e842044ef0f1eb4ac3f7ad1d577e852c00237fa7c53820fc91940e9ce2230046

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe
Size

57KB
MD5

508ef50c26c21dc512ce0dd31278aa40
SHA1

1beaf1506d67f4ef03a3b1c8083605885418cf73
SHA256

e842044ef0f1eb4ac3f7ad1d577e852c00237fa7c53820fc91940e9ce2230046
SHA512

28360d569bb692d25477873ec29a373ff01fbcf8a635bacb6ae6e2b9980e793bc5c95e06845e7ed9e30c761101876639af7f865beac32b1ead31c36cc47c40fe
SSDEEP

768:yAddTB+87ddfIhoDhRCM+5RBGVIOJNXhorNMnQ2wS1ep9RNmLtQcZY/1H51Xdnhg:yYdTB+87MMhAM+5rGvR+eeB5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe

Executes dropped EXE 21 IoCs

pid	Process
2936	Gopkmhjk.exe
2756	Ghhofmql.exe
2612	Gelppaof.exe
2548	Gkihhhnm.exe
2728	Gdamqndn.exe
2380	Gogangdc.exe
1956	Gddifnbk.exe
1348	Hiqbndpb.exe
2744	Hcifgjgc.exe
2008	Hicodd32.exe
2304	Hckcmjep.exe
2016	Hnagjbdf.exe
1904	Hobcak32.exe
592	Hjhhocjj.exe
856	Hpapln32.exe
2788	Hacmcfge.exe
2064	Icbimi32.exe
3064	Ieqeidnl.exe
2992	Ilknfn32.exe
888	Ioijbj32.exe
1300	Iagfoe32.exe

Loads dropped DLL 46 IoCs

pid	Process
1460	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe
1460	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe
2936	Gopkmhjk.exe
2936	Gopkmhjk.exe
2756	Ghhofmql.exe
2756	Ghhofmql.exe
2612	Gelppaof.exe
2612	Gelppaof.exe
2548	Gkihhhnm.exe
2548	Gkihhhnm.exe
2728	Gdamqndn.exe
2728	Gdamqndn.exe
2380	Gogangdc.exe
2380	Gogangdc.exe
1956	Gddifnbk.exe
1956	Gddifnbk.exe
1348	Hiqbndpb.exe
1348	Hiqbndpb.exe
2744	Hcifgjgc.exe
2744	Hcifgjgc.exe
2008	Hicodd32.exe
2008	Hicodd32.exe
2304	Hckcmjep.exe
2304	Hckcmjep.exe
2016	Hnagjbdf.exe
2016	Hnagjbdf.exe
1904	Hobcak32.exe
1904	Hobcak32.exe
592	Hjhhocjj.exe
592	Hjhhocjj.exe
856	Hpapln32.exe
856	Hpapln32.exe
2788	Hacmcfge.exe
2788	Hacmcfge.exe
2064	Icbimi32.exe
2064	Icbimi32.exe
3064	Ieqeidnl.exe
3064	Ieqeidnl.exe
2992	Ilknfn32.exe
2992	Ilknfn32.exe
888	Ioijbj32.exe
888	Ioijbj32.exe
1864	WerFault.exe
1864	WerFault.exe
1864	WerFault.exe
1864	WerFault.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Hiqbndpb.exe	Gddifnbk.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hjhhocjj.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Pabakh32.dll	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Hiqbndpb.exe
File opened for modification	C:\Windows\SysWOW64\Hicodd32.exe	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hicodd32.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Gelppaof.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Gkihhhnm.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Hkkmeglp.dll	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Ahpjhc32.dll	Gopkmhjk.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Gdamqndn.exe
File opened for modification	C:\Windows\SysWOW64\Gddifnbk.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Gopkmhjk.exe	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jondlhmp.dll	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Gelppaof.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Ahcocb32.dll	Gelppaof.exe
File opened for modification	C:\Windows\SysWOW64\Hiqbndpb.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Hcifgjgc.exe	Hiqbndpb.exe
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Jgdmei32.dll	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Ghhofmql.exe	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Ghhofmql.exe	Gopkmhjk.exe
File opened for modification	C:\Windows\SysWOW64\Gkihhhnm.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Pfabenjd.dll	Gogangdc.exe
File created	C:\Windows\SysWOW64\Omabcb32.dll	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Hicodd32.exe
File created	C:\Windows\SysWOW64\Gdamqndn.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hpapln32.exe
File created	C:\Windows\SysWOW64\Gddifnbk.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hjhhocjj.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Icbimi32.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Gopkmhjk.exe	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Gdamqndn.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Hpapln32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1864	1300	WerFault.exe	48

