Analysis
max time kernel
138s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
02-06-2024 01:15
Behavioral task
behavioral1
Sample
1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
Target
1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe
Size
374KB
MD5
1a77d5ecd2fa27578d658e03657ab7c0
SHA1
045165a890734661a8dcd7ad8595494e1c0793fa
SHA256
bf00b789eb1689cbd7d62ec2fc02bf0dcaa0d1bd63704de9b807c91a008b2ad1
SHA512
ee15df11d3ff406ce950cfe1b1feadb56a24227a6d0ba7fda46b7299d8866d56a54237c74ccdf77d220f9736bd74b136a9375fdf01b3be83d4cf4a8fa41f21a9
SSDEEP
6144:XMgx0rCoiOxikZ+Eu6QnFw5+0pU8oStTf3runG/qoxfIkeI1SHkF63lngMBdkw8D:7To/ZE6uidyzwr6AxfLeI1Su63lgMBdQ
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Hpbaqj32.exeJdcpcf32.exeJplmmfmi.exeKkpnlm32.exeKckbqpnj.exeMpolqa32.exeNqiogp32.exeMglack32.exe1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exeHabnjm32.exeIcljbg32.exeIikopmkd.exeKagichjo.exeKcifkp32.exeKgfoan32.exeImpepm32.exeIjfboafl.exeIbagcc32.exeNjacpf32.exeNcldnkae.exeIcjmmg32.exeImbaemhc.exeJbocea32.exeKmgdgjek.exeKgphpo32.exeNjcpee32.exeLalcng32.exeHikfip32.exeIiibkn32.exeImgkql32.exeIdacmfkj.exeLiekmj32.exeKilhgk32.exeLijdhiaa.exeHcedaheh.exeIpldfi32.exeIabgaklg.exeJkdnpo32.exeJpjqhgol.exeJaljgidl.exeKmegbjgn.exeKbdmpqcb.exeKpmfddnf.exeIpckgh32.exeKgbefoji.exeIbojncfj.exeJfdida32.exeIfopiajn.exeKgmlkp32.exeIpqnahgf.exeIfmcdblq.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpbaqj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdcpcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdcpcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jplmmfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkpnlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kckbqpnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpolqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event 
Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqiogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mglack32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Habnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icljbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikopmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kagichjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcifkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgfoan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Impepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijfboafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibagcc32.exe Key 
created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckbqpnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njacpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncldnkae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icjmmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imbaemhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbocea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmgdgjek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgphpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njcpee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lalcng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hikfip32.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijfboafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iiibkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imgkql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idacmfkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liekmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kilhgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijdhiaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqiogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcedaheh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipldfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabgaklg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdnpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiibkn32.exe Key 
