Analysis

max time kernel: 140s
max time network: 110s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2024 00:22

Behavioral task: behavioral1
Sample: 12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: 12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General

Target: 12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe
Size: 844KB
MD5: 12c8ab088c0a5626aa61cd1d662acae0
SHA1: 0c4d8145caebc2638fde29321b0999cf4a5ba9a6
SHA256: 3ce0c6860a5b9ec98829dbf79b84c7d253562bdb3c2bfad220ac0fc927c49ce7
SHA512: 62bc0ee49e2da5e4729c2e11c88cccc3f321a8f262cc9309fb0493357c6e6981d1a7f30731f0596a183fad79254c89d121ffa6a508fdb26c183ac717894ae533
SSDEEP: 24576:J2ODH5W3TnbQihMpQnqrdX72LbY6x46uR/qYglMi:3DH5W3TbQihw+cdX2x46uhqllMi

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Processes: Jdjfcecp.exe, Kgphpo32.exe, Mpolqa32.exe, 12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe, Hpgkkioa.exe, Jfhbppbc.exe, Maohkd32.exe, Nqklmpdd.exe, Ijdeiaio.exe, Jmnaakne.exe, Kbfiep32.exe, Kgdbkohf.exe, Lalcng32.exe, Nacbfdao.exe, Hpbaqj32.exe, Ipqnahgf.exe, Ifopiajn.exe, Njogjfoj.exe, Iabgaklg.exe, Jbfpobpb.exe, Lcpllo32.exe, Kkkdan32.exe, Liekmj32.exe, Mjhqjg32.exe, Ngedij32.exe, Icljbg32.exe, Jmpngk32.exe, Lnepih32.exe, Lpfijcfl.exe, Mpmokb32.exe, Njcpee32.exe, Jjbako32.exe, Jaljgidl.exe, Jjmhppqd.exe, Lcdegnep.exe, Ifmcdblq.exe, Kaqcbi32.exe, Kbapjafe.exe, Nbkhfc32.exe, Hmmhjm32.exe, Impepm32.exe, Jaimbj32.exe, Hbanme32.exe, Imihfl32.exe, Jdemhe32.exe, Mjeddggd.exe, Lgkhlnbn.exe, Kdffocib.exe, Lphfpbdi.exe, Mgidml32.exe, Nklfoi32.exe, Ndghmo32.exe, Jjpeepnb.exe, Jbkjjblm.exe, Jfdida32.exe, Jkdnpo32.exe

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jdjfcecp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kgphpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mpolqa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpgkkioa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfhbppbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Maohkd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqklmpdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ijdeiaio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jmnaakne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kbfiep32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgdbkohf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lalcng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nacbfdao.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpbaqj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ipqnahgf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifopiajn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Njogjfoj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijdeiaio.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iabgaklg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jbfpobpb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgphpo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcpllo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkkdan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Liekmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjhqjg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngedij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Icljbg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmpngk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lnepih32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpfijcfl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpmokb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Njcpee32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjbako32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jaljgidl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjmhppqd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcdegnep.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifmcdblq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kaqcbi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbapjafe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nqklmpdd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbkhfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hmmhjm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Impepm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jaimbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kbapjafe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Maohkd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbanme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Imihfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jdemhe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjeddggd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lgkhlnbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kdffocib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lphfpbdi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgidml32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nklfoi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndghmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ndghmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jjpeepnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jbkjjblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jjmhppqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjeddggd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jfdida32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkdnpo32.exe
Malware Dropper & Backdoor - Berbew (32 IoCs)

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

resource | yara_rule
C:\Windows\SysWOW64\Hpbaqj32.exe | family_berbew
C:\Windows\SysWOW64\Hbanme32.exe | family_berbew
C:\Windows\SysWOW64\Hpgkkioa.exe | family_berbew
C:\Windows\SysWOW64\Hcedaheh.exe | family_berbew
C:\Windows\SysWOW64\Hmmhjm32.exe | family_berbew
C:\Windows\SysWOW64\Icgqggce.exe | family_berbew
C:\Windows\SysWOW64\Iffmccbi.exe | family_berbew
C:\Windows\SysWOW64\Impepm32.exe | family_berbew
C:\Windows\SysWOW64\Ibmmhdhm.exe | family_berbew
C:\Windows\SysWOW64\Icljbg32.exe | family_berbew
C:\Windows\SysWOW64\Iikopmkd.exe | family_berbew
C:\Windows\SysWOW64\Jfdida32.exe | family_berbew
C:\Windows\SysWOW64\Jdemhe32.exe | family_berbew
C:\Windows\SysWOW64\Jpjqhgol.exe | family_berbew
C:\Windows\SysWOW64\Jjmhppqd.exe | family_berbew
C:\Windows\SysWOW64\Jbfpobpb.exe | family_berbew
C:\Windows\SysWOW64\Jpgdbg32.exe | family_berbew
C:\Windows\SysWOW64\Imihfl32.exe | family_berbew
C:\Windows\SysWOW64\Ijkljp32.exe | family_berbew
C:\Windows\SysWOW64\Ifopiajn.exe | family_berbew
C:\Windows\SysWOW64\Idacmfkj.exe | family_berbew
C:\Windows\SysWOW64\Iabgaklg.exe | family_berbew
C:\Windows\SysWOW64\Ifmcdblq.exe | family_berbew
C:\Windows\SysWOW64\Idofhfmm.exe | family_berbew
C:\Windows\SysWOW64\Ipckgh32.exe | family_berbew
C:\Windows\SysWOW64\Imdnklfp.exe | family_berbew
C:\Windows\SysWOW64\Ijfboafl.exe | family_berbew
C:\Windows\SysWOW64\Ifjfnb32.exe | family_berbew
C:\Windows\SysWOW64\Ipqnahgf.exe | family_berbew
C:\Windows\SysWOW64\Iiffen32.exe | family_berbew
C:\Windows\SysWOW64\Ijdeiaio.exe | family_berbew
C:\Windows\SysWOW64\Ipnalhii.exe | family_berbew
Executes dropped EXE (64 IoCs)

Processes: Hpbaqj32.exe, Hbanme32.exe, Hpgkkioa.exe, Hcedaheh.exe, Hmmhjm32.exe, Icgqggce.exe, Iffmccbi.exe, Impepm32.exe, Ipnalhii.exe, Ibmmhdhm.exe, Ijdeiaio.exe, Iiffen32.exe, Ipqnahgf.exe, Icljbg32.exe, Ifjfnb32.exe, Ijfboafl.exe, Imdnklfp.exe, Ipckgh32.exe, Idofhfmm.exe, Ifmcdblq.exe, Iikopmkd.exe, Iabgaklg.exe, Idacmfkj.exe, Ifopiajn.exe, Ijkljp32.exe, Imihfl32.exe, Jpgdbg32.exe, Jbfpobpb.exe, Jjmhppqd.exe, Jpjqhgol.exe, Jdemhe32.exe, Jfdida32.exe, Jjpeepnb.exe, Jmnaakne.exe, Jaimbj32.exe, Jdhine32.exe, Jbkjjblm.exe, Jjbako32.exe, Jmpngk32.exe, Jaljgidl.exe, Jdjfcecp.exe, Jfhbppbc.exe, Jkdnpo32.exe, Jmbklj32.exe, Jpaghf32.exe, Jfkoeppq.exe, Jiikak32.exe, Kaqcbi32.exe, Kbapjafe.exe, Kkihknfg.exe, Kacphh32.exe, Kdaldd32.exe, Kgphpo32.exe, Kkkdan32.exe, Kaemnhla.exe, Kdcijcke.exe, Kbfiep32.exe, Kknafn32.exe, Kmlnbi32.exe, Kdffocib.exe, Kgdbkohf.exe, Kibnhjgj.exe, Kajfig32.exe, Kpmfddnf.exe

pid | process
4804 | Hpbaqj32.exe
4064 | Hbanme32.exe
1064 | Hpgkkioa.exe
4608 | Hcedaheh.exe
4544 | Hmmhjm32.exe
5104 | Icgqggce.exe
3328 | Iffmccbi.exe
4044 | Impepm32.exe
5028 | Ipnalhii.exe
5076 | Ibmmhdhm.exe
4032 | Ijdeiaio.exe
3024 | Iiffen32.exe
4868 | Ipqnahgf.exe
4688 | Icljbg32.exe
4900 | Ifjfnb32.exe
2132 | Ijfboafl.exe
4308 | Imdnklfp.exe
1140 | Ipckgh32.exe
2600 | Idofhfmm.exe
2140 | Ifmcdblq.exe
3204 | Iikopmkd.exe
388 | Iabgaklg.exe
4820 | Idacmfkj.exe
4216 | Ifopiajn.exe
1540 | Ijkljp32.exe
1688 | Imihfl32.exe
800 | Jpgdbg32.exe
2116 | Jbfpobpb.exe
3188 | Jjmhppqd.exe
4864 | Jpjqhgol.exe
3544 | Jdemhe32.exe
3872 | Jfdida32.exe
4464 | Jjpeepnb.exe
1852 | Jmnaakne.exe
3228 | Jaimbj32.exe
4376 | Jdhine32.exe
1556 | Jbkjjblm.exe
2748 | Jjbako32.exe
3340 | Jmpngk32.exe
2688 | Jaljgidl.exe
3724 | Jdjfcecp.exe
2020 | Jfhbppbc.exe
3684 | Jkdnpo32.exe
4812 | Jmbklj32.exe
4896 | Jpaghf32.exe
3472 | Jfkoeppq.exe
3788 | Jiikak32.exe
2216 | Kaqcbi32.exe
1964 | Kbapjafe.exe
3060 | Kkihknfg.exe
3984 | Kacphh32.exe
3820 | Kdaldd32.exe
2016 | Kgphpo32.exe
1060 | Kkkdan32.exe
3520 | Kaemnhla.exe
3592 | Kdcijcke.exe
2448 | Kbfiep32.exe
4516 | Kknafn32.exe
3944 | Kmlnbi32.exe
4196 | Kdffocib.exe
3152 | Kgdbkohf.exe
2112 | Kibnhjgj.exe
4296 | Kajfig32.exe
1188 | Kpmfddnf.exe
Drops file in System32 directory (64 IoCs)

Processes: Ipnalhii.exe, Jfhbppbc.exe, Jmbklj32.exe, Kibnhjgj.exe, Laopdgcg.exe, Nnmopdep.exe, Ipqnahgf.exe, Jfdida32.exe, Lklnhlfb.exe, Nqklmpdd.exe, Liekmj32.exe, Liggbi32.exe, Lkiqbl32.exe, Jbfpobpb.exe, Mpmokb32.exe, Jjpeepnb.exe, Lcgblncm.exe, Mnfipekh.exe, Nklfoi32.exe, Nddkgonp.exe, Hpgkkioa.exe, Imdnklfp.exe, Jdhine32.exe, Mkgmcjld.exe, Nbkhfc32.exe, Ijdeiaio.exe, Kdaldd32.exe, Mjcgohig.exe, Mpdelajl.exe, Jbkjjblm.exe, Kacphh32.exe, Kaemnhla.exe, Mpolqa32.exe, Mcpebmkb.exe, Hbanme32.exe, Icgqggce.exe, Iffmccbi.exe, Jpaghf32.exe, Kgphpo32.exe, Kajfig32.exe, Ldkojb32.exe, Lgkhlnbn.exe, Lnjjdgee.exe, Mnlfigcc.exe, Mpkbebbf.exe, Nceonl32.exe, Ngedij32.exe, Ijfboafl.exe, Kaqcbi32.exe, Kdffocib.exe, Lpcmec32.exe, Lknjmkdo.exe, Mjhqjg32.exe, Mgghhlhq.exe, Nacbfdao.exe, Kdcijcke.exe, Ndidbn32.exe

description | ioc | process
File created | C:\Windows\SysWOW64\Gmbkmemo.dll | Ipnalhii.exe
File created | C:\Windows\SysWOW64\Jkdnpo32.exe | Jfhbppbc.exe
File created | C:\Windows\SysWOW64\Nilhco32.dll | Jmbklj32.exe
File created | C:\Windows\SysWOW64\Lbhnnj32.dll | Kibnhjgj.exe
File created | C:\Windows\SysWOW64\Ogndib32.dll | Laopdgcg.exe
File opened for modification | C:\Windows\SysWOW64\Nqklmpdd.exe | Nnmopdep.exe
File opened for modification | C:\Windows\SysWOW64\Icljbg32.exe | Ipqnahgf.exe
File opened for modification | C:\Windows\SysWOW64\Jjpeepnb.exe | Jfdida32.exe
File opened for modification | C:\Windows\SysWOW64\Lnjjdgee.exe | Lklnhlfb.exe
File created | C:\Windows\SysWOW64\Ndghmo32.exe | Nqklmpdd.exe
File created | C:\Windows\SysWOW64\Lalcng32.exe | Liekmj32.exe
File opened for modification | C:\Windows\SysWOW64\Laopdgcg.exe | Liggbi32.exe
File created | C:\Windows\SysWOW64\Dnapla32.dll | Lkiqbl32.exe
File created | C:\Windows\SysWOW64\Jjmhppqd.exe | Jbfpobpb.exe
File opened for modification | C:\Windows\SysWOW64\Lpappc32.exe | Laopdgcg.exe
File created | C:\Windows\SysWOW64\Epmjjbbj.dll | Mpmokb32.exe
File created | C:\Windows\SysWOW64\Omfnojog.dll | Jjpeepnb.exe
File opened for modification | C:\Windows\SysWOW64\Lknjmkdo.exe | Lcgblncm.exe
File created | C:\Windows\SysWOW64\Gbbkdl32.dll | Mnfipekh.exe
File opened for modification | C:\Windows\SysWOW64\Njogjfoj.exe | Nklfoi32.exe
File created | C:\Windows\SysWOW64\Ngcgcjnc.exe | Nddkgonp.exe
File created | C:\Windows\SysWOW64\Hionfema.dll | Hpgkkioa.exe
File opened for modification | C:\Windows\SysWOW64\Ipckgh32.exe | Imdnklfp.exe
File created | C:\Windows\SysWOW64\Ibimpp32.dll | Jdhine32.exe
File opened for modification | C:\Windows\SysWOW64\Mnfipekh.exe | Mkgmcjld.exe
File created | C:\Windows\SysWOW64\Ndidbn32.exe | Nbkhfc32.exe
File created | C:\Windows\SysWOW64\Gkillp32.dll | Ijdeiaio.exe
File created | C:\Windows\SysWOW64\Nqjfoc32.dll | Kdaldd32.exe
File created | C:\Windows\SysWOW64\Mpmokb32.exe | Mjcgohig.exe
File created | C:\Windows\SysWOW64\Mcbahlip.exe | Mpdelajl.exe
File opened for modification | C:\Windows\SysWOW64\Jjbako32.exe | Jbkjjblm.exe
File opened for modification | C:\Windows\SysWOW64\Kdaldd32.exe | Kacphh32.exe
File opened for modification | C:\Windows\SysWOW64\Kdcijcke.exe | Kaemnhla.exe
File created | C:\Windows\SysWOW64\Mcnhmm32.exe | Mpolqa32.exe
File created | C:\Windows\SysWOW64\Ekipni32.dll | Mcpebmkb.exe
File opened for modification | C:\Windows\SysWOW64\Hpgkkioa.exe | Hbanme32.exe
File opened for modification | C:\Windows\SysWOW64\Iffmccbi.exe | Icgqggce.exe
File created | C:\Windows\SysWOW64\Impepm32.exe | Iffmccbi.exe
File opened for modification | C:\Windows\SysWOW64\Impepm32.exe | Iffmccbi.exe
File created | C:\Windows\SysWOW64\Mfpoqooh.dll | Jpaghf32.exe
File created | C:\Windows\SysWOW64\Kkkdan32.exe | Kgphpo32.exe
File created | C:\Windows\SysWOW64\Bnjdmn32.dll | Kajfig32.exe
File created | C:\Windows\SysWOW64\Dnkdikig.dll | Ldkojb32.exe
File opened for modification | C:\Windows\SysWOW64\Lnepih32.exe | Lgkhlnbn.exe
File opened for modification | C:\Windows\SysWOW64\Lphfpbdi.exe | Lnjjdgee.exe
File created | C:\Windows\SysWOW64\Kmdigkkd.dll | Mnlfigcc.exe
File created | C:\Windows\SysWOW64\Mgekbljc.exe | Mpkbebbf.exe
File opened for modification | C:\Windows\SysWOW64\Nklfoi32.exe | Nceonl32.exe
File created | C:\Windows\SysWOW64\Njcpee32.exe | Ngedij32.exe
File created | C:\Windows\SysWOW64\Iffmccbi.exe | Icgqggce.exe
File created | C:\Windows\SysWOW64\Imdnklfp.exe | Ijfboafl.exe
File created | C:\Windows\SysWOW64\Kbapjafe.exe | Kaqcbi32.exe
File created | C:\Windows\SysWOW64\Kgdbkohf.exe | Kdffocib.exe
File created | C:\Windows\SysWOW64\Bgcomh32.dll | Lpcmec32.exe
File created | C:\Windows\SysWOW64\Lknjmkdo.exe | Lcgblncm.exe
File created | C:\Windows\SysWOW64\Bidjkmlh.dll | Lknjmkdo.exe
File created | C:\Windows\SysWOW64\Pbcfgejn.dll | Mjhqjg32.exe
File opened for modification | C:\Windows\SysWOW64\Ngcgcjnc.exe | Nddkgonp.exe
File created | C:\Windows\SysWOW64\Ekmihm32.dll | Ijfboafl.exe
File opened for modification | C:\Windows\SysWOW64\Mjeddggd.exe | Mgghhlhq.exe
File created | C:\Windows\SysWOW64\Npckna32.dll | Nacbfdao.exe
File opened for modification | C:\Windows\SysWOW64\Ndidbn32.exe | Nbkhfc32.exe
File created | C:\Windows\SysWOW64\Ppaaagol.dll | Kdcijcke.exe
File opened for modification | C:\Windows\SysWOW64\Ncldnkae.exe | Ndidbn32.exe
Program crash (1 IoCs)

Processes: WerFault.exe

pid | pid_target | process | target process
5436 | 4780 | WerFault.exe | Nkcmohbg.exe
Modifies registry class (64 IoCs)

Processes: Mkgmcjld.exe, Njacpf32.exe, Kacphh32.exe, Lphfpbdi.exe, Ijdeiaio.exe, Mcbahlip.exe, Jmpngk32.exe, Jdjfcecp.exe, Lnhmng32.exe, Kknafn32.exe, Ifopiajn.exe, Jkdnpo32.exe, Kdaldd32.exe, Nqfbaq32.exe, Kckbqpnj.exe, Lgkhlnbn.exe, Ldkojb32.exe, Lgikfn32.exe, Jaljgidl.exe, Njogjfoj.exe, Lklnhlfb.exe, Mgghhlhq.exe, Lknjmkdo.exe, Kgphpo32.exe, Mgidml32.exe, Mjcgohig.exe, Ijfboafl.exe, Icgqggce.exe, Idacmfkj.exe, Lcpllo32.exe, Mpmokb32.exe, Mjeddggd.exe, Jfhbppbc.exe, Kpmfddnf.exe, Lgneampk.exe, Mpolqa32.exe, Ipckgh32.exe, Iikopmkd.exe, Jbkjjblm.exe, Lalcng32.exe, Mcpebmkb.exe, Ifmcdblq.exe, Kpjjod32.exe, Ndghmo32.exe, Jpaghf32.exe, Njljefql.exe, Jpjqhgol.exe, Kgdbkohf.exe, 12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe, Jjbako32.exe, Nddkgonp.exe, Kbfiep32.exe, Impepm32.exe, Iiffen32.exe, Nkjjij32.exe, Imihfl32.exe, Lnjjdgee.exe

description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mkgmcjld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Njacpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll" | Kacphh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll" | Lphfpbdi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ijdeiaio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mcbahlip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jmpngk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jdjfcecp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lnhmng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll" | Kknafn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll" | Lnhmng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ifopiajn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jdjfcecp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jkdnpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kdaldd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nqfbaq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kckbqpnj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lgkhlnbn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ldkojb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll" | Lgikfn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jaljgidl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll" | Njogjfoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lklnhlfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mgghhlhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lknjmkdo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kgphpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll" | Mgidml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll" | Mjcgohig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ijfboafl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Icgqggce.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Idacmfkj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lcpllo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lgikfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mpmokb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mjeddggd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jfhbppbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll" | Kpmfddnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lgneampk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll" | Mpolqa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ipckgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll" | Iikopmkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll" | Jbkjjblm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kpmfddnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll" | Lalcng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mcpebmkb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ifmcdblq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kpjjod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll" | Ndghmo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jpaghf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Njljefql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jpjqhgol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kgdbkohf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jjbako32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nddkgonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll" | Kbfiep32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lklnhlfb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Impepm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iiffen32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ifopiajn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll" | Nkjjij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ijdeiaio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Imihfl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lnjjdgee.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes: 12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe, Hpbaqj32.exe, Hbanme32.exe, Hpgkkioa.exe, Hcedaheh.exe, Hmmhjm32.exe, Icgqggce.exe, Iffmccbi.exe, Impepm32.exe, Ipnalhii.exe, Ibmmhdhm.exe, Ijdeiaio.exe, Iiffen32.exe, Ipqnahgf.exe, Icljbg32.exe, Ifjfnb32.exe, Ijfboafl.exe, Imdnklfp.exe, Ipckgh32.exe, Idofhfmm.exe, Ifmcdblq.exe, Iikopmkd.exe

Each row below is one "PID <source> wrote to memory of <target>" event; identical repeated events are collapsed into the Events column (64 events in total). Read top to bottom the rows form a single relay: every process writes into the child it has just started (compare the process tree below), and that child repeats the step with its own child.

Source PID  Source process                                        Target PID  Target process  Events
4980        12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe   4804        Hpbaqj32.exe    3
4804        Hpbaqj32.exe                                          4064        Hbanme32.exe    3
4064        Hbanme32.exe                                          1064        Hpgkkioa.exe    3
1064        Hpgkkioa.exe                                          4608        Hcedaheh.exe    3
4608        Hcedaheh.exe                                          4544        Hmmhjm32.exe    3
4544        Hmmhjm32.exe                                          5104        Icgqggce.exe    3
5104        Icgqggce.exe                                          3328        Iffmccbi.exe    3
3328        Iffmccbi.exe                                          4044        Impepm32.exe    3
4044        Impepm32.exe                                          5028        Ipnalhii.exe    3
5028        Ipnalhii.exe                                          5076        Ibmmhdhm.exe    3
5076        Ibmmhdhm.exe                                          4032        Ijdeiaio.exe    3
4032        Ijdeiaio.exe                                          3024        Iiffen32.exe    3
3024        Iiffen32.exe                                          4868        Ipqnahgf.exe    3
4868        Ipqnahgf.exe                                          4688        Icljbg32.exe    3
4688        Icljbg32.exe                                          4900        Ifjfnb32.exe    3
4900        Ifjfnb32.exe                                          2132        Ijfboafl.exe    3
2132        Ijfboafl.exe                                          4308        Imdnklfp.exe    3
4308        Imdnklfp.exe                                          1140        Ipckgh32.exe    3
1140        Ipckgh32.exe                                          2600        Idofhfmm.exe    3
2600        Idofhfmm.exe                                          2140        Ifmcdblq.exe    3
2140        Ifmcdblq.exe                                          3204        Iikopmkd.exe    3
3204        Iikopmkd.exe                                          388         Iabgaklg.exe    1
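Turning the WriteProcessMemory events above into a parent-to-child chain is mechanical, and worth automating when the report has dozens of them. The Python below is an added example, not code from the sandbox report or from the sample: it parses the event text in the form the sandbox emits it ("PID A wrote to memory of B A <image of A> <image of B>"), counts calls per source/target pair and walks the edges from every root to rebuild the relay. The embedded SAMPLE is an excerpt copied from the events above (the first three hops and the final hop), partly run together on one line exactly as the scraped page shows them; the full event list parses the same way.

```python
"""Rebuild a WriteProcessMemory relay chain from sandbox event text.

Added example: this is not code from the sandbox report or from the sample.
The report lists one record per WriteProcessMemory call, in the form
    PID <src> wrote to memory of <dst> <src> <image of src> <image of dst>
and repeats the record once per call. SAMPLE is an excerpt copied from the
report's own events (first three hops and the final hop).
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple

# The source PID is stated twice per record; the backreference (?P=src)
# enforces that, so a truncated or mangled record does not parse as an event.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)"
)

SAMPLE = (
    "PID 4980 wrote to memory of 4804 4980 12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe Hpbaqj32.exe "
    "PID 4980 wrote to memory of 4804 4980 12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe Hpbaqj32.exe "
    "PID 4980 wrote to memory of 4804 4980 12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe Hpbaqj32.exe\n"
    "PID 4804 wrote to memory of 4064 4804 Hpbaqj32.exe Hbanme32.exe "
    "PID 4804 wrote to memory of 4064 4804 Hpbaqj32.exe Hbanme32.exe "
    "PID 4804 wrote to memory of 4064 4804 Hpbaqj32.exe Hbanme32.exe\n"
    "PID 4064 wrote to memory of 1064 4064 Hbanme32.exe Hpgkkioa.exe\n"
    "PID 4064 wrote to memory of 1064 4064 Hbanme32.exe Hpgkkioa.exe\n"
    "PID 4064 wrote to memory of 1064 4064 Hbanme32.exe Hpgkkioa.exe\n"
    "PID 3204 wrote to memory of 388 3204 Iikopmkd.exe Iabgaklg.exe\n"
)


class Event(NamedTuple):
    src: int
    dst: int
    src_img: str
    dst_img: str


def parse_events(text: str) -> List[Event]:
    """Every WriteProcessMemory record in the text, in order of appearance.

    finditer does not care whether records sit one per line or are run
    together, which is how they arrive when the report is copied as text."""
    return [
        Event(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
        for m in EVENT_RE.finditer(text)
    ]


def edge_counts(events: List[Event]) -> Counter:
    """WriteProcessMemory calls per (source PID, target PID) pair."""
    return Counter((e.src, e.dst) for e in events)


def image_map(events: List[Event]) -> Dict[int, str]:
    """PID -> image name, taken from whichever side of a record names it."""
    imgs: Dict[int, str] = {}
    for e in events:
        imgs[e.src] = e.src_img
        imgs[e.dst] = e.dst_img
    return imgs


def build_chains(events: List[Event]) -> List[List[Tuple[int, str]]]:
    """Walk src -> dst edges from each root (a writer nobody wrote into) to
    each leaf. A self-relaying dropper gives one long linear chain; a process
    that injects into several children gives one chain per branch."""
    children: Dict[int, List[int]] = defaultdict(list)
    for e in events:
        if e.dst not in children[e.src]:
            children[e.src].append(e.dst)
    targets = {e.dst for e in events}
    imgs = image_map(events)
    chains: List[List[Tuple[int, str]]] = []

    def walk(pid: int, path: List[Tuple[int, str]]) -> None:
        path = path + [(pid, imgs[pid])]
        kids = children.get(pid, [])
        if not kids:
            chains.append(path)
        for kid in kids:
            if any(p == kid for p, _ in path):  # a cycle: stop here
                chains.append(path)
            else:
                walk(kid, path)

    for root in sorted(children):
        if root not in targets:
            walk(root, [])
    return chains


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for (src, dst), n in edge_counts(evs).items():
        print(f"{src} -> {dst}: {n} write(s)")
    for chain in build_chains(evs):
        print(" -> ".join(f"{pid} {img}" for pid, img in chain))
```

On the excerpt this yields two chains, because the middle hops are not in SAMPLE: 3204 -> 388 and 4980 -> 4804 -> 4064 -> 1064. Fed the whole event list, the same code returns the single 23-process relay shown in the table above, with three writes on every edge but the last.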
Processes

Legend for the Signatures column: A = Adds autorun key to be loaded by Explorer.exe on startup; D = Drops file in System32 directory; E = Executes dropped EXE; R = Modifies registry class; W = Suspicious use of WriteProcessMemory; C = Program crash; "-" = no signature.

Depth gives the position in the tree: a row at depth n+1 is a child of the nearest preceding row at depth n, so the submitted sample (depth 1) heads an unbroken chain 129 processes deep in which each dropped executable starts the next. Every dropped executable runs from C:\Windows\SysWOW64\ and was launched with the command line C:\Windows\system32\<name>: the 32-bit processes ask for system32 and WoW64 file-system redirection resolves that to SysWOW64. The sample itself was launched as "C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe"; the two WerFault.exe rows carry their full command lines. Note that W appears only on depths 1 to 22 (the WriteProcessMemory table above) and E on every row from depth 2 to 60 and on none after depth 66, although the rows keep being started by their predecessors: the tags are the sandbox's annotations, the chain itself is the indicator.

Depth  PID   Image                                                                                    Signatures
1      4980  C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe  A R W
2      4804  Hpbaqj32.exe                                                                             A E W
3      4064  Hbanme32.exe                                                                             A E D W
4      1064  Hpgkkioa.exe                                                                             A E D W
5      4608  Hcedaheh.exe                                                                             E W
6      4544  Hmmhjm32.exe                                                                             A E W
7      5104  Icgqggce.exe                                                                             E D R W
8      3328  Iffmccbi.exe                                                                             E D W
9      4044  Impepm32.exe                                                                             A E R W
10     5028  Ipnalhii.exe                                                                             E D W
11     5076  Ibmmhdhm.exe                                                                             E W
12     4032  Ijdeiaio.exe                                                                             A E D R W
13     3024  Iiffen32.exe                                                                             E R W
14     4868  Ipqnahgf.exe                                                                             A E D W
15     4688  Icljbg32.exe                                                                             A E W
16     4900  Ifjfnb32.exe                                                                             E W
17     2132  Ijfboafl.exe                                                                             E D R W
18     4308  Imdnklfp.exe                                                                             E D W
19     1140  Ipckgh32.exe                                                                             E R W
20     2600  Idofhfmm.exe                                                                             E W
21     2140  Ifmcdblq.exe                                                                             A E R W
22     3204  Iikopmkd.exe                                                                             E R W
23     388   Iabgaklg.exe                                                                             A E
24     4820  Idacmfkj.exe                                                                             E R
25     4216  Ifopiajn.exe                                                                             A E R
26     1540  Ijkljp32.exe                                                                             E
27     1688  Imihfl32.exe                                                                             A E R
28     800   Jpgdbg32.exe                                                                             E
29     2116  Jbfpobpb.exe                                                                             A E D
30     3188  Jjmhppqd.exe                                                                             A E
31     4864  Jpjqhgol.exe                                                                             E R
32     3544  Jdemhe32.exe                                                                             A E
33     3872  Jfdida32.exe                                                                             A E D
34     4464  Jjpeepnb.exe                                                                             A E D
35     1852  Jmnaakne.exe                                                                             A E
36     3228  Jaimbj32.exe                                                                             A E
37     4376  Jdhine32.exe                                                                             E D
38     1556  Jbkjjblm.exe                                                                             A E D R
39     2748  Jjbako32.exe                                                                             A E R
40     3340  Jmpngk32.exe                                                                             A E R
41     2688  Jaljgidl.exe                                                                             A E R
42     3724  Jdjfcecp.exe                                                                             A E R
43     2020  Jfhbppbc.exe                                                                             A E D R
44     3684  Jkdnpo32.exe                                                                             A E R
45     4812  Jmbklj32.exe                                                                             E D
46     4896  Jpaghf32.exe                                                                             E D R
47     3472  Jfkoeppq.exe                                                                             E
48     3788  Jiikak32.exe                                                                             E
49     2216  Kaqcbi32.exe                                                                             A E D
50     1964  Kbapjafe.exe                                                                             A E
51     3060  Kkihknfg.exe                                                                             E
52     3984  Kacphh32.exe                                                                             E D R
53     3820  Kdaldd32.exe                                                                             E D R
54     2016  Kgphpo32.exe                                                                             A E D R
55     1060  Kkkdan32.exe                                                                             A E
56     3520  Kaemnhla.exe                                                                             E D
57     3592  Kdcijcke.exe                                                                             E D
58     2448  Kbfiep32.exe                                                                             A E R
59     4516  Kknafn32.exe                                                                             E R
60     3944  Kmlnbi32.exe                                                                             E
61     4336  Kpjjod32.exe                                                                             R
62     4196  Kdffocib.exe                                                                             A E D
63     3152  Kgdbkohf.exe                                                                             A E R
64     2112  Kibnhjgj.exe                                                                             E D
65     4296  Kajfig32.exe                                                                             E D
66     1188  Kpmfddnf.exe                                                                             E R
67     2836  Kckbqpnj.exe                                                                             R
68     4588  Kgfoan32.exe                                                                             -
69     4668  Liekmj32.exe                                                                             A D
70     2152  Lalcng32.exe                                                                             A R
71     4700  Ldkojb32.exe                                                                             D R
72     5160  Lgikfn32.exe                                                                             R
73     5192  Liggbi32.exe                                                                             D
74     5228  Laopdgcg.exe                                                                             D
75     5264  Lpappc32.exe                                                                             -
76     5300  Lcpllo32.exe                                                                             A R
77     5336  Lgkhlnbn.exe                                                                             A D R
78     5372  Lnepih32.exe                                                                             A
79     5408  Lpcmec32.exe                                                                             D
80     5444  Ldohebqh.exe                                                                             -
81     5480  Lgneampk.exe                                                                             R
82     5516  Lkiqbl32.exe                                                                             D
83     5552  Lnhmng32.exe                                                                             R
84     5588  Lpfijcfl.exe                                                                             A
85     5624  Lcdegnep.exe                                                                             A
86     5660  Lklnhlfb.exe                                                                             D R
87     5696  Lnjjdgee.exe                                                                             D R
88     5732  Lphfpbdi.exe                                                                             A R
89     5768  Lcgblncm.exe                                                                             D
90     5804  Lknjmkdo.exe                                                                             D R
91     5840  Mnlfigcc.exe                                                                             D
92     5876  Mpkbebbf.exe                                                                             D
93     5912  Mgekbljc.exe                                                                             -
94     5948  Mjcgohig.exe                                                                             D R
95     5984  Mpmokb32.exe                                                                             A D R
96     6024  Mcklgm32.exe                                                                             -
97     6056  Mgghhlhq.exe                                                                             D R
98     6096  Mjeddggd.exe                                                                             A R
99     6128  Mnapdf32.exe                                                                             -
100    1252  Mpolqa32.exe                                                                             A D R
101    1124  Mcnhmm32.exe                                                                             -
102    4360  Mgidml32.exe                                                                             A R
103    3552  Mjhqjg32.exe                                                                             A D
104    3632  Maohkd32.exe                                                                             A
105    4816  Mcpebmkb.exe                                                                             D R
106    2108  Mkgmcjld.exe                                                                             D R
107    4348  Mnfipekh.exe                                                                             D
108    2156  Mpdelajl.exe                                                                             D
109    5184  Mcbahlip.exe                                                                             R
110    5252  Nkjjij32.exe                                                                             R
111    5320  Njljefql.exe                                                                             R
112    5384  Nacbfdao.exe                                                                             A D
113    5440  Nqfbaq32.exe                                                                             R
114    5504  Nceonl32.exe                                                                             D
115    5564  Nklfoi32.exe                                                                             A D
116    5620  Njogjfoj.exe                                                                             A R
117    5688  Nafokcol.exe                                                                             -
118    5756  Nddkgonp.exe                                                                             D R
119    5816  Ngcgcjnc.exe                                                                             -
120    5868  Njacpf32.exe                                                                             R
121    5924  Nnmopdep.exe                                                                             D
122    5980  Nqklmpdd.exe                                                                             A D
123    6048  Ndghmo32.exe                                                                             A R
124    6116  Ngedij32.exe                                                                             A D
125    4988  Njcpee32.exe                                                                             A
126    4380  Nbkhfc32.exe                                                                             A D
127    2884  Ndidbn32.exe                                                                             D
128    3676  Ncldnkae.exe                                                                             -
129    4780  Nkcmohbg.exe                                                                             -
130    5436  C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 412                                       C
1      5240  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4780 -ip 4780  (separate root)           -
Network
MITRE ATT&CK Enterprise v15
Downloads
33 files were captured: 32 of 844KB, every one with a different hash, and one of 7KB. A hash IoC taken from any one of the 844KB files will not match the others.
-
Filesize 844KB
MD5     4aeef9554ec731d7344807a476d8fe0d
SHA1    69d80c4c413d5cc43946bd383c0423dec6f7a000
SHA256  e59402af05ca379f17b552ac529a2c2df97648cc868c54859acb099020b1f946
SHA512  074dfae1459317aa52d80eb9401cea1c84a61c286f982f6d44d46aceb6077adbeb8cc005c12fc5b05ccb05ddbc2a0d16a41b0cd2c4e59be3877427d3447bd8e4
-
Filesize 844KB
MD5     86a3d800186ed94b066ceed2af112005
SHA1    dadb55d4f06e3d035e8701bbbadb199e63699c2d
SHA256  779f1d853dd57cb4e9d1c9c3046b1e592766178266ad14f470fd19b61eb6d343
SHA512  fcb7d91fa9340a216fbf7f9940859737b8c0a92650917d9e55e73783fff291680a24692d9d746ed25c5ea5b65c454ab0aaf951d827ef18fe4c0e5bc345e46823
-
Filesize 844KB
MD5     0c7e1fa52256db48a1cf764a2079559a
SHA1    3ec52d966e3390673dd069142ef0a58d58fb8cba
SHA256  7a83f7e249e3ba01e48accf6570fa5e3109b5c31a4a59ed20b629f0d67511597
SHA512  b8437a6226a611b075ef4f916d563d241fad4c8b9984b95b49ce9ba43553431cb40408c54194eac0f2531bbb4cbb1b2662565072253a619941f4bcf93f512f05
-
Filesize 844KB
MD5     d31ab713235e384f578f314a32c9512c
SHA1    00dc654eb4601bd5e4fda9cd3d360387796cafea
SHA256  0408a37dc72e4dab32e5fa6081c43cafae90444f9774876bc47081ce948bf321
SHA512  669d9d7b2911eba7e77bab4cb058c3b4183c59c771f0cca32a496e8c7c6275315e9c974f08f664f522f88f24fc5f6a6da4acd8185eee0c5aee59f3bfa6b80050
-
Filesize 844KB
MD5     ea8c2439791fa35bc55f1c7266218e2a
SHA1    d6ec420d5132071a7e925cd004bced24dcead3c3
SHA256  534f05ae51f5a62a693f2415228b8197ac8f809cb971c21ee2019655b5fafc53
SHA512  e951e2b86dd613f51df5008debb37c0dc08a66112a226cd142430e2b70f8471ea783fe584c6308ea86faa47a594b48a969d09d36fcee6453a833471e7f34c933
-
Filesize 844KB
MD5     ac215a82bf1e7e6ceccaf872a04896d7
SHA1    3ce7784ba4409db6a18f54babb3e22cad4d0ba8d
SHA256  f2565363708530fb183c9906e3e90346bdf5458c6c339c147bf9fdaa69dfa241
SHA512  bd01b8185861b0f15aabf606a3b434ed8c4225a7d57052f049442cc34eaeea2a6e3172fe739a5a9d60d6d9d5aa5809965b4dcd59d45e2c385c73d07df945bbe9
-
Filesize 844KB
MD5     3b8153604259f0170e99ff3038845c68
SHA1    f75b88599f2a812cc1fb4d2de15121011458df8d
SHA256  4bd081e9af9ca09212b3d03f1522518157d29c40da60f16e6609f84a6923c4cf
SHA512  562a3400b388ce2fb6226c024ec57d233c0f6216d06b69d99772de062b25a974efd939582228807ec1136ee05a9e990b588f6cc87fa0c60955685dbb38acff32
-
Filesize 844KB
MD5     85af1498f674e73b7853b97fe7d4328d
SHA1    c45aedcce50685ad488a036f2aeac4f4a8095198
SHA256  0045c06c44ad50a7ee9bdac443f38737c60e846216620ce81ce8b87d4273a465
SHA512  5d56a862faa9b73fbe7895ad136719ee2a7f7e6b681b91a0e100051c0d3dcc3c17709034e3adfba8c5423455fd789febe00850e6f6a7de6ed4082e8afe8440f3
-
Filesize 844KB
MD5     3b9f30a0a67c31e67fbfc2b1f4538c50
SHA1    414a84c52a018e6ac1b0f0087d1a368016bc0db3
SHA256  568c7704d64a8e3cececa946d8875eaae0e9e7458dd05fbae301d67d71969ef7
SHA512  b8e754dda0f69770e9bd457f951a69371f1392891686f996b95350bb96e8db5d28c7ea36d401ef4dcc3085a9f153608fce7a68fa3b525005d721714af5cfa43c
-
Filesize 844KB
MD5     2ffff722a85ef94b9c1a9408ae1ad1f1
SHA1    47e90a2fa76de84d00ba778835a792225718f109
SHA256  f7fbf549cb8030113df3036c094bbf223a77430ad3c2eaff6c3e9c5efc37fa40
SHA512  61e83eb028b36fc4b373d4b209b23e13ded2a98f42a112207dff6c40e75049f81d16d1abc21af08ef67ece739244aefa74b5f55c13a400b128bdaa8e5a3f5b00
-
Filesize 844KB
MD5     a7aaee2ff732410207261e296b0f6e42
SHA1    19aa12834499e189920719e54f741d2c4bbae3ec
SHA256  3fe548d57ab43fc0ebc48860b4e632101f90956d89782de8f8ad3f09a909293d
SHA512  350cca5f0a7ccecb4d541f8b5d27ef13f6853f6e98b44b2e797ee60b7c25c1ab6abced1b2e77f333cbab58515819c754bf025edd2e2901cb155c2f37bceee5d7
-
Filesize 844KB
MD5     b8e774cef46a332350cec813efd873a9
SHA1    c021c65f1e960526a9601a019223ee93c19d0f0e
SHA256  50ad93f51adb3a4d5738bd1676dc8994c5891eebd2e45cf9eacb4d2e8f924633
SHA512  eb8ee7a6f550705c6af32fe3314f35e0ed75f8a62ea28f57144ff88c2587d4acf1d79b72143aab52b8ade2e9ed2ef3dc2f382f079dcab641a56fe49decd00921
-
Filesize 844KB
MD5     5db91d343daf81966a0194ca5c542453
SHA1    f40d79743c09d5f8911fd1567617b81c14c30d2c
SHA256  247964b8f7e9049544e0d810264646bfe345507e224a5d895f010020ab5053cd
SHA512  b020653a8101fb451e4c9c1f33818b07316dee2d1bfdc0847271c997ee02d223418e2911b353bc47140f6f96aa38ac61f52929961c8435a4627c27ff0dc6d894
-
Filesize 844KB
MD5     dd46184b6bdbad02489abd10ecae6c93
SHA1    981b2c30201fc1057972e5a5e3ccaa8c6e6e04ed
SHA256  18502a0e3b70cb8b5c61634cca1ed5ccd013914bbc56e42107091e92d56a81a3
SHA512  b7a63892692892918a44ce9aa03c67cb3983a772e1f5b0d0a934518beb24429345121879b5016bf437474fa6e15a5a77e5be6da84dc1b9b3aeaf2e2702cbaf64
-
Filesize 844KB
MD5     c03d2b5b6ab58a97c4f84329e34afb46
SHA1    0b02329ea177b7357bad818e5f6ffdf00d39bb52
SHA256  c6d74be939afe6c477e20f72ef498ba31bb40c6bc94a40b2ad87fec6c3fccf98
SHA512  6fb073ff6f794886f70f656fc67a2cd81fe46c94dbc435b70f68d086a5b900a66c012da441e8c25dd6b8e113f78b975c27b152ff88be1715604db3c7c0bd7f70
-
Filesize 844KB
MD5     c7d90bb6ca2a513b7b38693c2b8f7185
SHA1    0c63a5c502e472e6ad5eba002b1ca4d4e6d90ebb
SHA256  96a1633a9099fb35176f3073633c50498a4d73957b156bf125bc9901974a64d6
SHA512  30640a15b89b47531112f04caf744883ab707722d32bd4953136296047408f56b91ced3a45e59fed243b974fc7dc400a38817d5d3d4d3c6971f4a1aa1127ba89
-
Filesize 844KB
MD5     163fc7e5973e39d6b0705ed48ee2d5b2
SHA1    a479c2fcd0a583491a29602277b3479fb459b5af
SHA256  ebd4ee403769a0e30b8017d54e328a56daec628e2213863920675273aa54eb81
SHA512  4c2209f4c11d859e99aaafa81144d5e82d3e990ecc1fbe9d953f0a6c4af559976863b7a11912a062815c1cfd7411cb80716ee859ff944cb54666ece696018901
-
Filesize 844KB
MD5     e01f1530cff0fec2483c7dd22d500f84
SHA1    17038ae365860ba8a32d3ece76fa166de1c1feb7
SHA256  71436df1a7a5cd895e669d78ba62a15ffc5f59a29c9715e5dded8700f3fc48ff
SHA512  bb4130b6df25a7ef03904e27e2ac32687c11869360d7cf5c1fb2f0166229d04c6bce301ddf25f912b09322c2e3b3805016daf29a50cd5592139a70e92c03a08a
-
Filesize 844KB
MD5     36070e9ca2b31f64c74b273e321bc9e3
SHA1    fa9c159f13179920a20c933252935d18a30886c1
SHA256  a86c4e97513f49fca1a179e1f0e0050edaa13bf58eb586fb58eaa61b82b84777
SHA512  3b8317d020905c333411d7b54e7d5bd7aee2ae58369e182ee86f7c107c6eb2e34ea82eaa5ea1855ffb5bedde78e6f91cb98cbaf05205cb474986475f6dec48ba
-
Filesize 844KB
MD5     04c007218c6007c3e0bb9a32af30c8ac
SHA1    26fa0bbc089d14903f9f4faba9d472e0f30682dc
SHA256  947a79e068787a019d3a8810e87042e21b8379659af1f392258724ab633c3298
SHA512  11cc99f3bf3c5e8c61928099a1654114adb801389a276635166f586f698f286ce057ff76ab3e98f3cd9c42407a79f161a59247f8ebffa5ab2a3eb03d4793769f
-
Filesize 844KB
MD5     95118c7345561ebbcd8dcc76e8187e18
SHA1    3293d555182b0a57239c8a5440ecaac688d69c3b
SHA256  c72484daf8acce82806ead1c6f632d71af5fab9b16917d4980a8d916720e4640
SHA512  b0e32b127328477108de255558e57d7acac11067a8784c1da4b407d5dae941f0b5290b384a92dab13cb89a9a885b71734c5478d37c411168cd4d8845d4325cfa
-
Filesize 844KB
MD5     59e53c7de773615be304abb7983ec86e
SHA1    2b5a1926290a0e07981b5dbe9e70420a5784c2d0
SHA256  a626ae13d2efc9b9561f16f2334480a277f61142dd4d1fc6436bb15df34fdb4c
SHA512  1a14f73ba754aac6b5de266fa790fdc7447e30162779b9676a5dfbc8161d8baf636c28f43c2c4a38577ac47b87815d4a31119f68d1bedb055e505e70400109b7
-
Filesize 844KB
MD5     15db1ecdc028ffb2759e368815142020
SHA1    f3c69f38c8a5fe57cde8fea1e81e86581e7ce7ef
SHA256  0b7534f978951c5b939f7233829b767bc785d550df88358498aec45d58d69e46
SHA512  031f42bdd180ccf159e2549d19d36807a0dc830e70d9f14a10a411b9ac464e7107d90db0da67df28f10c58a50eb7847ebe23b009d22952f89743d216af3c3219
-
Filesize 844KB
MD5     d6d5ff4d9b1e391d010a70a4b871829a
SHA1    f658c82f31c1ee5fc381f939227e02abb384e5ba
SHA256  39e54a62ae630f96cbc843a5b281ca11bbee237a00ec40e4a7d1e0b73425a2fc
SHA512  a1544624472c4d722116e99a44be94040837cd095975d2c740e8479a4b2533eea44680e6c0d228bbfb7f03742b3cf002290e96096d7a15fa5797ade3d4eb2eef
-
Filesize 844KB
MD5     b6cfea1dd32fc95ddeb1f237c32f31d0
SHA1    189cb6bc115bc1d8016168d504aa89eb83590828
SHA256  78ae9ddb0ea928a79e265d6987cb7a8125feaa5ee83afff193eadf7ea9a30443
SHA512  b1022bf8451bcd6c24f96b3ba04fe73c2f22575e643581d42e471e79e5ceda65a86c3dd95c4aff3885ae4c2245df118e0b071a8ad19abc418608670e0e6ca64d
-
Filesize 844KB
MD5     517aa89e6d22b95394b33f276f24494d
SHA1    61a2bc140179dc84a84e56051046c293cfcbb597
SHA256  92ae9b0d244899cf46f6557b728d4b8f90153a52721ab364c601a1f86afa13f6
SHA512  a80ef903106bb6b3560ef415de46119da10e39aa41b49114043cd69c07bdfccf84c708f83716c5dbabd740e0d9b286a6dbfce91df054b29fc8fb90381c492b13
-
Filesize 844KB
MD5     3f762938816e9168c500271ec909edd6
SHA1    9cd5803ca25d1aec108c1167f6b9158905c84766
SHA256  d14218e2dc0fde95dfe7033e639c96849bcc49b677fa9ee4de23a4e052fb185c
SHA512  446cb199076a5fbc4f47f3c9428cac838eb137d99c3140eef96631fdfb0651379990b224d1bee92da6b4fe061a47d190ba650823acbd9277bb9f7e085041dd10
-
Filesize 844KB
MD5     3bdfed7141df284dc5a61ca989623ee7
SHA1    b50cc633f6bb93df661c447c27f5a53894875c0f
SHA256  5cd9d1a5d7fd92e05bd10694615a02cc5ca09a3a2de2bf6ce8285a2a3661787b
SHA512  b6919ad2905ca37cc819efbb2c53b1bfcb3198ef4d5279845594e7bb4126933f3cc2b74fd6c6fe4594f3744607fa38431fa63cfe6f38c21a96c3b1f8e2a9df0b
-
Filesize 844KB
MD5     62c6097662d67c9697fd61badbb75869
SHA1    697546892cae116a0513759e9f3dd0e7e18e1f07
SHA256  d98efcd8a8c92f244dc48b59516bf549013f9cfdee098d9a8e419625cb5fbe88
SHA512  184f1af654d585c48d571df8e382cf62f1f0c14c79ce73f7bd700d44bcc9d06d0a2a77af983387160b7fb7cd29c7654aa2b0a06f614f2627a7b2d7d4aaf2259c
-
Filesize 844KB
MD5     d33acdcaa2eafbdce673d0e183b9a34d
SHA1    a8065d62a6cae4212732d7aa0b8b531361ba6811
SHA256  7b3859143b3026e28722f91b867d7831a50ccc73b9e1be2d8aeccbf344567679
SHA512  964cd0d97855d0476e6b82c916be2297ed3224bcc10e612177a921aa5c16b96eafd1b278494985a63dba90d233cba1b7d734673c4df2915443c22006005eb177
-
Filesize 844KB
MD5     7faa4f7efe4ea424baf0abffb02138c7
SHA1    c8738994f377c6f6f0543c6c7bef431122b7799b
SHA256  7eb666da63fc9dc8ac7ab8210ad5b27719cc0c0969dc90ea865520658b916732
SHA512  131321d3984e0b0d17584b773f905c29ab647bdfb1f045f83832d1d2b8fa38389926629b41cc4cfdc9b5c87062b4c57aedf128deed8c14d31880583a183c978c
-
Filesize 844KB
MD5     c44d3e162644e1e570a47c51d761b15d
SHA1    cbbb80542d0a12c5339c70fcd05ea9695d936d74
SHA256  8df40d1a81ca6cd380721de325052d7802a0756ac2bfdcc2e48a0ffbbeeeecc5
SHA512  e364a03feca3c8c7fcac362e2e9811fdab7a4a74c4819450d2cae1597232e8fe89048c7b372589b98407e507adb217167699a52acfdc7005906080b791303267
-
Filesize 7KB
MD5     c32584fa61d7e261ac3090deb71ec3fb
SHA1    f72e0548b5ac7fe2c0022e3f0239c1f486fab2bb
SHA256  412d1b5e573d609d1e3d6a5e8ebde82d6d8d69d8ff8570ac7d69af8c3c224d32
SHA512  cba80851dbe014a18a0b6f5c8b57638c6d60b23616462e82877ef2f949abb419769ca5913a175f924fd0ea44bf62079ae2833be6a8debba0fb5aac8c6f5bbc48