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll"	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll"	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll"	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gelppaof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hicodd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2936	1460	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe	28
PID 1460 wrote to memory of 2936	1460	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe	28
PID 1460 wrote to memory of 2936	1460	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe	28
PID 1460 wrote to memory of 2936	1460	508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe	28
PID 2936 wrote to memory of 2756	2936	Gopkmhjk.exe	29
PID 2936 wrote to memory of 2756	2936	Gopkmhjk.exe	29
PID 2936 wrote to memory of 2756	2936	Gopkmhjk.exe	29
PID 2936 wrote to memory of 2756	2936	Gopkmhjk.exe	29
PID 2756 wrote to memory of 2612	2756	Ghhofmql.exe	30
PID 2756 wrote to memory of 2612	2756	Ghhofmql.exe	30
PID 2756 wrote to memory of 2612	2756	Ghhofmql.exe	30
PID 2756 wrote to memory of 2612	2756	Ghhofmql.exe	30
PID 2612 wrote to memory of 2548	2612	Gelppaof.exe	31
PID 2612 wrote to memory of 2548	2612	Gelppaof.exe	31
PID 2612 wrote to memory of 2548	2612	Gelppaof.exe	31
PID 2612 wrote to memory of 2548	2612	Gelppaof.exe	31
PID 2548 wrote to memory of 2728	2548	Gkihhhnm.exe	32
PID 2548 wrote to memory of 2728	2548	Gkihhhnm.exe	32
PID 2548 wrote to memory of 2728	2548	Gkihhhnm.exe	32
PID 2548 wrote to memory of 2728	2548	Gkihhhnm.exe	32
PID 2728 wrote to memory of 2380	2728	Gdamqndn.exe	33
PID 2728 wrote to memory of 2380	2728	Gdamqndn.exe	33
PID 2728 wrote to memory of 2380	2728	Gdamqndn.exe	33
PID 2728 wrote to memory of 2380	2728	Gdamqndn.exe	33
PID 2380 wrote to memory of 1956	2380	Gogangdc.exe	34
PID 2380 wrote to memory of 1956	2380	Gogangdc.exe	34
PID 2380 wrote to memory of 1956	2380	Gogangdc.exe	34
PID 2380 wrote to memory of 1956	2380	Gogangdc.exe	34
PID 1956 wrote to memory of 1348	1956	Gddifnbk.exe	35
PID 1956 wrote to memory of 1348	1956	Gddifnbk.exe	35
PID 1956 wrote to memory of 1348	1956	Gddifnbk.exe	35
PID 1956 wrote to memory of 1348	1956	Gddifnbk.exe	35
PID 1348 wrote to memory of 2744	1348	Hiqbndpb.exe	36
PID 1348 wrote to memory of 2744	1348	Hiqbndpb.exe	36
PID 1348 wrote to memory of 2744	1348	Hiqbndpb.exe	36
PID 1348 wrote to memory of 2744	1348	Hiqbndpb.exe	36
PID 2744 wrote to memory of 2008	2744	Hcifgjgc.exe	37
PID 2744 wrote to memory of 2008	2744	Hcifgjgc.exe	37
PID 2744 wrote to memory of 2008	2744	Hcifgjgc.exe	37
PID 2744 wrote to memory of 2008	2744	Hcifgjgc.exe	37
PID 2008 wrote to memory of 2304	2008	Hicodd32.exe	38
PID 2008 wrote to memory of 2304	2008	Hicodd32.exe	38
PID 2008 wrote to memory of 2304	2008	Hicodd32.exe	38
PID 2008 wrote to memory of 2304	2008	Hicodd32.exe	38
PID 2304 wrote to memory of 2016	2304	Hckcmjep.exe	39
PID 2304 wrote to memory of 2016	2304	Hckcmjep.exe	39
PID 2304 wrote to memory of 2016	2304	Hckcmjep.exe	39
PID 2304 wrote to memory of 2016	2304	Hckcmjep.exe	39
PID 2016 wrote to memory of 1904	2016	Hnagjbdf.exe	40
PID 2016 wrote to memory of 1904	2016	Hnagjbdf.exe	40
PID 2016 wrote to memory of 1904	2016	Hnagjbdf.exe	40
PID 2016 wrote to memory of 1904	2016	Hnagjbdf.exe	40
PID 1904 wrote to memory of 592	1904	Hobcak32.exe	41
PID 1904 wrote to memory of 592	1904	Hobcak32.exe	41
PID 1904 wrote to memory of 592	1904	Hobcak32.exe	41
PID 1904 wrote to memory of 592	1904	Hobcak32.exe	41
PID 592 wrote to memory of 856	592	Hjhhocjj.exe	42
PID 592 wrote to memory of 856	592	Hjhhocjj.exe	42
PID 592 wrote to memory of 856	592	Hjhhocjj.exe	42
PID 592 wrote to memory of 856	592	Hjhhocjj.exe	42
PID 856 wrote to memory of 2788	856	Hpapln32.exe	43
PID 856 wrote to memory of 2788	856	Hpapln32.exe	43
PID 856 wrote to memory of 2788	856	Hpapln32.exe	43
PID 856 wrote to memory of 2788	856	Hpapln32.exe	43