created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpjqhgol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaljgidl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmegbjgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbdmpqcb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kagichjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmfddnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipckgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgbefoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibojncfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfdida32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcifkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifopiajn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplmmfmi.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgphpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njcpee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgmlkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hikfip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipqnahgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifmcdblq.exe -
Malware Dropper & Backdoor - Berbew 32 IoCs
Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers. In this run the family match lines up with the persistence behaviour recorded above: a ShellServiceObjectDelayLoad value named "Web Event Logger" references CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, and that CLSID's InProcServer32 default value is pointed at DLLs dropped under C:\Windows\SysWow64 (for example Dempmq32.dll), which is how Explorer.exe comes to load the payload on startup.
Processes:
resource yara_rule C:\Windows\SysWOW64\Hpbaqj32.exe family_berbew C:\Windows\SysWOW64\Hfljmdjc.exe family_berbew C:\Windows\SysWOW64\Hikfip32.exe family_berbew C:\Windows\SysWOW64\Habnjm32.exe family_berbew C:\Windows\SysWOW64\Hccglh32.exe family_berbew C:\Windows\SysWOW64\Hcedaheh.exe family_berbew C:\Windows\SysWOW64\Ipldfi32.exe family_berbew C:\Windows\SysWOW64\Impepm32.exe family_berbew C:\Windows\SysWOW64\Ifhiib32.exe family_berbew C:\Windows\SysWOW64\Imbaemhc.exe family_berbew C:\Windows\SysWOW64\Ipqnahgf.exe family_berbew C:\Windows\SysWOW64\Icljbg32.exe family_berbew C:\Windows\SysWOW64\Ijfboafl.exe family_berbew C:\Windows\SysWOW64\Iabgaklg.exe family_berbew C:\Windows\SysWOW64\Ijkljp32.exe family_berbew C:\Windows\SysWOW64\Jfaloa32.exe family_berbew C:\Windows\SysWOW64\Jjmhppqd.exe family_berbew C:\Windows\SysWOW64\Jdcpcf32.exe family_berbew C:\Windows\SysWOW64\Jaedgjjd.exe family_berbew C:\Windows\SysWOW64\Iinlemia.exe family_berbew C:\Windows\SysWOW64\Ifopiajn.exe family_berbew C:\Windows\SysWOW64\Idacmfkj.exe family_berbew C:\Windows\SysWOW64\Imgkql32.exe family_berbew C:\Windows\SysWOW64\Iikopmkd.exe family_berbew C:\Windows\SysWOW64\Ifmcdblq.exe family_berbew C:\Windows\SysWOW64\Ibagcc32.exe family_berbew C:\Windows\SysWOW64\Ipckgh32.exe family_berbew C:\Windows\SysWOW64\Iapjlk32.exe family_berbew C:\Windows\SysWOW64\Iiibkn32.exe family_berbew C:\Windows\SysWOW64\Ibojncfj.exe family_berbew C:\Windows\SysWOW64\Icjmmg32.exe family_berbew C:\Windows\SysWOW64\Ijaida32.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Hpbaqj32.exeHfljmdjc.exeHikfip32.exeHabnjm32.exeHccglh32.exeHcedaheh.exeIpldfi32.exeIjaida32.exeImpepm32.exeIcjmmg32.exeIfhiib32.exeImbaemhc.exeIpqnahgf.exeIcljbg32.exeIbojncfj.exeIjfboafl.exeIiibkn32.exeIapjlk32.exeIpckgh32.exeIbagcc32.exeIfmcdblq.exeIikopmkd.exeImgkql32.exeIabgaklg.exeIdacmfkj.exeIfopiajn.exeIjkljp32.exeIinlemia.exeJaedgjjd.exeJdcpcf32.exeJfaloa32.exeJjmhppqd.exeJpjqhgol.exeJfdida32.exeJibeql32.exeJplmmfmi.exeJbkjjblm.exeJidbflcj.exeJaljgidl.exeJbmfoa32.exeJkdnpo32.exeJigollag.exeJangmibi.exeJpaghf32.exeJbocea32.exeJkfkfohj.exeKmegbjgn.exeKpccnefa.exeKdopod32.exeKgmlkp32.exeKilhgk32.exeKmgdgjek.exeKpepcedo.exeKbdmpqcb.exeKgphpo32.exeKkkdan32.exeKmjqmi32.exeKphmie32.exeKdcijcke.exeKgbefoji.exeKipabjil.exeKagichjo.exeKcifkp32.exeKkpnlm32.exepid process 4196 Hpbaqj32.exe 1320 Hfljmdjc.exe 2748 Hikfip32.exe 1836 Habnjm32.exe 4712 Hccglh32.exe 2644 Hcedaheh.exe 1184 Ipldfi32.exe 4024 Ijaida32.exe 5028 Impepm32.exe 3288 Icjmmg32.exe 3248 Ifhiib32.exe 4460 Imbaemhc.exe 2200 Ipqnahgf.exe 3788 Icljbg32.exe 3596 Ibojncfj.exe 1136 Ijfboafl.exe 644 Iiibkn32.exe 4908 Iapjlk32.exe 3252 Ipckgh32.exe 4952 Ibagcc32.exe 1276 Ifmcdblq.exe 4852 Iikopmkd.exe 3820 Imgkql32.exe 2152 Iabgaklg.exe 908 Idacmfkj.exe 2612 Ifopiajn.exe 4084 Ijkljp32.exe 3424 Iinlemia.exe 3600 Jaedgjjd.exe 4284 Jdcpcf32.exe 3272 Jfaloa32.exe 3000 Jjmhppqd.exe 924 Jpjqhgol.exe 2560 Jfdida32.exe 4172 Jibeql32.exe 4488 Jplmmfmi.exe 740 Jbkjjblm.exe 2056 Jidbflcj.exe 4788 Jaljgidl.exe 4912 Jbmfoa32.exe 2088 Jkdnpo32.exe 3328 Jigollag.exe 1272 Jangmibi.exe 4812 Jpaghf32.exe 3972 Jbocea32.exe 2272 Jkfkfohj.exe 4408 Kmegbjgn.exe 4604 Kpccnefa.exe 3756 Kdopod32.exe 2600 Kgmlkp32.exe 5036 Kilhgk32.exe 868 Kmgdgjek.exe 3768 Kpepcedo.exe 4344 Kbdmpqcb.exe 2156 Kgphpo32.exe 4412 Kkkdan32.exe 4528 Kmjqmi32.exe 4940 Kphmie32.exe 2740 