nnjbke32.exe | Nddkgonp.exe
PID 1212 wrote to memory of 860 | 1212 | Nnjbke32.exe | Nddkgonp.exe
PID 1212 wrote to memory of 860 | 1212 | Nnjbke32.exe | Nddkgonp.exe
PID 860 wrote to memory of 1116 | 860 | Nddkgonp.exe | Nkncdifl.exe
PID 860 wrote to memory of 1116 | 860 | Nddkgonp.exe | Nkncdifl.exe
PID 860 wrote to memory of 1116 | 860 | Nddkgonp.exe | Nkncdifl.exe
PID 1116 wrote to memory of 1808 | 1116 | Nkncdifl.exe | Nbhkac32.exe
PID 1116 wrote to memory of 1808 | 1116 | Nkncdifl.exe | Nbhkac32.exe
PID 1116 wrote to memory of 1808 | 1116 | Nkncdifl.exe | Nbhkac32.exe
PID 1808 wrote to memory of 1644 | 1808 | Nbhkac32.exe | Ndghmo32.exe
PID 1808 wrote to memory of 1644 | 1808 | Nbhkac32.exe | Ndghmo32.exe
PID 1808 wrote to memory of 1644 | 1808 | Nbhkac32.exe | Ndghmo32.exe
PID 1644 wrote to memory of 444 | 1644 | Ndghmo32.exe | Ngedij32.exe
PID 1644 wrote to memory of 444 | 1644 | Ndghmo32.exe | Ngedij32.exe
PID 1644 wrote to memory of 444 | 1644 | Ndghmo32.exe | Ngedij32.exe
PID 444 wrote to memory of 2876 | 444 | Ngedij32.exe | Nkqpjidj.exe
PID 444 wrote to memory of 2876 | 444 | Ngedij32.exe | Nkqpjidj.exe
PID 444 wrote to memory of 2876 | 444 | Ngedij32.exe | Nkqpjidj.exe
PID 2876 wrote to memory of 4488 | 2876 | Nkqpjidj.exe | Nnolfdcn.exe
PID 2876 wrote to memory of 4488 | 2876 | Nkqpjidj.exe | Nnolfdcn.exe
PID 2876 wrote to memory of 4488 | 2876 | Nkqpjidj.exe | Nnolfdcn.exe
PID 4488 wrote to memory of 2244 | 4488 | Nnolfdcn.exe | Nbkhfc32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Laalifad.exe (command line: C:\Windows\system32\Laalifad.exe) 3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Lkiqbl32.exe (command line: C:\Windows\system32\Lkiqbl32.exe) 4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Lnhmng32.exe (command line: C:\Windows\system32\Lnhmng32.exe) 5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Lpfijcfl.exe (command line: C:\Windows\system32\Lpfijcfl.exe) 6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Mciobn32.exe (command line: C:\Windows\system32\Mciobn32.exe) 7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Mjeddggd.exe (command line: C:\Windows\system32\Mjeddggd.exe) 8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Mkepnjng.exe (command line: C:\Windows\system32\Mkepnjng.exe) 9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Mglack32.exe (command line: C:\Windows\system32\Mglack32.exe) 10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Maaepd32.exe (command line: C:\Windows\system32\Maaepd32.exe) 11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Mcbahlip.exe (command line: C:\Windows\system32\Mcbahlip.exe) 12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Nnhfee32.exe (command line: C:\Windows\system32\Nnhfee32.exe) 13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Nklfoi32.exe (command line: C:\Windows\system32\Nklfoi32.exe) 14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Nnjbke32.exe (command line: C:\Windows\system32\Nnjbke32.exe) 15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Nddkgonp.exe (command line: C:\Windows\system32\Nddkgonp.exe) 16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Nkncdifl.exe (command line: C:\Windows\system32\Nkncdifl.exe) 17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Nbhkac32.exe (command line: C:\Windows\system32\Nbhkac32.exe) 18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Ndghmo32.exe (command line: C:\Windows\system32\Ndghmo32.exe) 19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Ngedij32.exe (command line: C:\Windows\system32\Ngedij32.exe) 20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Windows\SysWOW64\Nkqpjidj.exe (command line: C:\Windows\system32\Nkqpjidj.exe) 21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Nnolfdcn.exe (command line: C:\Windows\system32\Nnolfdcn.exe) 22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Nbkhfc32.exe (command line: C:\Windows\system32\Nbkhfc32.exe) 23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Ndidbn32.exe (command line: C:\Windows\system32\Ndidbn32.exe) 24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Ncldnkae.exe (command line: C:\Windows\system32\Ncldnkae.exe) 25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Nkcmohbg.exe (command line: C:\Windows\system32\Nkcmohbg.exe) 26⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 400) 27⤵
- Program crash
PID:4760
-
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1876 -ip 1876) 1⤵
PID:3552
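The WriteProcessMemory log and the process tree record the same behaviour from two angles: each dropped executable writes into the process it has just created, and that child then drops and starts the next one, 26 times, until Nkcmohbg.exe crashes under WerFault. The following is an added example, not code from the report or from the sandbox vendor, that parses entries in the run-together form this page has (including the first entry, which lost its "PID" prefix), rebuilds the spawn chain, and checks every write against the tree so that a write into a process the writer did not spawn stands out as a cross-process injection candidate rather than ordinary child set-up. SAMPLE_LOG and SAMPLE_TREE are constructed excerpts of the report's own data; the extra entry in INJECTION_LOG is invented for the negative case.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the report's WriteProcessMemory log. The page's extraction ran the
# entries together on one line and dropped the "PID" prefix of the first one, so this sample
# deliberately has the same shape. The sandbox logs one entry per WriteProcessMemory call,
# which is why each parent/child pair appears three times.
SAMPLE_LOG = (
    "3676 wrote to memory of 868 3676 Mkepnjng.exe Mglack32.exe "
    "PID 3676 wrote to memory of 868 3676 Mkepnjng.exe Mglack32.exe "
    "PID 3676 wrote to memory of 868 3676 Mkepnjng.exe Mglack32.exe "
    "PID 868 wrote to memory of 1900 868 Mglack32.exe Maaepd32.exe "
    "PID 868 wrote to memory of 1900 868 Mglack32.exe Maaepd32.exe "
    "PID 868 wrote to memory of 1900 868 Mglack32.exe Maaepd32.exe "
    "PID 1900 wrote to memory of 1540 1900 Maaepd32.exe Mcbahlip.exe "
    "PID 1900 wrote to memory of 1540 1900 Maaepd32.exe Mcbahlip.exe "
    "PID 1900 wrote to memory of 1540 1900 Maaepd32.exe Mcbahlip.exe "
    "PID 1540 wrote to memory of 948 1540 Mcbahlip.exe Nnhfee32.exe "
    "PID 1540 wrote to memory of 948 1540 Mcbahlip.exe Nnhfee32.exe "
    "PID 1540 wrote to memory of 948 1540 Mcbahlip.exe Nnhfee32.exe"
)

# Constructed: the same processes as (image, pid, depth), as listed in the process tree.
SAMPLE_TREE = [
    ("Mkepnjng.exe", 3676, 9),
    ("Mglack32.exe", 868, 10),
    ("Maaepd32.exe", 1900, 11),
    ("Mcbahlip.exe", 1540, 12),
    ("Nnhfee32.exe", 948, 13),
]

# Constructed negative case (not in the report): one extra write from the last process back
# into an ancestor, which is what cross-process injection looks like in this log format.
INJECTION_LOG = SAMPLE_LOG + " PID 948 wrote to memory of 3676 948 Nnhfee32.exe Mkepnjng.exe"

# One entry: optional "PID", writer pid, target pid, writer pid repeated (the \1 backreference
# rejects entries whose columns were shuffled by extraction), writer image, target image.
ENTRY = re.compile(r"(?:PID\s+)?(\d+) wrote to memory of (\d+) \1 (\S+?\.exe) (\S+?\.exe)")


def parse_writes(text):
    """Return ({(writer_pid, target_pid): call_count}, {pid: image_name})."""
    edges, images = Counter(), {}
    for m in ENTRY.finditer(text):
        src, dst = int(m.group(1)), int(m.group(2))
        edges[(src, dst)] += 1
        images.setdefault(src, m.group(3))
        images.setdefault(dst, m.group(4))
    return edges, images


def spawn_chain(text):
    """Follow writer -> target edges from the single root and return image names in order.
    Raises ValueError when the edges are not one simple chain: a pid written by two
    processes, a process writing into two, or no unique root."""
    edges, images = parse_writes(text)
    parent, children = {}, defaultdict(list)
    for src, dst in edges:
        if dst in parent:
            raise ValueError(f"pid {dst} written by both {parent[dst]} and {src}")
        parent[dst] = src
        children[src].append(dst)
    roots = [pid for pid in children if pid not in parent]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root writer, found {roots}")
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append(images[pid])
        kids = children.get(pid, [])
        if len(kids) > 1:
            raise ValueError(f"pid {pid} wrote into several processes: {kids}")
        pid = kids[0] if kids else None
    return chain


def is_simple_chain(text):
    try:
        spawn_chain(text)
        return True
    except ValueError:
        return False


def tree_parents(tree):
    """Parent pid of each tree entry, recovered from the depth-first listing and depth column."""
    parent, stack = {}, []  # stack holds (pid, depth) of the current ancestors
    for _, pid, depth in tree:
        while stack and stack[-1][1] >= depth:
            stack.pop()
        parent[pid] = stack[-1][0] if stack else None
        stack.append((pid, depth))
    return parent


def classify_writes(text, tree):
    """Split write edges into writes to a direct child (expected when a parent sets up a
    process it just created) and writes into any other process (injection: escalate)."""
    edges, _ = parse_writes(text)
    parent = tree_parents(tree)
    child_writes, foreign_writes = {}, {}
    for (src, dst), n in edges.items():
        (child_writes if parent.get(dst) == src else foreign_writes)[(src, dst)] = n
    return child_writes, foreign_writes


if __name__ == "__main__":
    print(" -> ".join(spawn_chain(SAMPLE_LOG)))
    child, foreign = classify_writes(INJECTION_LOG, SAMPLE_TREE)
    print("child set-up writes:", child)
    print("foreign writes (injection candidates):", foreign)
```

Applied to the full log above, the chain is linear and every write edge is parent-to-child, so nothing is foreign: the "Suspicious use of WriteProcessMemory" signature here reflects the dropper staging its own child, not injection into a third-party process such as explorer.exe. The tree is what makes that distinction possible; the log alone cannot tell the two apart.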
Network
MITRE ATT&CK Enterprise v15
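The "Adds autorun key to be loaded by Explorer.exe on startup" signature attached to almost every process in the tree is the sandbox's name for an entry under ShellServiceObjectDelayLoad (SSODL): Explorer instantiates every CLSID listed there at logon, so the COM server DLL behind the CLSID runs without a Run key or a service. The following is an added example, not code from the report or the sandbox vendor, of a host-side audit of that key that resolves each entry to its InProcServer32 DLL and flags unresolvable CLSIDs, DLLs outside the system directories, and missing files. The registry contents, CLSIDs, value names and DLL paths in CONSTRUCTED_REGISTRY are invented for the offline run; winreg_readers() is the live Windows path.

```python
import ntpath
import os
import re

# Keys behind the "Adds autorun key to be loaded by Explorer.exe on startup" signature.
# Both views are read: a 32-bit sample on x64, like the one in this report, writes the
# WOW6432Node copy, and its CLSID lives under Classes\WOW6432Node\CLSID.
SSODL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
)
CLSID_ROOTS = (r"SOFTWARE\Classes\CLSID", r"SOFTWARE\Classes\WOW6432Node\CLSID")


def _expand(path, system_root):
    """Strip quotes and expand %SystemRoot%/%windir% even when not running on Windows."""
    path = path.strip().strip('"')
    path = re.sub(r"%systemroot%|%windir%", lambda _m: system_root, path, flags=re.IGNORECASE)
    return ntpath.expandvars(path)


def _in_system_dirs(dll, system_root):
    d, root = ntpath.normcase(dll), ntpath.normcase(system_root).rstrip("\\")
    return d.startswith(root + "\\system32\\") or d.startswith(root + "\\syswow64\\")


def audit_ssodl(values_of, default_of, file_exists=os.path.exists, system_root=None):
    """Resolve every SSODL entry to its InProcServer32 DLL and attach flags:
    no_inprocserver32, outside_system_dirs, dll_missing. All entries are returned, flagged
    or not, because a DLL dropped into System32 (as this sample does) passes the path check.
    values_of(key) -> {name: data}; default_of(key) -> default value string or None."""
    system_root = system_root or os.environ.get("SystemRoot", r"C:\Windows")
    findings = []
    for key in SSODL_KEYS:
        for name, clsid in values_of(key).items():
            finding = {"key": key, "name": name, "clsid": clsid, "dll": None, "flags": []}
            dll = None
            for root in CLSID_ROOTS:
                dll = default_of(root + "\\" + clsid + "\\InProcServer32")
                if dll:
                    break
            if not dll:
                finding["flags"].append("no_inprocserver32")
            else:
                dll = _expand(dll, system_root)
                finding["dll"] = dll
                if not _in_system_dirs(dll, system_root):
                    finding["flags"].append("outside_system_dirs")
                if not file_exists(dll):
                    finding["flags"].append("dll_missing")
            findings.append(finding)
    return findings


def suspicious(findings):
    return [f for f in findings if f["flags"]]


def winreg_readers():
    """Live HKLM readers (Windows only); the audit takes callables so it runs offline too."""
    import winreg

    def values_of(path):
        out = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):
                    name, data, _ = winreg.EnumValue(k, i)
                    out[name] = str(data)
        except OSError:
            pass
        return out

    def default_of(path):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
                return str(winreg.QueryValueEx(k, "")[0])
        except OSError:
            return None

    return values_of, default_of


# Constructed registry for the offline run: every name, CLSID and path below is invented.
CONSTRUCTED_REGISTRY = {
    SSODL_KEYS[0]: {"Benign Example": "{00000000-0000-0000-0000-000000000001}",
                    "Orphan Example": "{00000000-0000-0000-0000-000000000002}"},
    SSODL_KEYS[1]: {"Temp Example": "{00000000-0000-0000-0000-000000000003}",
                    "Dropped In SysWOW64": "{00000000-0000-0000-0000-000000000004}"},
    CLSID_ROOTS[0] + r"\{00000000-0000-0000-0000-000000000001}\InProcServer32":
        {"": r"%SystemRoot%\System32\example_ok.dll"},
    CLSID_ROOTS[1] + r"\{00000000-0000-0000-0000-000000000003}\InProcServer32":
        {"": r"C:\Users\Admin\AppData\Local\Temp\example.dll"},
    CLSID_ROOTS[1] + r"\{00000000-0000-0000-0000-000000000004}\InProcServer32":
        {"": r"C:\Windows\SysWOW64\Dropped32.dll"},
}
CONSTRUCTED_FILES = {r"c:\windows\system32\example_ok.dll",
                     r"c:\users\admin\appdata\local\temp\example.dll",
                     r"c:\windows\syswow64\dropped32.dll"}


def constructed_values_of(key):
    return dict(CONSTRUCTED_REGISTRY.get(key, {}))


def constructed_default_of(key):
    return CONSTRUCTED_REGISTRY.get(key, {}).get("")


def constructed_file_exists(path):
    return ntpath.normcase(path) in CONSTRUCTED_FILES


if __name__ == "__main__":
    for f in audit_ssodl(constructed_values_of, constructed_default_of, constructed_file_exists):
        print(f["name"], f["clsid"], f["dll"], f["flags"] or ["unflagged: verify signature/hash"])
```

The "Dropped In SysWOW64" entry is the caveat this report forces: the sample writes its payloads into the System32 directory ("Drops file in System32 directory"), so an allowlist on location alone would accept its persistence entry. Treat an unflagged SSODL entry as "verify the DLL's Authenticode signature or hash against a known-good baseline", not as benign; on a clean Windows 10 host the key is normally empty or near-empty, so any entry at all deserves a look.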
Downloads
-
Filesize
768KB
MD5
3c31932bd782f9723b829fc0d3f77ab9
SHA1
5bb6542acfb84e874f395087ff33cf9a5a1402a3
SHA256
cf94f4e63eb11017fccaae795fc5425c363d010dc34183dd2e13b7f3c6c3f79a
SHA512
ff0362e09bf26374cd852ea616d6ffaecc9ca404052fad656fadc80250df4f635879975e5a3c580251a403eb018fb439befc177b60f018132610825ca8984fd1
-
Filesize
768KB
MD5
f590316a0f7915a3be73e930fe4c5ce1
SHA1
96ed54324661c1307eb1d76145928638ed3ad3bf
SHA256
8a3a52431a4c5b04991576b6276af05e8fb7eb462c1664d0fe922126ed47ea65
SHA512
00fce62b648fae20395ddb6368c76d3412cb16db6cf1698ef3ad27c3fd6bf1f5dcd9209911208bf2171c53f082ce0c311f1e0b27aef82ec4c71043d6d82f2631
-
Filesize
768KB
MD5
7b37aa8a520617140a1c9c1812c24d87
SHA1
46f4511e7dab41da7f4b3d27e9391e508bbe2cfa
SHA256
d09a9762a2c2e71feea21287059f0adf3ebf0aa8c73b3a4f3a3d972f2209dd8b
SHA512
07a068ea0f094f9422a287228256236b2d37fc2bac7bff00d4c91691a7bb308ff46bcd947b29c9d65ccd9a42d5aa6233357a9bfa729c31b09b2acfa8844818ee
-
Filesize
768KB
MD5
8ffd4f2536b2a5bd737d952c0a9c2549
SHA1
2a76255ead787290111e3edf31c3c5a58559ee1f
SHA256
1769748b43a0bc28b7be1dbbd012336d99e71ccfabe5bd5fc66861758533c462
SHA512
9390eecd7376bb3368b885158b98fbe4f34962074fc9e0e02a417e4dfd1c94829ce0d6efa5514e12c73e4c94dadbd19ec3f82d48e85340d29475b968400d7f02
-
Filesize
768KB
MD5
db9a96f5715cca603a4e94c92e4cec55
SHA1
797b80efc09f00e666797e98e9b473d76696292c
SHA256
6d6d13845caf689444bb16b43f0391f9069bdb5a1127fb255441381f3f2425b6
SHA512
6ff22609da282e26af21d75ccf6bf5ab815143cc1f658a7d09f7364d427ec862e7a7d1e6f1dca1f5dec31213231b6c25d9bbd762c9226c1e85808d49b59a6a31
-
Filesize
768KB
MD5
9f7ca3fd964ef491123290d2e6c97da6
SHA1
24d420b66e0130c0fbd9552123cbfd7c8f46d177
SHA256
2e61cab514950dd560c6736284bac0968097d0cc7d6d322f3727dc440c8e94af
SHA512
4c0ca707345c1a6c1446ea9636b7c74a7dcefc5c10e527dbbde53c264d387b8a6a2f49abb935f253f1447621321982506ea0dfcadc603c00131cfe26dba92d54
-
Filesize
768KB
MD5
3c524fa02ce17c0b6bc8b03df0d8a989
SHA1
809ed32dc45106781697fd9cfe237e70725ba21e
SHA256
90ea67d03304031da06c9e7693dce1f4c7eb21d8f3096ffef7334aa422e1cc26
SHA512
f06b79ceaa1862e70567f98796fc4367a1355757b50380075bc72825b22b266c1c0b28de611902076d1f7b1344281d2613b53b9fec6436dc51c03e733798755b
-
Filesize
768KB
MD5
01eff9ad5ebb6fa8db3b0aa436071e99
SHA1
382a28cc56469f08490bd6dd65291fcecf5054dd
SHA256
48a646f59487a8889ec6b291ac5713091218a732f0af98b475580084822eab2c
SHA512
2a287c961d20a043331f3a671c933165a72aa1c657b4f5f10a72797bdc785a7c69c5e9bb7d594c6152be4183f945b5c74fdaa5d5984ec48bd1762e73239593a2
-
Filesize
768KB
MD5
3bac0fa979c942eeeb8172b03fc41bc1
SHA1
f121b434e4b6e9e83b3b04100e7fb70e70fd8c58
SHA256
09e6309618fe4b387bef2055fe873f977785f5bce52a3498da7a9a6c084279a6
SHA512
b495a790d54ff21d3f7baf88bb286cec8792771d4d1f4d28a7188968160625dbae03dd5fc8560f7e42206b05d899c04b7b7cc8a64884dd22466df1edc82ae7da
-
Filesize
768KB
MD5
0effe23fa00efbc5cd68d72cbf356e9e
SHA1
685eba06922bd0bcb513c2d52839abd225e80cc8
SHA256
923647e4cb3e2db4b09d6a33f61a0f0f09171da3738f3eb5ec77a2c5eda79ab2
SHA512
ef1cba34ae919845b832873f73ee50cf31156adbecce1b82584cee6126849937166159c9e963db1d3e20d48d6db9d00d18aed9bcdb6eb9c8739bac8468568e8a
-
Filesize
768KB
MD5
d8976aef1da8cab0e4bb1c8cef8cf66a
SHA1
0f9d305f1d7515ab153d150dc97a4defadc8c42b
SHA256
925343b7452e360afcc3ff0e1f66e34849e04ac5919f002969f5d2f693fa7d21
SHA512
eae89a76f598abf1b9ccff8ab31c552b20e3c267c18aedda69e298b4ec79b19b0e8f41047059fb4ae15c89da7a2553ed998aa6836bfadacc9fab33538f22cbc8
-
Filesize
768KB
MD5
723b0920da76f2331502100f98a45edf
SHA1
e0dbbfc8545b830f6093dbfc31c77b7b8027708a
SHA256
953880b4f65763701c8b2cd5d6ab023fc1e3fcbc2ffe8d87ac410fe97da9afb0
SHA512
957f356cedd380b109fd0a54b0d1dece2de00906c30bbc0e70b24dda540a0bfbd20b888b9fe2002c351265ef83203d97b25884e858027590627f7da7030db5b5
-
Filesize
768KB
MD5
0d75049eb7b8f284f333d6f799aac9a3
SHA1
05dec32b1ca99128ff62855ee50c992f1f263f15
SHA256
54a6ccbb6711a71da16969f6d8b9bdc9d5a85327bac89ed5390f89ead38bb283
SHA512
a248f24792691efb2e4d9608cc6177988c4b0c6116f49aa8a34109db94ce100c19c14ccee6ee157d68cc161b3e4c09c12039f91a1661a5d785c461a7c51b3975
-
Filesize
768KB
MD5
34247876e52e31416d18ac33fcbc5d5d
SHA1
aeb7d26fbdcdbb64879e10f1fe1fdac1a646495d
SHA256
a81775004bbc1131df722997746fc4d6afa034e5e91d997b48f867be4e652c43
SHA512
4471fdc4acb6d861529c0f3ce4c9b8715f1ff1b3c1b03a622abe4c99bf8d8970cc51305bbae66a8d1d1280ba7018ee59732154e5a5e20b00e98d505e8804cc0b
-
Filesize
768KB
MD5
1b94ff9c263f422b82742f1998a481e0
SHA1
a9cb6cf55e853b05fe269bf0db7a36a35b46e154
SHA256
d2c6108d43a113e1270c61bfab2070f63cedc2283fe8607d409d2517102cfb1f
SHA512
e0f2c4591602b27cdf32b3fd42a89ee654896c8649afc298dfc4b6a76f79650b49e3f54252ed4d3ed4a7cdc86b4182fa1634e0aa5c5130e6526c7640f2123ace
-
Filesize
768KB
MD5
73eb075999980ee6cad8abe11d44a7dd
SHA1
21bb5e112ea5f9faf1294093c79445ab598c387e
SHA256
8efe4a58f0beff58549ba72fc301bbdc3943ed1e684a6d2f97cafc3860e062e0
SHA512
f9dfb17f137b52079f7939f27801ee0332d1d65b483dd3bc984fb20ddcf458806f280f39f0659bbc119c7326f1eeb123c9f04c91233adf77b3e2a4d804d26dde
-
Filesize
768KB
MD5
20e61612dbd2e7f3efd15e2b87e0eb5c
SHA1
6ca1faca838399066a7cef134e6fb628344f5d82
SHA256
581691cb98209dd513fbde313987223b0dfc75e5371126db5eb172f8eb3f5455
SHA512
09dcc2661b1c4f123f8babb1505c55e8a059be0677cecdd97e80dd4bf23a0bcd8be8832dd7a21d6bc5cb02cec8211e5186fd1a2801650c8080570835932c65e4
-
Filesize
768KB
MD5
7a885308c85c6fa18c3d738b13af2a50
SHA1
2992e0cdad4373696b62eeab66f0827b8622a495
SHA256
9c8fdc31fb6fe7973566652921130c974c17062665ccd902b67d7bc604644ccc
SHA512
808d5b4f214c4e2bdd3a3368b4d98b65b5b25a89c771a958084f3de7b542fa2777e10d24af77ce46884f6d4731934e83e50c087fa6b18938427d8aceabceeb22
-
Filesize
768KB
MD5
ef30b1c25caa3b72752308af0d6d38db
SHA1
b2206ef09ff0e291011ae29f31f06c712825f650
SHA256
ecbed464db25c8be935dc825e7d6989a2ddc10b3751521a40318d103532483a2
SHA512
2966dcf17f7d08b23f84c912454ab68ab965176944f42de80da92be5b606d473f3c6dc29823cd330c8522590f6f17e65633536fdc221f57b3de7f2e1e9eb6511
-
Filesize
768KB
MD5
03bd06f47c4213c6975be82e821a41bc
SHA1
8b81fade30ac57a283d527c114f4c3dcb71c5bb9
SHA256
cebd316f508a6ecc128bba141d78a69d2397130cd7aee54d9057b61eda2007b2
SHA512
cdc78c2c32f484685b8e610feb6107a2d1373b8615ae6fa5df101ea2d8406de82195424cc7550b33cd6b6243688ec5215fd7dc9d64a95b325651a200686f4177
-
Filesize
768KB
MD5
8132036c5548f06e6ef9ed3bf472807c
SHA1
fa3f72043547571a302f951c3e0325997bc74bd8
SHA256
cdd0b0ad7cecce9be3c7222f2b59688fd08a9e79ffe7f6dc242cfd6c169e5952
SHA512
7361b1b95398e7c14f72cb7aba5b84d058b4205e62022b1d828f8d20a3c58d561adc17857c9cda7a1d5e461b287e1b7ec9b4a9779a98e98bb877f102298fb5e4
-
Filesize
768KB
MD5
ea8bbadb272ade35f8b0f36e11529254
SHA1
faab84ec6d091abcf76feab8a01a629544f0aeaf
SHA256
33d884ff8db335e4545d2e5ec9603c63448400deed5c4e42498c431b1fb58254
SHA512
2d57474e0c333b296b2d1acf3a3b490134c8aa30d90f029e0fde6c23bfeaf96a1fb059536cddfa3b3ab64659b3230b43d0ffb8b9f9ad8b735686b7f9f862ec96
-
Filesize
768KB
MD5
52b8928624f6571cd6671e3771914ceb
SHA1
145f81555814da01c41f283415d7d44caa4b55b7
SHA256
778e3e7c5441145db896dce0ce692972e9ddbcd6c4b442b436eeed19345e72ef
SHA512
54b6ed50bd5113aec9cbbf494bc79f17f64669018b47c68dbc751d7106866a1bc62be9e173fa30770f0e4b2390df3f169e227a5eb1f6544902227067d5c8d79b
-
Filesize
768KB
MD5
caf91a26e55c564d633f295cb3489242
SHA1
03adc2c48cfed67ce406bfc8e19a4d299f119d18
SHA256
10e79b13c718697d83dea2ca346b77a5f5bfcb5d7219df35c52d895f48f99e03
SHA512
fbca761d8503497a770a2366d108308d964689fdf0dca44cabccd0a434bee45c868c5fcf455eb8f4dda0dd4c6f08806361341c3c4767ae4a09eae67cb86f673b
-
Filesize
768KB
MD5
eb95cb2b1f2d5c99ecfbeb9416c00c1b
SHA1
53abd2c8e5abd19559973b485a0f898304212fed
SHA256
cf56932e0150a6b5218ec44e97a58f2d0d5d9e269a064a200cc2ff7501bb835c
SHA512
e2658a2f5e4ac0dc26e009f2f24050ce900b87f4d6f25075aff1e0bef684a1f307b3a148b15948e80dcd12e952586c0039eb839f356fc35978536eed9bb5cd4b