C:\Users\Admin\AppData\Local\Temp\508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\508ef50c26c21dc512ce0dd31278aa40_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\Gopkmhjk.exe
  C:\Windows\system32\Gopkmhjk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\Ghhofmql.exe
    C:\Windows\system32\Ghhofmql.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\Gelppaof.exe
      C:\Windows\system32\Gelppaof.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\Gkihhhnm.exe
        
        C:\Windows\system32\Gkihhhnm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Gddifnbk.exe
        
        C:\Windows\system32\Gddifnbk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Hiqbndpb.exe
        
        C:\Windows\system32\Hiqbndpb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Hcifgjgc.exe
        
        C:\Windows\system32\Hcifgjgc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        22⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 140
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
57KB

MD5
554848566555606061a2596bd6d39e97

SHA1
e367f092aa4e71d6a59c313eae572355a1855f21

SHA256
0ad4e96ce869f5b58bf5483973f21949bc9e3041666011e26f660e17229383ec

SHA512
58a945cab32cefaa9dbca8c00d27b3dc89c09a42d16bca06473ca3ec5209d2ddf4807d669aeb7b27778a586494d72f03a59165ab743016aebd40dfaeec3a6847

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
57KB

MD5
b584c08312084ed9ebcd1f67151606a4

SHA1
30e3409caf0e92df87f829d2c16a57a5dd068f74

SHA256
7a079a01571d093451f1a278c57ddab1aab1e9885be21310482f7f562101be28

SHA512
7c47cc96af3b4b5a06f5d4d6668273c23b42d1b560c2b3d3f747762b411b0bc1886facda6597ba34c754bb35e61b92ef81929e38d914b176981252435ad5b90c

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
57KB

MD5
6e09b1c2ee0347063cb005cce30d73dd

SHA1
2fa815e1589dd3f5f052c832012734a471b2c9ab

SHA256
e34b0b66aece68609ff69896f4bbc9f46fb1e128ae6529101461164bf951754e

SHA512
fb2038a0a332f96d0c64de1dcd9f7fa21888cd2a6b2504417b9ee4d4834fda22b76e24961aa68e81054cdd815fbf2dbed6c415946007feabe104b7675f537f11

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
57KB

MD5
1fa664e42690ec81a39c9a97c997c508

SHA1
0b19a17194d56e8edcea9d702ce6a97d86dcc592

SHA256
a5e8d9bc3603aada090453aeba8a07ff8d8ecb2d5144f367b5ece9791f1b80a8

SHA512
8664b98ab8bdcb0394614267f66cb8bc56c2b821baf723238abf309c769ca1291e1bb7c8ebe752b63821154723e468f55df7ad779f45266c70510c9e0645f0fa

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
57KB

MD5
82973dc23fb69d42e33622cf8a4eac53

SHA1
1295c9449a630966b4a83f1aff446c61d5d44c40

SHA256
45f449b76f17cf5a8181eaceb9911087ee5dfeab49a615e665f97a6037e5c8a9

SHA512
9d1cbadeb81c9724f5803007d2bb5af82f843d5ba2005ce088b60da351aa2b994c433fa69446b445845c97236bc840f717b725851f8ac41086c7b8a161ad2480