Kdcijcke.exe 988 Kgbefoji.exe 2680 Kipabjil.exe 796 Kagichjo.exe 4964 Kcifkp32.exe 628 Kkpnlm32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Iabgaklg.exeMglack32.exeLijdhiaa.exeIapjlk32.exeJibeql32.exeJangmibi.exeKckbqpnj.exeHcedaheh.exeJbocea32.exeKgmlkp32.exeKgphpo32.exeKmjqmi32.exeIjaida32.exeImpepm32.exeJidbflcj.exeJigollag.exeLalcng32.exeLpocjdld.exeNcldnkae.exeIcljbg32.exeJbmfoa32.exeHpbaqj32.exeKilhgk32.exeJbkjjblm.exeKmgdgjek.exeKphmie32.exeIpckgh32.exeJdcpcf32.exeJfaloa32.exeNjacpf32.exeMdmegp32.exeIcjmmg32.exeNjcpee32.exe1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exeJkdnpo32.exeImgkql32.exeKkkdan32.exeJfdida32.exeJaljgidl.exeKpmfddnf.exeNgpjnkpf.exeIiibkn32.exeJpjqhgol.exeKgbefoji.exeLpappc32.exeImbaemhc.exeIbagcc32.exedescription ioc process File created C:\Windows\SysWOW64\Bpqnnk32.dll Iabgaklg.exe File opened for modification C:\Windows\SysWOW64\Ngpjnkpf.exe Mglack32.exe File created C:\Windows\SysWOW64\Mpolqa32.exe Lijdhiaa.exe File created C:\Windows\SysWOW64\Ipckgh32.exe Iapjlk32.exe File created C:\Windows\SysWOW64\Bbbjnidp.dll Jibeql32.exe File created C:\Windows\SysWOW64\Nilhco32.dll Jangmibi.exe File opened for modification C:\Windows\SysWOW64\Kgfoan32.exe Kckbqpnj.exe File created C:\Windows\SysWOW64\Ipldfi32.exe Hcedaheh.exe File created C:\Windows\SysWOW64\Jkfkfohj.exe Jbocea32.exe File opened for modification C:\Windows\SysWOW64\Jpaghf32.exe Jangmibi.exe File opened for modification C:\Windows\SysWOW64\Kilhgk32.exe Kgmlkp32.exe File opened for modification C:\Windows\SysWOW64\Kkkdan32.exe Kgphpo32.exe File created C:\Windows\SysWOW64\Kphmie32.exe Kmjqmi32.exe File created C:\Windows\SysWOW64\Impepm32.exe Ijaida32.exe File opened for modification C:\Windows\SysWOW64\Icjmmg32.exe Impepm32.exe File created C:\Windows\SysWOW64\Qekdppan.dll Jidbflcj.exe File created C:\Windows\SysWOW64\Lppaheqp.dll Jigollag.exe File created C:\Windows\SysWOW64\Jchbak32.dll Lalcng32.exe File created C:\Windows\SysWOW64\Ogndib32.dll Lpocjdld.exe File created C:\Windows\SysWOW64\Lpappc32.exe Lpocjdld.exe File created C:\Windows\SysWOW64\Hnibdpde.dll Ncldnkae.exe File created 
C:\Windows\SysWOW64\Ibojncfj.exe Icljbg32.exe File created C:\Windows\SysWOW64\Fojkiimn.dll Icljbg32.exe File opened for modification C:\Windows\SysWOW64\Jplmmfmi.exe Jibeql32.exe File created C:\Windows\SysWOW64\Qknpkqim.dll Jbmfoa32.exe File created C:\Windows\SysWOW64\Hmjdia32.dll Hpbaqj32.exe File created C:\Windows\SysWOW64\Kmgdgjek.exe Kilhgk32.exe File created C:\Windows\SysWOW64\Bekppcpp.dll Hcedaheh.exe File created C:\Windows\SysWOW64\Jidbflcj.exe Jbkjjblm.exe File created C:\Windows\SysWOW64\Ldobbkdk.dll Kmgdgjek.exe File opened for modification C:\Windows\SysWOW64\Kdcijcke.exe Kphmie32.exe File opened for modification C:\Windows\SysWOW64\Mpolqa32.exe Lijdhiaa.exe File opened for modification C:\Windows\SysWOW64\Impepm32.exe Ijaida32.exe File created C:\Windows\SysWOW64\Ibagcc32.exe Ipckgh32.exe File created C:\Windows\SysWOW64\Aajjaf32.dll Jdcpcf32.exe File opened for modification C:\Windows\SysWOW64\Jjmhppqd.exe Jfaloa32.exe File created C:\Windows\SysWOW64\Ncihikcg.exe Njacpf32.exe File created C:\Windows\SysWOW64\Oaehlf32.dll Mdmegp32.exe File created C:\Windows\SysWOW64\Mmpfpdoi.dll Ijaida32.exe File opened for modification C:\Windows\SysWOW64\Ifhiib32.exe Icjmmg32.exe File created C:\Windows\SysWOW64\Eilljncf.dll Jbocea32.exe File opened for modification C:\Windows\SysWOW64\Kpepcedo.exe Kmgdgjek.exe File opened for modification C:\Windows\SysWOW64\Nqmhbpba.exe Njcpee32.exe File created C:\Windows\SysWOW64\Inccjgbc.dll 1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Ggpfjejo.dll Jkdnpo32.exe File opened for modification C:\Windows\SysWOW64\Kphmie32.exe Kmjqmi32.exe File created C:\Windows\SysWOW64\Pkckjila.dll Njacpf32.exe File opened for modification C:\Windows\SysWOW64\Iabgaklg.exe Imgkql32.exe File opened for modification C:\Windows\SysWOW64\Jfaloa32.exe Jdcpcf32.exe File created C:\Windows\SysWOW64\Kmjqmi32.exe Kkkdan32.exe File created C:\Windows\SysWOW64\Jibeql32.exe Jfdida32.exe File created 
