Analysis

max time kernel: 96s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2024 00:43
Behavioral tasks

behavioral1: sample 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe, resource win7-20240221-en
behavioral2: sample 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe, resource win10v2004-20240426-en (the task whose results are reported below)
General

Target: 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe
Size: 177KB
MD5: 15ce2b6211deafd088bb8718a6225480
SHA1: ad670e4ac9f9171163915c1d84d48aa036a0b62a
SHA256: bd2d1333f8edaf73d2a5dd623de91c302ff2585145d46b00641724d1e6b478ef
SHA512: 9a66d145cd0acf768db25c50ce9979f4a215f999f2dc4328feac64e27a4f510296c043efd261f5727e00a590fe65c0c9d9d31bfd4397c325c26b33e82d2612a7
SSDEEP: 3072:4fQxG2zrqwDOCx4b7g3q/haR5sS+vfvLHhjh8g1eGFyOsa:4fQYG/c7ga/harSvLHh98gwG0ON
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every stage of the chain creates HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the key is reached through the WOW6432Node view, consistent with a 32-bit process on x64) and writes the value "Web Event Logger" = {79FEACFF-FFCE-815E-A900-316290B5B738}. Explorer instantiates every CLSID listed under ShellServiceObjectDelayLoad at logon, so whatever DLL is registered as that CLSID's InProcServer32 (see "Modifies registry class" below) is loaded into explorer.exe without any Run key or scheduled task.

Processes: Mnocof32.exe, Mcpebmkb.exe, Mdfofakp.exe, Lgbnmm32.exe, Njacpf32.exe, Ijhodq32.exe, Nddkgonp.exe, Iabgaklg.exe, Kkihknfg.exe, Lmccchkn.exe, Lkgdml32.exe, Lcdegnep.exe, Mjjmog32.exe, Nceonl32.exe, Nqklmpdd.exe, Icjmmg32.exe, Ndidbn32.exe, Jangmibi.exe, Kdffocib.exe, Ldkojb32.exe, Lgkhlnbn.exe, Imihfl32.exe, Kpccnefa.exe, Ijfboafl.exe, Ifmcdblq.exe, Jplmmfmi.exe, Jiikak32.exe, Mdpalp32.exe, Imdnklfp.exe, Ibagcc32.exe, Kagichjo.exe, Mcklgm32.exe, Maaepd32.exe, Ijdeiaio.exe, Kbapjafe.exe, Lkdggmlj.exe, Laalifad.exe, Mkpgck32.exe, 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe, Kpepcedo.exe, Ldmlpbbj.exe, Lnjjdgee.exe, Ngedij32.exe, Njcpee32.exe, Ipqnahgf.exe, Mpmokb32.exe, Mdkhapfj.exe, Nkjjij32.exe, Idacmfkj.exe, Lphfpbdi.exe, Kaemnhla.exe, Lcmofolg.exe, Laciofpa.exe

description / ioc / process (one record per line):
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnocof32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpebmkb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdfofakp.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbnmm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njacpf32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijhodq32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nddkgonp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iabgaklg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkihknfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmccchkn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkgdml32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdegnep.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjjmog32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceonl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqklmpdd.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icjmmg32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndidbn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jangmibi.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdffocib.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldkojb32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgkhlnbn.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imihfl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpccnefa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijfboafl.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmcdblq.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplmmfmi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiikak32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdpalp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icjmmg32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imdnklfp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibagcc32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kagichjo.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcklgm32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maaepd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maaepd32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdeiaio.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbapjafe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kagichjo.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkdggmlj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laalifad.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdegnep.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkpgck32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpccnefa.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpepcedo.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmlpbbj.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjjdgee.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcklgm32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngedij32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njcpee32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipqnahgf.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jangmibi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpmokb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdkhapfj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkjjij32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idacmfkj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lphfpbdi.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdkhapfj.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njacpf32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaemnhla.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcmofolg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laciofpa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgbnmm32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkjjij32.exe
Malware Dropper & Backdoor - Berbew (35 IoCs)

Berbew is a backdoor Trojan with the capability to download and install additional malicious software, such as other Trojans, ransomware, and cryptominers.

resource / yara_rule (one record per line):
C:\Windows\SysWOW64\Icjmmg32.exe family_berbew
C:\Windows\SysWOW64\Ijdeiaio.exe family_berbew
C:\Windows\SysWOW64\Ipqnahgf.exe family_berbew
C:\Windows\SysWOW64\Ifjfnb32.exe family_berbew
C:\Windows\SysWOW64\Imdnklfp.exe family_berbew
C:\Windows\SysWOW64\Ijfboafl.exe family_berbew
C:\Windows\SysWOW64\Ibagcc32.exe family_berbew
C:\Windows\SysWOW64\Ijhodq32.exe family_berbew
C:\Windows\SysWOW64\Ifmcdblq.exe family_berbew
C:\Windows\SysWOW64\Iabgaklg.exe family_berbew
C:\Windows\SysWOW64\Idacmfkj.exe family_berbew
C:\Windows\SysWOW64\Ijkljp32.exe family_berbew
C:\Windows\SysWOW64\Imihfl32.exe family_berbew
C:\Windows\SysWOW64\Jpgdbg32.exe family_berbew
C:\Windows\SysWOW64\Jfaloa32.exe family_berbew
C:\Windows\SysWOW64\Jmkdlkph.exe family_berbew
C:\Windows\SysWOW64\Jdemhe32.exe family_berbew
C:\Windows\SysWOW64\Jbhmdbnp.exe family_berbew
C:\Windows\SysWOW64\Jplmmfmi.exe family_berbew
C:\Windows\SysWOW64\Jbkjjblm.exe family_berbew
C:\Windows\SysWOW64\Jjbako32.exe family_berbew
C:\Windows\SysWOW64\Jaljgidl.exe family_berbew
C:\Windows\SysWOW64\Jbmfoa32.exe family_berbew
C:\Windows\SysWOW64\Jkdnpo32.exe family_berbew
C:\Windows\SysWOW64\Jangmibi.exe family_berbew
C:\Windows\SysWOW64\Jbocea32.exe family_berbew
C:\Windows\SysWOW64\Jiikak32.exe family_berbew
C:\Windows\SysWOW64\Kpccnefa.exe family_berbew
C:\Windows\SysWOW64\Kbapjafe.exe family_berbew
C:\Windows\SysWOW64\Kkihknfg.exe family_berbew
C:\Windows\SysWOW64\Kpepcedo.exe family_berbew
C:\Windows\SysWOW64\Kkkdan32.exe family_berbew
C:\Windows\SysWOW64\Kbfiep32.exe family_berbew
C:\Windows\SysWOW64\Laciofpa.exe family_berbew
C:\Windows\SysWOW64\Nkcmohbg.exe family_berbew
Executes dropped EXE (64 IoCs)

pid / process (one record per line):
4416 Icjmmg32.exe
1940 Ijdeiaio.exe
4028 Ipqnahgf.exe
2900 Ifjfnb32.exe
972 Ijfboafl.exe
2232 Imdnklfp.exe
2196 Ibagcc32.exe
4404 Ifmcdblq.exe
3732 Ijhodq32.exe
3332 Iabgaklg.exe
4684 Idacmfkj.exe
372 Ijkljp32.exe
1900 Imihfl32.exe
3044 Jpgdbg32.exe
952 Jfaloa32.exe
2184 Jmkdlkph.exe
4500 Jdemhe32.exe
1056 Jbhmdbnp.exe
3492 Jplmmfmi.exe
1060 Jbkjjblm.exe
1896 Jjbako32.exe
2056 Jaljgidl.exe
2044 Jbmfoa32.exe
2928 Jkdnpo32.exe
4168 Jangmibi.exe
2624 Jbocea32.exe
4044 Jiikak32.exe
820 Kpccnefa.exe
2848 Kbapjafe.exe
3464 Kkihknfg.exe
1032 Kpepcedo.exe
2464 Kkkdan32.exe
1724 Kaemnhla.exe
5088 Kbfiep32.exe
4308 Kipabjil.exe
3700 Kagichjo.exe
716 Kdffocib.exe
3704 Kgdbkohf.exe
1912 Kmnjhioc.exe
5112 Kajfig32.exe
1520 Kdhbec32.exe
2908 Kkbkamnl.exe
2504 Lmqgnhmp.exe
3220 Ldkojb32.exe
2368 Lcmofolg.exe
1312 Lkdggmlj.exe
2492 Lmccchkn.exe
4536 Ldmlpbbj.exe
4136 Lgkhlnbn.exe
1476 Lkgdml32.exe
2552 Laalifad.exe
4444 Ldohebqh.exe
3528 Lilanioo.exe
4196 Laciofpa.exe
1844 Lcdegnep.exe
1864 Lklnhlfb.exe
4812 Lnjjdgee.exe
4612 Lphfpbdi.exe
4916 Lgbnmm32.exe
4872 Mnlfigcc.exe
492 Mdfofakp.exe
4820 Mkpgck32.exe
4376 Mnocof32.exe
4328 Mpmokb32.exe
Drops file in System32 directory (64 IoCs)

Processes: Ipqnahgf.exe, Ijkljp32.exe, Mnocof32.exe, Ijfboafl.exe, Kgdbkohf.exe, Mjhqjg32.exe, Mdkhapfj.exe, Nnhfee32.exe, Jiikak32.exe, Kkihknfg.exe, Jfaloa32.exe, Lcdegnep.exe, Lnjjdgee.exe, Ncldnkae.exe, Ijdeiaio.exe, Ibagcc32.exe, Laalifad.exe, Laciofpa.exe, Nqklmpdd.exe, Jplmmfmi.exe, Jbocea32.exe, Ldkojb32.exe, Kmnjhioc.exe, Lklnhlfb.exe, Kkbkamnl.exe, Lkgdml32.exe, Mkpgck32.exe, Nnmopdep.exe, Jbkjjblm.exe, Jjbako32.exe, Jbmfoa32.exe, Maaepd32.exe, Njacpf32.exe, Lilanioo.exe, Mjjmog32.exe, Jangmibi.exe, Mcpebmkb.exe, Nceonl32.exe, Idacmfkj.exe, Nklfoi32.exe, Icjmmg32.exe, Kipabjil.exe, 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe, Mdfofakp.exe, Ldohebqh.exe, Jmkdlkph.exe, Kbfiep32.exe, Lmqgnhmp.exe, Mgidml32.exe, Mdpalp32.exe, Ngedij32.exe, Kdffocib.exe

description / ioc / process (one record per line):
File created C:\Windows\SysWOW64\Ifjfnb32.exe Ipqnahgf.exe
File created C:\Windows\SysWOW64\Jibpdc32.dll Ijkljp32.exe
File created C:\Windows\SysWOW64\Bkankc32.dll Mnocof32.exe
File opened for modification C:\Windows\SysWOW64\Imdnklfp.exe Ijfboafl.exe
File created C:\Windows\SysWOW64\Oimhnoch.dll Kgdbkohf.exe
File opened for modification C:\Windows\SysWOW64\Maohkd32.exe Mjhqjg32.exe
File created C:\Windows\SysWOW64\Cnacjn32.dll Mdkhapfj.exe
File created C:\Windows\SysWOW64\Fcdjjo32.dll Nnhfee32.exe
File opened for modification C:\Windows\SysWOW64\Kpccnefa.exe Jiikak32.exe
File opened for modification C:\Windows\SysWOW64\Kpepcedo.exe Kkihknfg.exe
File opened for modification C:\Windows\SysWOW64\Jmkdlkph.exe Jfaloa32.exe
File opened for modification C:\Windows\SysWOW64\Lklnhlfb.exe Lcdegnep.exe
File created C:\Windows\SysWOW64\Mglppmnd.dll Lnjjdgee.exe
File created C:\Windows\SysWOW64\Nkcmohbg.exe Ncldnkae.exe
File created C:\Windows\SysWOW64\Mlilmlna.dll Ijdeiaio.exe
File created C:\Windows\SysWOW64\Ifmcdblq.exe Ibagcc32.exe
File created C:\Windows\SysWOW64\Ldohebqh.exe Laalifad.exe
File opened for modification C:\Windows\SysWOW64\Lcdegnep.exe Laciofpa.exe
File created C:\Windows\SysWOW64\Paadnmaq.dll Nqklmpdd.exe
File created C:\Windows\SysWOW64\Hnibdpde.dll Ncldnkae.exe
File created C:\Windows\SysWOW64\Jbkjjblm.exe Jplmmfmi.exe
File opened for modification C:\Windows\SysWOW64\Jiikak32.exe Jbocea32.exe
File created C:\Windows\SysWOW64\Offdjb32.dll Ldkojb32.exe
File created C:\Windows\SysWOW64\Kajfig32.exe Kmnjhioc.exe
File created C:\Windows\SysWOW64\Fldggfbc.dll Lklnhlfb.exe
File opened for modification C:\Windows\SysWOW64\Lmqgnhmp.exe Kkbkamnl.exe
File created C:\Windows\SysWOW64\Mdemcacc.dll Lkgdml32.exe
File created C:\Windows\SysWOW64\Oedbld32.dll Mkpgck32.exe
File created C:\Windows\SysWOW64\Ljfemn32.dll Nnmopdep.exe
File created C:\Windows\SysWOW64\Feambf32.dll Jbkjjblm.exe
File opened for modification C:\Windows\SysWOW64\Jaljgidl.exe Jjbako32.exe
File created C:\Windows\SysWOW64\Qknpkqim.dll Jbmfoa32.exe
File opened for modification C:\Windows\SysWOW64\Mdpalp32.exe Maaepd32.exe
File opened for modification C:\Windows\SysWOW64\Nnmopdep.exe Njacpf32.exe
File created C:\Windows\SysWOW64\Aaqnkb32.dll Ipqnahgf.exe
File created C:\Windows\SysWOW64\Laciofpa.exe Lilanioo.exe
File created C:\Windows\SysWOW64\Maaepd32.exe Mjjmog32.exe
File created C:\Windows\SysWOW64\Gmlgol32.dll Jangmibi.exe
File created C:\Windows\SysWOW64\Mjjmog32.exe Mcpebmkb.exe
File created C:\Windows\SysWOW64\Nklfoi32.exe Nceonl32.exe
File created C:\Windows\SysWOW64\Ijkljp32.exe Idacmfkj.exe
File created C:\Windows\SysWOW64\Ibimpp32.dll Jplmmfmi.exe
File opened for modification C:\Windows\SysWOW64\Jjbako32.exe Jbkjjblm.exe
File opened for modification C:\Windows\SysWOW64\Nnjbke32.exe Nklfoi32.exe
File opened for modification C:\Windows\SysWOW64\Ijdeiaio.exe Icjmmg32.exe
File created C:\Windows\SysWOW64\Hefffnbk.dll Kipabjil.exe
File opened for modification C:\Windows\SysWOW64\Nklfoi32.exe Nceonl32.exe
File created C:\Windows\SysWOW64\Lcdegnep.exe Laciofpa.exe
File created C:\Windows\SysWOW64\Icjmmg32.exe 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe
File created C:\Windows\SysWOW64\Jmkdlkph.exe Jfaloa32.exe
File created C:\Windows\SysWOW64\Jfbhfihj.dll Mdfofakp.exe
File created C:\Windows\SysWOW64\Lilanioo.exe Ldohebqh.exe
File created C:\Windows\SysWOW64\Kmalco32.dll Nklfoi32.exe
File opened for modification C:\Windows\SysWOW64\Jdemhe32.exe Jmkdlkph.exe
File opened for modification C:\Windows\SysWOW64\Kipabjil.exe Kbfiep32.exe
File created C:\Windows\SysWOW64\Ldkojb32.exe Lmqgnhmp.exe
File opened for modification C:\Windows\SysWOW64\Mjhqjg32.exe Mgidml32.exe
File opened for modification C:\Windows\SysWOW64\Nkjjij32.exe Mdpalp32.exe
File opened for modification C:\Windows\SysWOW64\Nceonl32.exe Nnhfee32.exe
File created C:\Windows\SysWOW64\Njcpee32.exe Ngedij32.exe
File created C:\Windows\SysWOW64\Ekmihm32.dll Ijfboafl.exe
File created C:\Windows\SysWOW64\Kgdbkohf.exe Kdffocib.exe
File opened for modification C:\Windows\SysWOW64\Ldkojb32.exe Lmqgnhmp.exe
File created C:\Windows\SysWOW64\Pglanoaq.dll 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe
Program crash (1 IoC)

pid / process / target pid / target process:
3060 WerFault.exe 2064 Nkcmohbg.exe

Nkcmohbg.exe (created by Ncldnkae.exe) is the last dropped executable matched by the Berbew YARA rule above; WerFault.exe handled its crash.
Modifies registry class (64 IoCs)

This is the other half of the SSODL persistence: each stage creates HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, sets its default value to a DLL under C:\Windows\SysWow64 and sets ThreadingModel = "Apartment". The DLL names are the .dll files the same process drops in "Drops file in System32 directory" (for example Ijkljp32.exe drops Jibpdc32.dll and registers it; Kgdbkohf.exe drops Oimhnoch.dll and registers it), and each later stage overwrites the path, so the CLSID named by the "Web Event Logger" SSODL value ends up pointing at whichever stage wrote it last.

Processes: Jpgdbg32.exe, Kajfig32.exe, Mjjmog32.exe, Njcpee32.exe, Ijdeiaio.exe, Jjbako32.exe, Jbmfoa32.exe, Nnjbke32.exe, Jbhmdbnp.exe, Mcklgm32.exe, Maohkd32.exe, Icjmmg32.exe, Kagichjo.exe, Lkdggmlj.exe, Laciofpa.exe, Mpmokb32.exe, Mcpebmkb.exe, Nklfoi32.exe, Ndidbn32.exe, Lphfpbdi.exe, Mnapdf32.exe, Ijfboafl.exe, Jdemhe32.exe, Jiikak32.exe, Mnocof32.exe, Kkihknfg.exe, Ncldnkae.exe, Kmnjhioc.exe, Nddkgonp.exe, Kgdbkohf.exe, Ldkojb32.exe, Njacpf32.exe, Idacmfkj.exe, Jfaloa32.exe, Jbkjjblm.exe, Jkdnpo32.exe, Mdfofakp.exe, Nkjjij32.exe, Ngedij32.exe, Ifjfnb32.exe, Nqklmpdd.exe, Jbocea32.exe, Mgidml32.exe, Ipqnahgf.exe, Ijkljp32.exe, Jaljgidl.exe

description / ioc / process (one record per line):
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpgdbg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll" Kajfig32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjjmog32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll" Mjjmog32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njcpee32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijdeiaio.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll" Jjbako32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll" Jbmfoa32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnjbke32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll" Nnjbke32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll" Jbhmdbnp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll" Mcklgm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maohkd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll" Icjmmg32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kagichjo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkdggmlj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijdeiaio.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll" Lkdggmlj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll" Laciofpa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpmokb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcpebmkb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcpebmkb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nklfoi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll" Nklfoi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll" Ndidbn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lphfpbdi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll" Mnapdf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijfboafl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdemhe32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiikak32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnocof32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiikak32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll" Kkihknfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll" Maohkd32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncldnkae.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmnjhioc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nddkgonp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll" Kgdbkohf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll" Ldkojb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njacpf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll" Njacpf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll" Ijdeiaio.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcklgm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" Ncldnkae.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll" Idacmfkj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll" Jfaloa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbhmdbnp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll" Jbkjjblm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkdnpo32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laciofpa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll" Mdfofakp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll" Nkjjij32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngedij32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifjfnb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njacpf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll" Nqklmpdd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njcpee32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll" Jbocea32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kajfig32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll" Mgidml32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipqnahgf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll" Ijkljp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll" Jaljgidl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll" Jkdnpo32.exe
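The "Adds autorun key" signature and this "Modifies registry class" section describe one persistence mechanism split across three IoC lists: the SSODL value holds a CLSID, the CLSID's InProcServer32 holds a DLL path, and the file-drop records show which process wrote that DLL. The Python below is an added example, not part of the Triage report or of the Berbew sample, that joins the three so an analyst can read off what explorer.exe will load. It assumes the rows are in the report's own "description ioc process" line format; the sample lines are a subset copied from this report, and the regexes are written for this report's wording rather than for any Triage API.

```python
"""
Resolve what explorer.exe will load from the SSODL persistence entries in the
report: SSODL value -> CLSID -> InProcServer32 DLL -> process that dropped it.
Input rows are in the report's own "description ioc process" line format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One regex per record kind.  Registry paths are matched case-insensitively
# because the report prints "SOFTWARE" for value writes and "Software" for
# key creation, and SysWOW64 / SysWow64 for the same directory.
SSODL_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?'
    r'Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\'
    r'(?P<name>.+?) = "(?P<clsid>\{[0-9A-Fa-f-]{36}\})" (?P<proc>\S+)$',
    re.IGNORECASE,
)
INPROC_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?:WOW6432Node\\)?'
    r'CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InProcServer32\\ = "(?P<dll>[^"]+)" (?P<proc>\S+)$',
    re.IGNORECASE,
)
DROP_RE = re.compile(r'^File created (?P<path>\S+) (?P<proc>\S+)$')


@dataclass(frozen=True)
class Finding:
    value_name: str            # SSODL value name, e.g. "Web Event Logger"
    clsid: str                 # CLSID stored in that value
    dll: str                   # InProcServer32 path, doubled backslashes collapsed
    registered_by: str         # process that wrote InProcServer32
    dropped_by: Optional[str]  # process that created the DLL, if the report shows it


def parse(lines):
    ssodl: Dict[Tuple[str, str], List[str]] = defaultdict(list)   # (name, clsid) -> writers
    inproc: Dict[str, List[Tuple[str, str]]] = defaultdict(list)  # clsid -> [(dll, proc)]
    drops: Dict[str, str] = {}                                    # lower-cased path -> creator
    for line in lines:
        line = line.strip()
        m = SSODL_RE.match(line)
        if m:
            ssodl[(m['name'], m['clsid'].upper())].append(m['proc'])
            continue
        m = INPROC_RE.match(line)
        if m:
            # The report prints the REG_SZ with escaped backslashes.
            inproc[m['clsid'].upper()].append((m['dll'].replace('\\\\', '\\'), m['proc']))
            continue
        m = DROP_RE.match(line)
        if m:
            drops[m['path'].lower()] = m['proc']
    return ssodl, inproc, drops


def ssodl_writers(lines):
    """(value name, CLSID) -> processes that wrote that SSODL value, in report order."""
    return dict(parse(lines)[0])


def correlate(lines):
    """One Finding per DLL registered as the in-process server of an SSODL CLSID."""
    ssodl, inproc, drops = parse(lines)
    return [
        Finding(name, clsid, dll, proc, drops.get(dll.lower()))
        for (name, clsid) in ssodl
        for dll, proc in inproc.get(clsid, [])
    ]


# Constructed input: a subset of rows copied from the report above.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnocof32.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpebmkb.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdfofakp.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpgdbg32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll" Kajfig32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll" Ijkljp32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll" Mdfofakp.exe',
    r'File created C:\Windows\SysWOW64\Jibpdc32.dll Ijkljp32.exe',
    r'File created C:\Windows\SysWOW64\Jfbhfihj.dll Mdfofakp.exe',
    r'File created C:\Windows\SysWOW64\Icjmmg32.exe 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe',
]

if __name__ == '__main__':
    for f in correlate(SAMPLE_LINES):
        print(f'{f.value_name} -> {f.clsid} -> {f.dll} '
              f'(registered by {f.registered_by}, dropped by {f.dropped_by})')
```

A missing `dropped_by` is not evidence that the DLL was never written: the report caps each IoC list at 64 rows, so Ogdimilg.dll is registered by Kajfig32.exe above but has no surviving "File created" row. On a live host the same join is done against the registry and the file system rather than report text, and the decision point is the same: any SSODL CLSID whose InProcServer32 resolves to a recently written, unsigned DLL under SysWOW64 is what explorer.exe will load at the next logon.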
Suspicious use of WriteProcessMemory (64 IoCs)

The records form a single linear chain: the sample (PID 3388) writes into Icjmmg32.exe (PID 4416), which writes into Ijdeiaio.exe (PID 1940), and so on, each stage spawning the next executable it dropped into SysWOW64. Every link is logged three times. The list is capped at 64 records and therefore stops at Jaljgidl.exe; "Executes dropped EXE" above shows the chain continuing at least to Mpmokb32.exe.

Processes: 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe, Icjmmg32.exe, Ijdeiaio.exe, Ipqnahgf.exe, Ifjfnb32.exe, Ijfboafl.exe, Imdnklfp.exe, Ibagcc32.exe, Ifmcdblq.exe, Ijhodq32.exe, Iabgaklg.exe, Idacmfkj.exe, Ijkljp32.exe, Imihfl32.exe, Jpgdbg32.exe, Jfaloa32.exe, Jmkdlkph.exe, Jdemhe32.exe, Jbhmdbnp.exe, Jplmmfmi.exe, Jbkjjblm.exe, Jjbako32.exe

description / pid / process / target process (each link logged three times unless noted):
PID 3388 wrote to memory of 4416 3388 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe Icjmmg32.exe (3 records)
PID 4416 wrote to memory of 1940 4416 Icjmmg32.exe Ijdeiaio.exe (3 records)
PID 1940 wrote to memory of 4028 1940 Ijdeiaio.exe Ipqnahgf.exe (3 records)
PID 4028 wrote to memory of 2900 4028 Ipqnahgf.exe Ifjfnb32.exe (3 records)
PID 2900 wrote to memory of 972 2900 Ifjfnb32.exe Ijfboafl.exe (3 records)
PID 972 wrote to memory of 2232 972 Ijfboafl.exe Imdnklfp.exe (3 records)
PID 2232 wrote to memory of 2196 2232 Imdnklfp.exe Ibagcc32.exe (3 records)
PID 2196 wrote to memory of 4404 2196 Ibagcc32.exe Ifmcdblq.exe (3 records)
PID 4404 wrote to memory of 3732 4404 Ifmcdblq.exe Ijhodq32.exe (3 records)
PID 3732 wrote to memory of 3332 3732 Ijhodq32.exe Iabgaklg.exe (3 records)
PID 3332 wrote to memory of 4684 3332 Iabgaklg.exe Idacmfkj.exe (3 records)
PID 4684 wrote to memory of 372 4684 Idacmfkj.exe Ijkljp32.exe (3 records)
PID 372 wrote to memory of 1900 372 Ijkljp32.exe Imihfl32.exe (3 records)
PID 1900 wrote to memory of 3044 1900 Imihfl32.exe Jpgdbg32.exe (3 records)
PID 3044 wrote to memory of 952 3044 Jpgdbg32.exe Jfaloa32.exe (3 records)
PID 952 wrote to memory of 2184 952 Jfaloa32.exe Jmkdlkph.exe (3 records)
PID 2184 wrote to memory of 4500 2184 Jmkdlkph.exe Jdemhe32.exe (3 records)
PID 4500 wrote to memory of 1056 4500 Jdemhe32.exe Jbhmdbnp.exe (3 records)
PID 1056 wrote to memory of 3492 1056 Jbhmdbnp.exe Jplmmfmi.exe (3 records)
PID 3492 wrote to memory of 1060 3492 Jplmmfmi.exe Jbkjjblm.exe (3 records)
PID 1060 wrote to memory of 1896 1060 Jbkjjblm.exe Jjbako32.exe (3 records)
PID 1896 wrote to memory of 2056 1896 Jjbako32.exe Jaljgidl.exe (1 record; list truncated at 64)
Processes
Process tree, one process per entry. The number in brackets is the process's depth in the tree (each entry below depth 1 is a child of the preceding one); the indented line lists the signatures that process triggered.
[1] C:\Users\Admin\AppData\Local\Temp\15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe, command line "C:\Users\Admin\AppData\Local\Temp\15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe", PID 3388
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Icjmmg32.exe, command line C:\Windows\system32\Icjmmg32.exe, PID 4416
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Ijdeiaio.exe, command line C:\Windows\system32\Ijdeiaio.exe, PID 1940
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Ipqnahgf.exe, command line C:\Windows\system32\Ipqnahgf.exe, PID 4028
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Ifjfnb32.exe, command line C:\Windows\system32\Ifjfnb32.exe, PID 2900
    Signatures: Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Ijfboafl.exe, command line C:\Windows\system32\Ijfboafl.exe, PID 972
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Imdnklfp.exe, command line C:\Windows\system32\Imdnklfp.exe, PID 2232
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\Ibagcc32.exe, command line C:\Windows\system32\Ibagcc32.exe, PID 2196
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\Ifmcdblq.exe, command line C:\Windows\system32\Ifmcdblq.exe, PID 4404
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\Ijhodq32.exe, command line C:\Windows\system32\Ijhodq32.exe, PID 3732
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\Iabgaklg.exe, command line C:\Windows\system32\Iabgaklg.exe, PID 3332
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Idacmfkj.exe, command line C:\Windows\system32\Idacmfkj.exe, PID 4684
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\Ijkljp32.exe, command line C:\Windows\system32\Ijkljp32.exe, PID 372
    Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\Imihfl32.exe, command line C:\Windows\system32\Imihfl32.exe, PID 1900
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
[15] C:\Windows\SysWOW64\Jpgdbg32.exe, command line C:\Windows\system32\Jpgdbg32.exe, PID 3044
    Signatures: Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\Jfaloa32.exe, command line C:\Windows\system32\Jfaloa32.exe, PID 952
    Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
[17] C:\Windows\SysWOW64\Jmkdlkph.exe, command line C:\Windows\system32\Jmkdlkph.exe, PID 2184
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[18] C:\Windows\SysWOW64\Jdemhe32.exe, command line C:\Windows\system32\Jdemhe32.exe, PID 4500
    Signatures: Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
[19] C:\Windows\SysWOW64\Jbhmdbnp.exe, command line C:\Windows\system32\Jbhmdbnp.exe, PID 1056
    Signatures: Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
[20] C:\Windows\SysWOW64\Jplmmfmi.exe, command line C:\Windows\system32\Jplmmfmi.exe, PID 3492
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[21] C:\Windows\SysWOW64\Jbkjjblm.exe, command line C:\Windows\system32\Jbkjjblm.exe, PID 1060
    Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
[22] C:\Windows\SysWOW64\Jjbako32.exe, command line C:\Windows\system32\Jjbako32.exe, PID 1896
    Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
[23] C:\Windows\SysWOW64\Jaljgidl.exe, command line C:\Windows\system32\Jaljgidl.exe, PID 2056
    Signatures: Executes dropped EXE; Modifies registry class
[24] C:\Windows\SysWOW64\Jbmfoa32.exe, command line C:\Windows\system32\Jbmfoa32.exe, PID 2044
    Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[25] C:\Windows\SysWOW64\Jkdnpo32.exe, command line C:\Windows\system32\Jkdnpo32.exe, PID 2928
    Signatures: Executes dropped EXE; Modifies registry class
[26] C:\Windows\SysWOW64\Jangmibi.exe, command line C:\Windows\system32\Jangmibi.exe, PID 4168
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
[27] C:\Windows\SysWOW64\Jbocea32.exe, command line C:\Windows\system32\Jbocea32.exe, PID 2624
    Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[28] C:\Windows\SysWOW64\Jiikak32.exe, command line C:\Windows\system32\Jiikak32.exe, PID 4044
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[29] C:\Windows\SysWOW64\Kpccnefa.exe, command line C:\Windows\system32\Kpccnefa.exe, PID 820
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[30] C:\Windows\SysWOW64\Kbapjafe.exe, command line C:\Windows\system32\Kbapjafe.exe, PID 2848
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[31] C:\Windows\SysWOW64\Kkihknfg.exe, command line C:\Windows\system32\Kkihknfg.exe, PID 3464
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[32] C:\Windows\SysWOW64\Kpepcedo.exe, command line C:\Windows\system32\Kpepcedo.exe, PID 1032
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[33] C:\Windows\SysWOW64\Kkkdan32.exe, command line C:\Windows\system32\Kkkdan32.exe, PID 2464
    Signatures: Executes dropped EXE
[34] C:\Windows\SysWOW64\Kaemnhla.exe, command line C:\Windows\system32\Kaemnhla.exe, PID 1724
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[35] C:\Windows\SysWOW64\Kbfiep32.exe, command line C:\Windows\system32\Kbfiep32.exe, PID 5088
    Signatures: Executes dropped EXE; Drops file in System32 directory
[36] C:\Windows\SysWOW64\Kipabjil.exe, command line C:\Windows\system32\Kipabjil.exe, PID 4308
    Signatures: Executes dropped EXE; Drops file in System32 directory
[37] C:\Windows\SysWOW64\Kagichjo.exe, command line C:\Windows\system32\Kagichjo.exe, PID 3700
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
[38] C:\Windows\SysWOW64\Kdffocib.exe, command line C:\Windows\system32\Kdffocib.exe, PID 716
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
[39] C:\Windows\SysWOW64\Kgdbkohf.exe, command line C:\Windows\system32\Kgdbkohf.exe, PID 3704
    Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[40] C:\Windows\SysWOW64\Kmnjhioc.exe, command line C:\Windows\system32\Kmnjhioc.exe, PID 1912
    Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[41] C:\Windows\SysWOW64\Kajfig32.exe, command line C:\Windows\system32\Kajfig32.exe, PID 5112
    Signatures: Executes dropped EXE; Modifies registry class
[42] C:\Windows\SysWOW64\Kdhbec32.exe, command line C:\Windows\system32\Kdhbec32.exe, PID 1520
    Signatures: Executes dropped EXE
[43] C:\Windows\SysWOW64\Kkbkamnl.exe, command line C:\Windows\system32\Kkbkamnl.exe, PID 2908
    Signatures: Executes dropped EXE; Drops file in System32 directory
[44] C:\Windows\SysWOW64\Lmqgnhmp.exe, command line C:\Windows\system32\Lmqgnhmp.exe, PID 2504
    Signatures: Executes dropped EXE; Drops file in System32 directory
[45] C:\Windows\SysWOW64\Ldkojb32.exe, command line C:\Windows\system32\Ldkojb32.exe, PID 3220
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[46] C:\Windows\SysWOW64\Lcmofolg.exe, command line C:\Windows\system32\Lcmofolg.exe, PID 2368
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[47] C:\Windows\SysWOW64\Lkdggmlj.exe, command line C:\Windows\system32\Lkdggmlj.exe, PID 1312
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
[48] C:\Windows\SysWOW64\Lmccchkn.exe, command line C:\Windows\system32\Lmccchkn.exe, PID 2492
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[49] C:\Windows\SysWOW64\Ldmlpbbj.exe, command line C:\Windows\system32\Ldmlpbbj.exe, PID 4536
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[50] C:\Windows\SysWOW64\Lgkhlnbn.exe, command line C:\Windows\system32\Lgkhlnbn.exe, PID 4136
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[51] C:\Windows\SysWOW64\Lkgdml32.exe, command line C:\Windows\system32\Lkgdml32.exe, PID 1476
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
[52] C:\Windows\SysWOW64\Laalifad.exe, command line C:\Windows\system32\Laalifad.exe, PID 2552
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
[53] C:\Windows\SysWOW64\Ldohebqh.exe, command line C:\Windows\system32\Ldohebqh.exe, PID 4444
    Signatures: Executes dropped EXE; Drops file in System32 directory
[54] C:\Windows\SysWOW64\Lilanioo.exe, command line C:\Windows\system32\Lilanioo.exe, PID 3528
    Signatures: Executes dropped EXE; Drops file in System32 directory
[55] C:\Windows\SysWOW64\Laciofpa.exe, command line C:\Windows\system32\Laciofpa.exe, PID 4196
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[56] C:\Windows\SysWOW64\Lcdegnep.exe, command line C:\Windows\system32\Lcdegnep.exe, PID 1844
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
[57] C:\Windows\SysWOW64\Lklnhlfb.exe, command line C:\Windows\system32\Lklnhlfb.exe, PID 1864
    Signatures: Executes dropped EXE; Drops file in System32 directory
[58] C:\Windows\SysWOW64\Lnjjdgee.exe, command line C:\Windows\system32\Lnjjdgee.exe, PID 4812
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
[59] C:\Windows\SysWOW64\Lphfpbdi.exe, command line C:\Windows\system32\Lphfpbdi.exe, PID 4612
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
[60] C:\Windows\SysWOW64\Lgbnmm32.exe, command line C:\Windows\system32\Lgbnmm32.exe, PID 4916
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[61] C:\Windows\SysWOW64\Mnlfigcc.exe, command line C:\Windows\system32\Mnlfigcc.exe, PID 4872
    Signatures: Executes dropped EXE
[62] C:\Windows\SysWOW64\Mdfofakp.exe, command line C:\Windows\system32\Mdfofakp.exe, PID 492
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[63] C:\Windows\SysWOW64\Mkpgck32.exe, command line C:\Windows\system32\Mkpgck32.exe, PID 4820
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
[64] C:\Windows\SysWOW64\Mnocof32.exe, command line C:\Windows\system32\Mnocof32.exe, PID 4376
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[65] C:\Windows\SysWOW64\Mpmokb32.exe, command line C:\Windows\system32\Mpmokb32.exe, PID 4328
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
[66] C:\Windows\SysWOW64\Mcklgm32.exe, command line C:\Windows\system32\Mcklgm32.exe, PID 4360
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[67] C:\Windows\SysWOW64\Mkbchk32.exe, command line C:\Windows\system32\Mkbchk32.exe, PID 3496
[68] C:\Windows\SysWOW64\Mnapdf32.exe, command line C:\Windows\system32\Mnapdf32.exe, PID 4384
    Signatures: Modifies registry class
[69] C:\Windows\SysWOW64\Mdkhapfj.exe, command line C:\Windows\system32\Mdkhapfj.exe, PID 2816
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[70] C:\Windows\SysWOW64\Mgidml32.exe, command line C:\Windows\system32\Mgidml32.exe, PID 3228
    Signatures: Drops file in System32 directory; Modifies registry class
[71] C:\Windows\SysWOW64\Mjhqjg32.exe, command line C:\Windows\system32\Mjhqjg32.exe, PID 3320
    Signatures: Drops file in System32 directory
[72] C:\Windows\SysWOW64\Maohkd32.exe, command line C:\Windows\system32\Maohkd32.exe, PID 4064
    Signatures: Modifies registry class
[73] C:\Windows\SysWOW64\Mcpebmkb.exe, command line C:\Windows\system32\Mcpebmkb.exe, PID 980
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
[74] C:\Windows\SysWOW64\Mjjmog32.exe, command line C:\Windows\system32\Mjjmog32.exe, PID 2276
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
[75] C:\Windows\SysWOW64\Maaepd32.exe, command line C:\Windows\system32\Maaepd32.exe, PID 3004
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[76] C:\Windows\SysWOW64\Mdpalp32.exe, command line C:\Windows\system32\Mdpalp32.exe, PID 4748
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[77] C:\Windows\SysWOW64\Nkjjij32.exe, command line C:\Windows\system32\Nkjjij32.exe, PID 2396
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[78] C:\Windows\SysWOW64\Nnhfee32.exe, command line C:\Windows\system32\Nnhfee32.exe, PID 3380
    Signatures: Drops file in System32 directory
[79] C:\Windows\SysWOW64\Nceonl32.exe, command line C:\Windows\system32\Nceonl32.exe, PID 2372
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[80] C:\Windows\SysWOW64\Nklfoi32.exe, command line C:\Windows\system32\Nklfoi32.exe, PID 2300
    Signatures: Drops file in System32 directory; Modifies registry class
[81] C:\Windows\SysWOW64\Nnjbke32.exe, command line C:\Windows\system32\Nnjbke32.exe, PID 1888
    Signatures: Modifies registry class
[82] C:\Windows\SysWOW64\Nddkgonp.exe, command line C:\Windows\system32\Nddkgonp.exe, PID 32
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[83] C:\Windows\SysWOW64\Njacpf32.exe, command line C:\Windows\system32\Njacpf32.exe, PID 2520
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
[84] C:\Windows\SysWOW64\Nnmopdep.exe, command line C:\Windows\system32\Nnmopdep.exe, PID 4464
    Signatures: Drops file in System32 directory
[85] C:\Windows\SysWOW64\Nqklmpdd.exe, command line C:\Windows\system32\Nqklmpdd.exe, PID 3392
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
[86] C:\Windows\SysWOW64\Ngedij32.exe, command line C:\Windows\system32\Ngedij32.exe, PID 4348
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
[87] C:\Windows\SysWOW64\Njcpee32.exe, command line C:\Windows\system32\Njcpee32.exe, PID 1076
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[88] C:\Windows\SysWOW64\Ndidbn32.exe, command line C:\Windows\system32\Ndidbn32.exe, PID 2128
    Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[89] C:\Windows\SysWOW64\Ncldnkae.exe, command line C:\Windows\system32\Ncldnkae.exe, PID 4700
    Signatures: Drops file in System32 directory; Modifies registry class
[90] C:\Windows\SysWOW64\Nkcmohbg.exe, command line C:\Windows\system32\Nkcmohbg.exe, PID 2064
[91] C:\Windows\SysWOW64\WerFault.exe, command line C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 400, PID 3060
    Signatures: Program crash
[1] C:\Windows\SysWOW64\WerFault.exe, command line C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2064 -ip 2064, PID 2420
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 177KB
MD5 c61044aafd9c869b80b2b4b0369c504e
SHA1 e240c1a4255deb9b43c09c364c5e9070f2d9e096
SHA256 ef2ca77f80cd51afa2c166b4e06f8040bf99e558ec2d9fea25328eb4e384e259
SHA512 347900e4d47a7c7e2f0cdd8a45f8e2dc3bbdb507133ee5a19153ff6b19d53f05b31ea4c8e5a3f84aa728eb3a2b9180cf176cec05e75ef9a71ca124f0311a7005
-
Filesize 177KB
MD5 56b46ab45ca9967eb846538966e2b6e8
SHA1 90187b984157f0d8c991485a00a48406c8733402
SHA256 2d34b2e9b44846f80c230cdee0649203af7ea9e51a0bdaa1543ef8900213c4b1
SHA512 50072601aeea3cd0b8c4b44d3faadc06b2cb5c1a3bf623114ac28fd0f0da4baec851fea1cbd4fdfdc634e6d02904c2468befc950dfcda7c3d5f127cc63c3c665
-
Filesize 177KB
MD5 69b206b75920f7c2ef9b17defbdc1bb4
SHA1 e8cf216d0656d95b1abb6a8b27d366f2a154cd0f
SHA256 c4e2f6c9e4ec3db9420cbfc3887c1265dbdcb027f7dc2f7db10ada08bc4f4bdf
SHA512 a234ee7aea613b5d84fcba0c46830a8af005b077a4ad406e04ffc9bd4da2fe0251a9b5b628e43af3c37ddd61c5be18786f72be9acd32c7f30b412169866260f5
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize 177KB
MD5 3601c45e08560f0d009b7191ea95c011
SHA1 053e8d544124f9dc027fc921ca686029eab51f98
SHA256 62d0b04f58ace87b70aec18cb55a948170e34793d4164a8a1edf0d6368e4495f
SHA512 2349fb877fa40da3e397e95c4fdec59605f108f82d5867fed7445a7818e09b5281857216f3076334e81ee17d56aeb72edfa4e02db20d70bb7acef822b676c31b
-
Filesize 177KB
MD5 04f401464c9c566f6edc3984c6fa69b2
SHA1 9b878e074931557183a932753b7c0c5ea322c19f
SHA256 e59ba12202afc9158d59cbb4a771219c78dc4e3b3dad2e2274614a238453f8c5
SHA512 e681ae15c298a1c3aabbf93ce4d30587522f1da00701c4e511e91d5e6a8a1ace7554acf5715817bbfd9471c4476c8495c47e82872db16e76eb77625a34e94d38
-
Filesize 177KB
MD5 90cb98e5457699213ed439a1085e4194
SHA1 61bfbe955f96792a965f75ed047b9fcdacdfa58c
SHA256 925a37d51910a25c0ef4159cf441bda2aaa6e8c79197de4f2310911f34c6bd83
SHA512 cd0701540b4525258aeef6823b8514be5bcfd720b9592b801a88e81f16934e6fb72640a3c02a47ca5ef76ed46436357525222bb1831824be083a98900405f593
-
Filesize 177KB
MD5 cdd2119ab5edac9f51bbdf666750b0dd
SHA1 e80ceb62bf7cd0d64c6b25e2afbd08d073194f52
SHA256 83f6b7b30ad531d4ddf685ff772609f4060be910eda27bf562ef56bc7d576111
SHA512 3bdf41fc756326f1b45a118ff37ce79f3516cc280abb11d7cc07e8d452739cb408b737aa6b396546033d757a60704cb8f0992292e3045cc6b8adff24180e1e06
-
Filesize 177KB
MD5 e60ef04ff5442bbabfeafa2c3ffb81c4
SHA1 24a2c75f945322d91a0946e1eed67537dd383de1
SHA256 a37ca11e4fbd9a37d05641f5609308d0dd43797b90cec1b1ddb4e6926eea2e9d
SHA512 5d3390dc41e193ed62e3c6b8ba0933fef33ffa61754b42c01b62d34d4f82b8481e997d88e42ae590568a04c03e1f2ece8a29bf063d2d8ef11291589b76a9dda8
-
Filesize 177KB
MD5 8d2e83525fe01d56bc887d4476809499
SHA1 d64cbd67a10b8a307b14ef2d0fbbc59f99b2c0b9
SHA256 b393dae54cc5198dc4bca44031449f0cd882678a750ad5a5a11f257e90b53761
SHA512 5fecaa660e3f5275225624d9e8236cda8e8b92f067fea9303f0be6802700d851d5f9032b00d30d875b117c17facde7509ab3bc46adb0c97faa55b5a09dd49caa
-
Filesize 177KB
MD5 9586517f559e2e46c62c60d85332c8f5
SHA1 68f6fe5089bd264b8711337c95488f5b2834b038
SHA256 13be25961b50498802ee4848889e614bd8d5402cae78f8046554874152241991
SHA512 b18363ab9199d29c7a56c23256f973ff3ab939b60b36ff38d4895c79092125558718760c399549d28c4916aaa626fa41a0d8eed939856c5a7cbaec1073274053
-
Filesize 177KB
MD5 a21012f449128331ea4a988e64a73f2f
SHA1 abe6dc08a3b34e81f798dba94d2865dca68255dd
SHA256 c4d64477293a0427b7a93a3ee38154d530c675287f4f3c7f7f14ab6044371bc1
SHA512 47ce81bd43c7f77415145f417aa36dd4609cd09302dc58ea71bdcef5e002d7e7e9e4556b6485029de833c9daae1fdbb57f74ed9e15b56d3e54617f655aeaf165
-
Filesize 177KB
MD5 182cb75a6c5b916c339f1b9fb2792b64
SHA1 ea8e3a3a924e92f4500228e6a3dd75da80c080bb
SHA256 53d8e744d034879580176061583bee3fbb68777e465c04fd4c454e4d93b61a3d
SHA512 6df4c90c39657bc659aecdd7fb08fa88026bddae0548c52d8a468154d5d0bfa99d27badb206ac36b8cbdd52f8e021b9a7391a53251e4d42cb3cd7f86d92705f6
-
Filesize 177KB
MD5 9f80298a423e11f323849f53e7cb0dc7
SHA1 2b8f94f5f82fb5e0b3485e9e391a6070cc4fcefc
SHA256 ce6c58b72828cea985028b8e5f771ff376a0f77dabffb456a0f49f651c6b4a85
SHA512 c6492b5a06a606c374e9794e8ecf27d6d12b96b100ea5116a27dabb8f68754c036274aed6f8264e1eac143759c4a609a3f383c25596f40ed3a3233d167a84fd6
-
Filesize 177KB
MD5 f92b803000fc2707ddd703080168ba08
SHA1 1a04370913a0ef7c643f30d08db72dee1bdf89e6
SHA256 96dcedd41dca8d2177740a433120ee0e8952e07118c9a45dad4dc74f0f95cc31
SHA512 84d00d9e35e01f886befde947d5d54e664f5ca145394eb411d5a893c69fa40dac4687a542db889a7df4c130c5aa9c30696d6d9f85fd59414bfbf90a8c6ca2a1b
-
Filesize 177KB
MD5 6362397cc502aefd16f44bb7e146323b
SHA1 22b52f033e59ffdc3116cb05d1b0ccfb947f359b
SHA256 1dedced773b8403832099b69d8aa0e91da3c51241b3bdb78c61323cb8e6601e8
SHA512 c5e308e6c72eec1cb909ef04221bbbae4fb0ce445c8b1b9d31e00fdc09892fe0b24b22ea10a18238cfb7b1d13f3619ebcf861ba54c0c62f30e1fba618e1d0689
-
Filesize 177KB
MD5 3eef5bf7c26b56b2908ee7197bc430bb
SHA1 acfb9121065da9d19005f69e701f35e907df0a5c
SHA256 4d41764d58bc40ca322f6f9da1f288fb8d3c7c1c326ede86d421250b00c9479f
SHA512 b9389ad95e741a7f8ff60e98c1a2800f9407bf4dd075484982bab62e78f77db117baf7c2525b46ae509dfe40567ae53ba9537379118703ac14bfb1b878044117
-
Filesize 177KB
MD5 03dde97aadb090d6f22d6e957553d57e
SHA1 b34f4707cd91e6dd3c66d9998f95345a437ffffc
SHA256 b6cbaa91da6b9fa560328bbe8582dfe666fb65c3ffbf5bfba78f0b09a4443a85
SHA512 6fa89c0c3ad989cd3af701284a8e22d08ff0927b8602638520575506eef986e87b31ca4286be4a47a8738731b1f4bf7f4b3ab237fd47fdd14888424acff03d69
-
Filesize 177KB
MD5 4e9b54604f20ef162315a743e87fd8c4
SHA1 6708bdb3d735a4809fc3220e2f4a2b00b05998ce
SHA256 97d1b92104dd3a74a83cc2d518640db1b8b1c8f1d567fae42996bc6eb7f0f648
SHA512 c215d7b2f5c4b149ef8ab2056f01e6ab13904f6a00b872ca76404bbc4d14b952133bd77a520ccb0e4239cdf3a76c005cd3b5bf4942525bd81c0b969b7ddef99a
-
Filesize 177KB
MD5 260e3b1f265e5e7caeb6c0ee4b72d091
SHA1 4f607e9eab304bffd1f8d6017eb55bc22bf7113c
SHA256 77a1ba241cf1f60876f8846395d230f96ec604a3df4d84ba6fdf2b2e1e88fce9
SHA512 9df0b91589122a479fe848dacd69369c9a609260958954fa26464c4d86a096949a25911ff9a414fd3b472c92787e51669eb5bf84f9e978d53de8354b53e55b52
-
Filesize 177KB
MD5 612a7f6206307d0d2a26d3b4ae48fead
SHA1 06493789f9e27fc3589fe7440ed10e9c3e896168
SHA256 2b163f1382d57810eaa76ed41e31803e17bdc30b21ee7ce0a8aed6fe3c0d0cc0
SHA512 d387d3a2df55603875e4bd1404eb2c58d3fd1dc4070f77bf41eb20f071d64c5b24118517736fb35b340dc745026885197f7a08826e5ffa8a1bd1f0b05c97f5e9
-
Filesize 177KB
MD5 ee2b8fa854b033d2998755924f5fcc08
SHA1 df0fbf13359d18de78a4c513c1d2bd2435d5c13f
SHA256 1ee5ffbacef4f7178c63464de9aaae8c66f706daeb9d1cc0e121a257f4a973e7
SHA512 4f31591c9ff1b73a9bd5330b8b6bc9be20618633c9472a56dab83c83375ecdfb6b9dd0afcb6e77f8ff6cdb5b087411916dfa21aa2bcde76b53afe2348085135c
-
Filesize 177KB
MD5 219d2e302af59dc33e117c8ca67758d1
SHA1 863fd8b64a1e4a92b0b66eb564bb0c3575c8ebb1
SHA256 220f8e30f56ee0f47bee11fb6dcbb1e1d2b0aae21d1d9f56b2a1634b8eb9d712
SHA512 db1abbda13304a50cf0ee203d25919582306371b811ed48a674728dbbce0f1c06c6cfb94a0b48b8918e90df4e94b76e9ce5887acb3c839636a2db23e36832e1c
-
Filesize 177KB
MD5 23d56ea7ed3e0bc8a84377f6acadc15b
SHA1 9a2602bd6fbd2aaa3bfd50f375167f685b82ebfa
SHA256 9e145a286db055d48aa6ebbb156015ed1038a2ddc6bd8836395cc46899befd6c
SHA512 72f3e05b8ad3702a893745a82733ff6bee67b9a116f1d2505b2df8c4276de3669e878c4ed0c03145c4ac4157179bcec02473aff797e542e0813baefc8ac28dee
-
Filesize 177KB
MD5 c1f6443b7512583ec00ef3cbda692e11
SHA1 7fc3a1690a7eb92b75355a72d8ee7508f7014382
SHA256 be39fee7930157aea2ff4dc911218242d4513e36cd06bf1e3f7cdd021d3a74d9
SHA512 0e0d2361a20f49f336c310f81b192a86bcb6cc76258c707396c5ab91cd41ae219bc3c776997e9c866ccc98319f3ea8fcaad3c94d8e468221d64c40dc5686dc7b
-
Filesize 177KB
MD5 fca0ea8dbc1076f2c2c30e1da97db6aa
SHA1 1e97b5a9d2ce017165a6d135825145a17b1c60cc
SHA256 3ac31546fe02547b7c69e6176e4df11ac65ac845812bef82bd05121c26f37ab7
SHA512 986a5d3b7e0992d4329ac34d1cfcbecb4ba460d6e868ad5ff742acb4ef2d5d89859437cff636b26e5517704c3d76539d696dddb017255473a54c77cb2fe078a6
-
Filesize 177KB
MD5 8baa0c48743e3088f58bc3cfc1a90a14
SHA1 5bef98ed6000c45ec38b678d7d619bbcb5d529e4
SHA256 0895c8502002427c64f67d1d5f20729b72a6231a02df93b42e6a2847aa4e29c8
SHA512 965e18680902182875f7c2b7c6ad6220a4366e7d710121222f821977edff61bca16d0d124bc7df11231ad8bea1ac57d4150f0bcd0ec4fd5ab7ca9fa812f3865e
-
Filesize 177KB
MD5 0076f751ea7d5a71b460ca04c27d83ff
SHA1 c42cc0fd6c014772a02f7b5b12d3ea48bbdc3fcf
SHA256 033449ee232f8b3f1edfab42c49d538c18e972ea107bff930774f2253e77622b
SHA512 d48b960251b37d90381969930908d7bff23955a5202c51950131060a3594619dc7f5b536b7085e5a5c795d37a022f698225b7811c7828952b49b6b18604a6f18
-
Filesize 177KB
MD5 7eaa3f964ad77d372028ed73abab93ff
SHA1 584b179d7e0b38a085002b21e303b997a2db7ab3
SHA256 520bb9f2ddd4135c73ece7dcdb33ce3742cce246728049ab5c88938999b945cc
SHA512 4bcca2ba1529889c60e725f361b27f3f859149323635c27e2c086c40b72347dceb3b53c21f7f56c564ee504867283fd579b56bd5d7ab64940957a1e81ecf71d3
-
Filesize 177KB
MD5 d85727ae83dd22ac99472d5afa9c5703
SHA1 9fdf8f3bc2a36465d511c400d66c735b29a10858
SHA256 f7a3953e7f831e8675f712354e786d4489e5428bdc0e308893a3a4f72f51278e
SHA512 e87b6cc362d220d5a672fd66cf35f9090a8948014116c8fcb802505df4b645ea49692c7022ec6504d36d541a6f47c0ebe1ace266823ad426e322fe964d604f76
-
Filesize 177KB
MD5 6d9d8a8411c7e7a80b153cb642836a89
SHA1 8be909c7e585040fc15643f5f88a821ba686fd44
SHA256 b148e985a3f9c34210dcf050aa1c4c420e93843add8f02c72ad4997ae924d441
SHA512 382ed515ac0ef2bf33aa91a93da22a1212cdaa7f8e4111329187a1dad48f10085cfbf3673cb8c43d3ec39e65f37abd40b71ec22d5d81410dddbb02e6b922d8aa
-
Filesize 177KB
MD5 4f24713165a614747160143b3fa9d581
SHA1 a562bfb44b963fa7521e265364b256ae8e60f61d
SHA256 70af42bdd8ca261859ad4d2fb3b52a7e87c8b5a006942ac354c54718158dc297
SHA512 13bf2b43910c7b0975380e6deeb74bd595740116694ff717c2df1e51e69377dd61b36f1607c4ecd75baf3891c26c3258529cbc35ee04cf4753d75a27a9b11ec9
-
Filesize 177KB
MD5 8f7e400d5131e5483d5e255493601e8d
SHA1 2626d66d9b3a13ab23e7460c9e74e713aa1a1a10
SHA256 78a1c83e9189a89c3a4d6ad2e9d020a72374239cac7fed24f54ba321d3fc8fa2
SHA512 298c49401dc7fe3f66b36d52a5169a7b14e35011a44209e85975ce73a34a4827fd3928f8871c448baee1966f93d7244c1546b775d6eb61c77c5b6d39057b75c7
-
Filesize 177KB
MD5 cb822e5b76526e7a413a2e236df5904f
SHA1 6da4568f221d34fd06b628e6d009c901b352fbf4
SHA256 38b07d052ff9e4e59b0448747afbda475e8c74a95e8b0a9853aaa0a6f2f0e656
SHA512 f335fd9698342e117ea4140af78455f7a9057abeb094e822b77b956da34f0df64af90b3c96a8f7efb7a1ded428f6c4e678d5c20f76b26b10ae4c554e81ae5719
-
Filesize 177KB
MD5 8d718d57a8e56d45cf5db1e977087294
SHA1 d3639bf88a91522c23b4dacbce38750e063c3308
SHA256 b796a6edea207682c63c74cbcf7fc2256c3ecdc35d8695d955621524632f4ca2
SHA512 f11cbde3043e1544364bf2353f2086fa83b71df406e0558405bee1faa2cdc2e61bd408a02a6efcafe12773bf5324a077316a7593ef5937cb88437c41f7a6e0d7
-
Filesize 177KB
MD5 2b6cee5fc59ee2e4eecf806184194df8
SHA1 a89ae9d16dcd4530666a0ca680e4188acac4fe2e
SHA256 24e5f267b0cbe53c53a87159617b4552b8a80dfc2db3a21027b7982bbbf34e17
SHA512 0b3a430dd35c2aea24f040b63fc05c87f9b934d5e4253c6c9b6fd3873f56890282497dd202dbe9140f79ef66b8046cb6ee9e8c11f983b53a730b06b4705f248b