C:\Windows\SysWOW64\Jbmfoa32.exe Jaljgidl.exe File opened for modification C:\Windows\SysWOW64\Kckbqpnj.exe Kpmfddnf.exe File created C:\Windows\SysWOW64\Pponmema.dll Ngpjnkpf.exe File created C:\Windows\SysWOW64\Dakcla32.dll Iiibkn32.exe File created C:\Windows\SysWOW64\Jfdida32.exe Jpjqhgol.exe File created C:\Windows\SysWOW64\Bclhoo32.dll Jfdida32.exe File opened for modification C:\Windows\SysWOW64\Kmjqmi32.exe Kkkdan32.exe File opened for modification C:\Windows\SysWOW64\Kipabjil.exe Kgbefoji.exe File opened for modification C:\Windows\SysWOW64\Lijdhiaa.exe Lpappc32.exe File created C:\Windows\SysWOW64\Icjmmg32.exe Impepm32.exe File created C:\Windows\SysWOW64\Mlilmlna.dll Imbaemhc.exe File opened for modification C:\Windows\SysWOW64\Ibagcc32.exe Ipckgh32.exe File opened for modification C:\Windows\SysWOW64\Ifmcdblq.exe Ibagcc32.exe -
Program crash 1 IoCs
Processes:
WerFault.exe — pid 4988, pid_target 1264, process WerFault.exe, target process Nkcmohbg.exe -
Modifies registry class 64 IoCs
Processes:
Jdcpcf32.exeJkdnpo32.exeKpmfddnf.exeMglack32.exeKckbqpnj.exeLalcng32.exeIfhiib32.exeJidbflcj.exeKmgdgjek.exeKipabjil.exeIcjmmg32.exeMdmegp32.exeIjkljp32.exeJaljgidl.exeJangmibi.exeNjcpee32.exeNqmhbpba.exeKbdmpqcb.exeMpolqa32.exeHabnjm32.exeIbojncfj.exeIapjlk32.exeIiibkn32.exeNcihikcg.exeHccglh32.exeKphmie32.exeIjaida32.exeKpepcedo.exeNcldnkae.exeKkpnlm32.exeNgpjnkpf.exeIcljbg32.exeHikfip32.exeImgkql32.exeKmegbjgn.exeIfmcdblq.exeJkfkfohj.exeLiekmj32.exeHpbaqj32.exeIpldfi32.exeKilhgk32.exeJibeql32.exeIinlemia.exeKkkdan32.exeKgphpo32.exeImbaemhc.exeJbmfoa32.exeLpappc32.exeIfopiajn.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdcpcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkdnpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpmfddnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mglack32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kckbqpnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lalcng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifhiib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jidbflcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmgdgjek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kipabjil.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll" Icjmmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll" Mdmegp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijkljp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll" Jaljgidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jangmibi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njcpee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqmhbpba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jidbflcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbdmpqcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpolqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll" Mglack32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll" Habnjm32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibojncfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iapjlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdcpcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iiibkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncihikcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hccglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll" Kphmie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kphmie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijaida32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpepcedo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" Ncldnkae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkpnlm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngpjnkpf.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll" Icljbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll" Hikfip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll" Ibojncfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imgkql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll" Ijkljp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmegbjgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll" Ifmcdblq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imgkql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkfkfohj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll" Liekmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpbaqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipldfi32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipldfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icjmmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll" Ipldfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kilhgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdmegp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jibeql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll" Iinlemia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkkdan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgphpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll" Kkpnlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll" Imbaemhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll" Jdcpcf32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jaljgidl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbmfoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpappc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hikfip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifopiajn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exeHpbaqj32.exeHfljmdjc.exeHikfip32.exeHabnjm32.exeHccglh32.exeHcedaheh.exeIpldfi32.exeIjaida32.exeImpepm32.exeIcjmmg32.exeIfhiib32.exeImbaemhc.exeIpqnahgf.exeIcljbg32.exeIbojncfj.exeIjfboafl.exeIiibkn32.exeIapjlk32.exeIpckgh32.exeIbagcc32.exeIfmcdblq.exedescription pid process target process PID 1556 wrote to memory of 4196 1556 1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe Hpbaqj32.exe PID 1556 wrote to memory of 4196 1556 1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe Hpbaqj32.exe PID 1556 wrote to memory of 4196 1556 1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe Hpbaqj32.exe PID 4196 wrote to memory of 1320 4196 Hpbaqj32.exe Hfljmdjc.exe PID 4196 wrote to memory of 1320 4196 Hpbaqj32.exe Hfljmdjc.exe PID 4196 wrote to memory of 1320 4196 Hpbaqj32.exe Hfljmdjc.exe PID 1320 wrote to memory of 2748 1320 Hfljmdjc.exe Hikfip32.exe PID 1320 wrote to memory of 2748 1320 Hfljmdjc.exe Hikfip32.exe PID 1320 wrote to memory of 2748 1320 Hfljmdjc.exe Hikfip32.exe PID 2748 wrote to memory of 1836 2748 Hikfip32.exe Habnjm32.exe PID 2748 wrote to memory of 1836 2748 Hikfip32.exe Habnjm32.exe PID 2748 wrote to memory of 1836 2748 Hikfip32.exe Habnjm32.exe PID 1836 wrote to memory of 4712 1836 Habnjm32.exe Hccglh32.exe PID 1836 wrote to memory of 4712 1836 Habnjm32.exe Hccglh32.exe PID 1836 wrote to memory of 4712 1836 Habnjm32.exe Hccglh32.exe PID 4712 wrote to memory of 2644 4712 Hccglh32.exe Hcedaheh.exe PID 4712 wrote to memory of 2644 4712 Hccglh32.exe Hcedaheh.exe PID 4712 wrote to memory of 2644 4712 Hccglh32.exe Hcedaheh.exe PID 2644 wrote to memory of 1184 2644 Hcedaheh.exe Ipldfi32.exe PID 2644 wrote to memory of 1184 2644 Hcedaheh.exe Ipldfi32.exe PID 2644 wrote to memory of 1184 2644 Hcedaheh.exe Ipldfi32.exe PID 1184 wrote to memory of 4024 1184 Ipldfi32.exe Ijaida32.exe PID 1184 wrote to memory of 4024 1184 Ipldfi32.exe Ijaida32.exe PID 1184 wrote to memory of 4024 1184 Ipldfi32.exe Ijaida32.exe PID 
4024 wrote to memory of 5028 4024 Ijaida32.exe Impepm32.exe PID 4024 wrote to memory of 5028 4024 Ijaida32.exe Impepm32.exe PID 4024 wrote to memory of 5028 4024 Ijaida32.exe Impepm32.exe PID 5028 wrote to memory of 3288 5028 Impepm32.exe Icjmmg32.exe PID 5028 wrote to memory of 3288 5028 Impepm32.exe Icjmmg32.exe PID 5028 wrote to memory of 3288 5028 Impepm32.exe Icjmmg32.exe PID 3288 wrote to memory of 3248 3288 Icjmmg32.exe Ifhiib32.exe PID 3288 wrote to memory of 3248 3288 Icjmmg32.exe Ifhiib32.exe PID 3288 wrote to memory of 3248 3288 Icjmmg32.exe Ifhiib32.exe PID 3248 wrote to memory of 4460 3248 Ifhiib32.exe Imbaemhc.exe PID 3248 wrote to memory of 4460 3248 Ifhiib32.exe Imbaemhc.exe PID 3248 wrote to memory of 4460 3248 Ifhiib32.exe Imbaemhc.exe PID 4460 wrote to memory of 2200 4460 Imbaemhc.exe Ipqnahgf.exe PID 4460 wrote to memory of 2200 4460 Imbaemhc.exe Ipqnahgf.exe PID 4460 wrote to memory of 2200 4460 Imbaemhc.exe Ipqnahgf.exe PID 2200 wrote to memory of 3788 2200 Ipqnahgf.exe Icljbg32.exe PID 2200 wrote to memory of 3788 2200 Ipqnahgf.exe Icljbg32.exe PID 2200 wrote to memory of 3788 2200 Ipqnahgf.exe Icljbg32.exe PID 3788 wrote to memory of 3596 3788 Icljbg32.exe Ibojncfj.exe PID 3788 wrote to memory of 3596 3788 Icljbg32.exe Ibojncfj.exe PID 3788 wrote to memory of 3596 3788 Icljbg32.exe Ibojncfj.exe PID 3596 wrote to memory of 1136 3596 Ibojncfj.exe Ijfboafl.exe PID 3596 wrote to memory of 1136 3596 Ibojncfj.exe Ijfboafl.exe PID 3596 wrote to memory of 1136 3596 Ibojncfj.exe Ijfboafl.exe PID 1136 wrote to memory of 644 1136 Ijfboafl.exe Iiibkn32.exe PID 1136 wrote to memory of 644 1136 Ijfboafl.exe Iiibkn32.exe PID 1136 wrote to memory of 644 1136 Ijfboafl.exe Iiibkn32.exe PID 644 wrote to memory of 4908 644 Iiibkn32.exe Iapjlk32.exe PID 644 wrote to memory of 4908 644 Iiibkn32.exe Iapjlk32.exe PID 644 wrote to memory of 4908 644 Iiibkn32.exe Iapjlk32.exe PID 4908 wrote to memory of 3252 4908 Iapjlk32.exe Ipckgh32.exe PID 4908 wrote to memory of 
3252 4908 Iapjlk32.exe Ipckgh32.exe PID 4908 wrote to memory of 3252 4908 Iapjlk32.exe Ipckgh32.exe PID 3252 wrote to memory of 4952 3252 Ipckgh32.exe Ibagcc32.exe PID 3252 wrote to memory of 4952 3252 Ipckgh32.exe Ibagcc32.exe PID 3252 wrote to memory of 4952 3252 Ipckgh32.exe Ibagcc32.exe PID 4952 wrote to memory of 1276 4952 Ibagcc32.exe Ifmcdblq.exe PID 4952 wrote to memory of 1276 4952 Ibagcc32.exe Ifmcdblq.exe PID 4952 wrote to memory of 1276 4952 Ibagcc32.exe Ifmcdblq.exe PID 1276 wrote to memory of 4852 1276 Ifmcdblq.exe Iikopmkd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3820 -
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:4084 -
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3424 -
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe30⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3272 -
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe33⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:924 -
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4172 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:740 -
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4788 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3328 -
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe45⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3972 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4408 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe49⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe50⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5036 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:3768 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4344 -
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4412 -
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4528 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4940 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe60⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:628 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe66⤵
PID:3760 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5076 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5044 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444 -
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4704 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe72⤵
- Drops file in System32 directory
PID:3616 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:4568 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4456 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:3236 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3468 -
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:4348 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4864 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe81⤵
- Modifies registry class
PID:4996 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe83⤵
- Modifies registry class
PID:3472 -
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3416 -
C:\Windows\SysWOW64\Nkcmohbg.exeC:\Windows\system32\Nkcmohbg.exe85⤵
PID:1264 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 412 86⤵
- Program crash
PID:4988
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1264 -ip 1264 1⤵
PID:3144 -
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 1⤵
PID:4864
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
374KB
MD50ee860d47eab2be3e809addb674faa56
SHA114fd42b96d20ecb8613db456f25fed5c84fe47d1
SHA256873c44941afd505b367cdd7ce2dd90ba5f45de25a9d136a673d3d6f98676e06a
SHA51232f4bb5c06f938bd75eca38160c9f078784bcf644dc347e397e01215cc0774e34eb4ca491ff024b968b579d3f1c9bb3e11418db9adbeec4c84871466fedf177c
-
Filesize
374KB
MD5e0d32ac17d3b124d6576ed92bb42ea64
SHA15569a29110666cd12835bdda8a914ddcf75199d0
SHA256509556c2390c34443780f88c4bf2ee0aeba522ba3d5a1dd0f702525c5e21a518
SHA512eb2065da81af4842feab37e4534c25964afccf98f3a9b77fcfa51c1499e80c2444b89cc1901d7562e5503c15768663c6fd024272a581094368ebc8ff9fed8abf
-
Filesize
374KB
MD58099ddb57d142644c7cd4d82d95fe1bf
SHA1e7178739f0a5646553158e4c119c8478f77e6cb4
SHA256ca0bc4bacde520c76ae1edf19f6b304ca1437a170fcb1636aab1f2a7d34098de
SHA512c00d7ed1fbb91bf14fdd71f20ee1ef98c08457c3d14ea585feb8719b4b91defe1003a2abd6b114af31c1f3ac9123aaa01255c652615569b92cf3c31c9b996d8c
-
Filesize
374KB
MD53b9fbc659368db63a3914b7947f9b2d1
SHA124f10c4e2a9031648292132868d034d9e9cf09f9
SHA256afa8d2148d5c71562c60577d940698994407a2adea3cf7e4691bb08b6e96aabc
SHA512b23befa49f7f65b093cc621c158a3524c97bf91261bf9db15208d4cfafb33fcfa202d2af5c0d3a9143fbab899232d48712c6d6ace671319de74bd67369f4d970
-
Filesize
374KB
MD5236b62c527a304385e614a328261f34e
SHA1118431e1e944193901328dab3dc61a42bac60f0b
SHA256137e5d07622aec17a0730234dff0eb009a9262efe387639507c023022352c9ab
SHA5121396dbb1bdf0d53075b9c6db70b6628da46b64933890c75db5ebcbc775ed2e1ed77accbc14efd9ab5bc3900e41ebaa1e572e64016edb976bfa7abe6ec7057a57
-
Filesize
374KB
MD53384ca1b568e4545e9382616458fb006
SHA1f43450ccfedff712672c41d1075d09a8f2029dd3
SHA25677644849679c229cc0e100b1b53987d31121f5929b13cb74369de06d6fe8f87a
SHA512c6dde15f3aded5cd613c6abf38bc2848f6dfb82c4f54671afb8cbfa0f4d2710e9ff9e4a528e442110598125e914df544dc4b572b4c5e2ec5f2918d6abd9d871c
-
Filesize
374KB
MD5e820917678a94d9f93736527d73baafe
SHA16d6269b3446b1c067967313bd5c4215f675b5bbb
SHA25607cc4562dfb391bffe5c1fed72fb213444d51400fce2105f51b3196b5d57bf6d
SHA5122fa446dc4bd50936826573ae2c2c7e295a2b782296d6f0d60aeea72e70b506f7f5b3bc0ed77ffd37b9039722a8530cf9c5cdc5ad179845654b683f370073f1c4
-
Filesize
374KB
MD52e41a71ded4f84e32b0425680047f08d
SHA19317f1f070ffe4e222b5e22138e5af640a2a40fc
SHA256fb09be66fe8d4faa86ad48ceb0a5a64a627bc7eac3add0702a08d0f944057c7d
SHA5124b21362686e5de244ea5c35ecb203a93b25f4c079bca8c2e399214339157bc7c2da211d572feb557620ca278efbf01dde4a3d9b03d83c16cd823b5760d2c1f9f
-
Filesize
374KB
MD58c84b232f67bc3b29a0833e08d632866
SHA11ba750b9845a1532f40d1f15c3bc1bdda2af4e2a
SHA256e9b6d13978e95b254915af0f18ff0fcfc0eb5f0856952bd029d1393ad64301b7
SHA51294fe53b03d8c05a62a7594c593e114b263f98cac0579d9f63c5d3c003d2d159856d5d8845323a591c645edc82f5bb69733f217ddc3a3e62a6abb6d205a355308
-
Filesize
374KB
MD5e726e5a6744b374313562c8e144d5b4a
SHA19fc2f653a2f45c88ec006abad341a0d24e714440
SHA256391ef8e7d16deb2e678e5a48453eba70fcc195a71dddb09f2b547ed7bc77758d
SHA512f51368ec74c60338278fa57ae8779b88c1189c6e59513d8587b0d33950ef04e7f1263f715b4f9ff37036baa8d402a59b8f9b1c64d318df12fef7770fb48fa770
-
Filesize
374KB
MD564d5adfb654d390dc9c78dfaedc4c80d
SHA19e36dfc6f35b2d5498af647cc305fb9d76b0a36f
SHA25617980b53aebe5395f26f7118ae4524fd876712d81de2a06feb21994cf8b8284c
SHA5124933badabf12b1195ce291ddd7ccd3e0520691b6755e871f1ba345f6929d3a0cd2fc69d11f767ab2b291488e2ffda414a8e2d55b5b193faa00e830e092fd045f
-
Filesize
374KB
MD5b748b792652420992f47a90873318ada
SHA1df4962993f788eb5a1650befdd3adae63a2e010c
SHA256f64bedf86eef1d456b81d40a4b5874feb3bd2cac9ca2f55988787a0fd16ef21f
SHA512701b1fbd816981c0100506a65dedc4b2b4366195bcea96d9f81d7054951ff179e27c5f0d49f05f288ebe4ae3c9794330c82af3366a826419c2770086e22d90a5
-
Filesize
374KB
MD50662a7cc382821a442db95a83d576f8f
SHA1ea275fc428418622fbaefbed6ef0dd9bcdddd1ca
SHA256fddc9e7af75c90ec411a0b9ae8106f3210e2fc3f1438ade9468de236aa9078de
SHA512e29dea97f1d846669e6af9d1a743cd3cd662f4ba54b51667dc4a220020888d676dd131687457c28b7c8b030509b6d25d76a2e58cbddc33fd3abb0f7e730c7520
-
Filesize
374KB
MD5ce814ef109ee89bf37db62ce674b508d
SHA1c255b7eb87654158d83412480a5e39278e950ec4
SHA256f23c9793c1c797d61dc01096dc0eccda1f53a0d9c01c78e8e0ede1025d782519
SHA512f0d9a40cc326bf189a6431adcef663855825c65a46d48da77f046a88ab6c4e8c9ec355f8835a8cd4e2f907fa75675bd323d3fad36af3d781b5d63d6db680e012
-
Filesize
374KB
MD5991e940abeceb7cec38128eec35ebe7d
SHA13b1766b06d277b7c65e804613f580bc969322c78
SHA256041564061319ee6cca5e7269bd6b5e4f266a38378fe2af213c1c634250c72fef
SHA512a8a663a43ff435937adea82583819458b1c683c8385ca4f7b5f7d5bb9785db76a121ce0112d4580102c61b7aead4b04e28768da947cfad5864b34f6ede4a1c93
-
Filesize
374KB
MD50349aca08b04e16759e1fada1cc45ed6
SHA1b303bef886c0e016caceff55e51d4867896ab095
SHA256a041ae840066394f8f4f8f588613eb1c1b3612c09cabcf911926687b2f49ffb0
SHA512eea1ad676f7179c1dbaedb82e2ed3b71f4f7b824492116b17c7ed52adc37333a0340894b50e485c8dd8d4acf105a1e77cbc1aaca3b064e134ac66b8b0af05367
-
Filesize
374KB
MD57143071be90a87a8376384dbd25cab46
SHA1f6bb26562e98175f2a90bb995a095bfb9625409b
SHA256e2319a8b82849c1f4a29aba5aab65c9b77a5396bb8e11f5e5b10c1ca20274f56
SHA512ab00ed5c97170b1bf46a498cc77ddecea82bc6bdb65494de5b79d1efc688f8f66139e1d66889118a7e4ca02fa51372c2f3f85d9dffbe467c2644b32feff7aec8
-
Filesize
374KB
MD537b30bd419d47f6461d89bd071d21ecc
SHA1027aa84789f55cd5f46f709774efb62b902af816
SHA25636d914b9d4dbde4ca3c1e9b75df4cecf6c736f1db15d781c08c67016fda70ca5
SHA51288230ec3c11a9e781d9473a7fc5dbc7886d8caaa64da2321ab8cfa4a3e3eeb7d00ad55541f51877c5da2ceaf059e66c2ffb74ae53c1743717b857758a5dacad7
-
Filesize
374KB
MD573f9f2dce220f3cba472b2662a480f4a
SHA1512cec7bfc8e4a1137bf031afc96d36695a97167
SHA256bf11c051d3dd9ac440c151bd5ad90dbd878c9892d1be4349ecd026bcad210285
SHA5128a43dd9f2612c1f4f4857acf31f0016c45da1322988f98f6b2b2707979cc5eeb874fce94ead352051188384afa24bcd58431ae3d9bc53146b2db9d627820d2d2
-
Filesize
374KB
MD5db2532dd2f8c97e9693897dac04502e1
SHA1241a5be0314d9257554bbbf41cfdb6a02b919c8b
SHA256f24b9eee8ad212fbe44b2ee2d69a5fb962997aa14665cfe4882de334bbea5caf
SHA512acc4b89fc48f390161ef943378f25069adfeb5ba11b1b348855cfd00100fd00fd9ce394f4090c69e3ab05168a06a5f9ee8dae91236c632cc48a8309e28105689
-
Filesize
374KB
MD59ef5bc4ee32eefda87b68eacf231b63c
SHA1ceca71dbe4a8ca8f8dd69be7542aef34dabfb79f
SHA25690a761590f7cf8fd4a7b650bfe0e2edd9ccc8e56369feb90235ae6aed7ef8244
SHA51217a40d5948c700b66ca2b1c24dcaa0bf690f32102e29dad961306ec36186ad6691e21ee54f000d36069bb455d3b699db800f4f273cd1177d4523ee912fcdfc45
-
Filesize
374KB
MD5b6fc66947805133e38146af7c0c94f41
SHA137922cb5779372ccc013727aa73794539946b55d
SHA2566369b727b2e9e94f95f1b82b70fa4e8be6b5164ddb29d55db3d46408d5a7ca5a
SHA512d5a655a1785d4ca328f1083887c20447f8ee1d045e07114cd602cdfdbf8a1d8ac7aa245103fbb4ed60106dad58249e739d433dd209e6590082d2290c882faed8
-
Filesize
374KB
MD5abe8b10f37d8f919e23522505877047d
SHA1c47b8cb6837d099abc6205a16f0d63f39d127c7a
SHA256640d115e5409a8c6581fcdaca36bd4e6b07cc64efbd192ae5d6407dec826c7a7
SHA5126505c79f732ddbf30984eb03445c01a0cbf57251a02cb5cf9d55138aa88e5e4d0e574cf22889e25218e2680695874ba5b23831a00c9b023bfa3778298a6f85cc
-
Filesize
374KB
MD5f8eba0e8c6b3477d926a776be281c854
SHA155e64570804149e0e84db819b23a5ad6be3fdaa4
SHA256df33b349d53d94a3085e379e9eddcf74680f59973270aca0ccff429ce3b27743
SHA51243480f6c65efbe571766105448b7be57795c57f57ace76a29341aac92077f8855eee72af1eb1e98e4b91a59c3e62ba654d2ad227b9e23addc47c9c54c8eea960
-
Filesize
374KB
MD50b15b22108678aae3e8896ae0165a001
SHA18752d0b21e6a15017b22ae4a31432bc2fd16045c
SHA25649c988179851859f7a883155f5390a0a7e5972b07dd5ac59a32823ded4ca378a
SHA51290b3fc24f6555601be1b7033d7af8b72221336859fcdb79bcd4bed9642639c00f6ad2c9deefcc294386d3b757e35489c7c058fbee377a1c385a136637d9b36d7
-
Filesize
374KB
MD5c38e7a0837fb6ca8e928a6a2a308cc9d
SHA149650308d01cf23a557365e60eedf273f8dbf503
SHA256fbb880c24474a9ce2131a8e8bbf113887cb6dc70959ede68735e8a893c7f2971
SHA512e9d1d0e70f9814dd6dc2970dcf9706fccbd57b0a57b5d578ed5865bf5af2bd7167462869d42b294eb5682b3c36a9074beeb3e86eb31656337ab03f64292848e4
-
Filesize
374KB
MD5d47d448c939b1b0eda5b0d7900889528
SHA105c6e0c5d8d7c7d65cf3fcd70d5c95ec7bbc82ad
SHA256ea9790394dc4a4ba487575f612fed8c9d519816d3498846be97b8f64d4d57349
SHA512640c23bb5916ce81260678394ccb9b935147cabd609bf7b434f340182b09df55b278c975cdc9e3b8238eda8ce1c878ecc3d38829617fa04a602a46c1eab25f58
-
Filesize
374KB
MD54ce5651cb786a005116c95a8aa0b1509
SHA1ed368b1f6b547ae9e1c0d09666abfabf6252d861
SHA256ab7923ee1a14e83386034c27c3bca709cd61205fc9ac386764df949b15bee718
SHA512266e3897f93918cff5a468852f1160bdbee963f65adc2e394337306afc45325be3bcb8cf603fa7e1589aba090a0b07b961e572a01e16ad34f4b3bf7b27f8d349
-
Filesize
374KB
MD5f1dcf301c74ad463515bf7fd05837579
SHA17a2f1753dac4c865740a892f2c7723dddaa42309
SHA2568928ff7d5bb608445f6ac84dcbdecc32e6d51a2a354105a5b45a09ccb7b58d4e
SHA5121567067cbf4022b82cf1737f8afcc948d3dfe58612921acee39affcf97e4b0a19bdc3662cc4e74b50c9451514a28c05c4fccd520d7c2a512f5eb2c6604355293
-
Filesize
374KB
MD5b935f27a5a623771a5b91bbbab9e9eaa
SHA1f9dd3f82660c425cdc2a710dfd538431e3d518ce
SHA2565b2f36d5e6ea2d74e0a050203bbead00d0945e17c3559ffb19ac04105d1caae9
SHA51219c40f62519e3499ce0d16759914b9bf50de9a2c953108ba51cccaf0369bb68d6d27c9c3e98617b6ac6cb6222d1f6f2563d73947b5ddf57c49318aa2aae7f2c2
-
Filesize
374KB
MD58d3e09ee3e4bfce10f582dee068266af
SHA1ed0ff0065c05e87f9a5609400c05239def821522
SHA256198830ff5df14cb6b4189ee1483d2ffcdafe4489eb94258bf9a859c8738c14a3
SHA51288879cab3c527f158340d7452a0b1935d257773e4c68925f17807397c0801ab11170a3cf54051358aecaf42f6106fae06004e3dfcf3b2fbb73bdec4432b497d7
-
Filesize
374KB
MD5eb28947f7fee5dee74ff81c43547180b
SHA196b3f0756e6ffe48d27bd74a6ea3c386b96f2fd5
SHA2564886dcc8aad266defeddfb4dcab5b9646c02250781e0c1fc05e39b3c32885d49
SHA512a27845ea4e73705ac5f410fcc2a0ce12c958c06c1044c049a6e905e402b838ab0542bb543a8e19f34913313b9f1839a1fa231b144531e839cabc359a08fc49b7
-
Filesize
7KB
MD5a3f791c4f16782cf3adc2b4268a22b17
SHA1d6ce2e9fdb8d2572370f2b8240955c3f9d80fd2a
SHA256b7766551b70dced0e73367e8e79ec320bc8d3ec375a52e56b8fb7cd4ae0f0aeb
SHA512ee590b15b70a916b351ce5d8f6f26f44610b6666a952cbe52aa2e69de787f00fedf7da5f2e17d478649f7c412f95d098c7cf6f193b51fe4843699868f36cbaf6