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
57KB

MD5
329741c11acba4e25dd09e7a094a96d4

SHA1
8331df671a28406c0e766c64f8e5e54c3094a3f1

SHA256
d7460b7ec62192187f7a6c8f62a339e5e7dca4f7b50c992afc7ce4cc28d05721

SHA512
4df99a52f7ecc26f76c5e10d3ebda0ec3da0bb3d32bd201b07160824cafac3062af9f99c55f465c1052af83405ef5e38c107cf2b76799cca966f7e40560112dd

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
57KB

MD5
9ce5c675b1fce834f04b7fc64b0495bd

SHA1
51c6f99b05c2749c745b37c621674cd9baa67467

SHA256
f46ae10a8c3623fddb66a4454bbd1c0e8553f1fee70b7ea24f38369cb144c828

SHA512
d104288872a6e64783c296e2af81ea41e88bc848bfe36331b03833661efe486510ac43c1e5881001db62a87a27c3e1b09da070955232c05a7669cd25c18cacbb

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
57KB

MD5
09b84aed603c4775f9dc9630a3cfd944

SHA1
2064a2ac29604a3cd01f6ccef01f66baadea1a2e

SHA256
a58b32908651f76e5a6b2d25e6eecde898bb31246678691ff21b44f800670245

SHA512
0f930e4c9d28f023dcd27aa6b95c128463e99cda8536f334f794c472c0ef6dc0e330a3ec4b914daca95583b65a354a9b1070b5d4f9c04583460cac03788dc6b4

Download Submit
\Windows\SysWOW64\Gdamqndn.exe

Filesize
57KB

MD5
fd98c4d3e0da22a8047ef1bb7dc5c345

SHA1
d7b63497ceb8f791f2f5ed282313cf00233ff06d

SHA256
b47ced88d3d6cc8c547fe6d370b8ef76bbe4f5f7dc0cd31bc7aa1ca95a1ba521

SHA512
4aa05fd56fd01c7988015ad6ede1c78673d63a3e983de30cb6134a39302f4d9e43d88843a94dc3b0bc09ba31ca37d922435322a9c2d8992f2417dd863e534b4c

Download Submit
\Windows\SysWOW64\Gddifnbk.exe

Filesize
57KB

MD5
9510d281366f1ee35289bd9727fb5dd1

SHA1
ee16fce575576ba78cab30ce5a3d7e30f57bf85c

SHA256
4ad1928c8e35a54c07dcf691ce0a801043b731e9fca9af9c88f3fcc436d80b17

SHA512
7a7ea00f77e6ac35d952e9f34ab46f969c5abf3947639a3f38e0e59ecf432df7ff9ba7857d5b48915d6d268689fae9db601cf6236f3fb5bd766ea026a5625474

Download Submit
\Windows\SysWOW64\Gelppaof.exe

Filesize
57KB

MD5
f449bca186d0dbab815395561267b04c

SHA1
46b4a9fad97202e8ffe619c8766a01d1daaf05e0

SHA256
bac47ed1bc7223fed71ae304abb0ff52a36b852a698c7730e352c592711ce6c6

SHA512
0b6bfcfe581f70b77c772cb391d18454e7e2154295bf671fcaef01eda6327ea9e84fa9f2cd5500aa1fa1cbe5fd81dc0e9ecde970cd48806d1c95dcb99b758da1

Download Submit
\Windows\SysWOW64\Ghhofmql.exe

Filesize
57KB

MD5
5040cb9f97a183b2efbdc32d1fcb4d1c

SHA1
e0d3ea1b68176e2137ff22093927d045d9e4365f

SHA256
0f6a153ce1684a9de3e7144b38d410d64d4486805b3336206ea097763cc644a7

SHA512
2e453beed023bca2aecc413c4dd8a10151ba5de068a67b0ce8e2f3619f6aba0c8c58b6cbf203d1228424cbc11a02e77eac8cad87c72daf3acc602e234a6aff26

Download Submit
\Windows\SysWOW64\Gkihhhnm.exe

Filesize
57KB

MD5
dca8edd2e793951c7a669fd08565659e

SHA1
44ba47911fcd56ac7dce6399e751d25b35d099fb

SHA256
1f1b18b6cb70b0b8bcac3623ac24ceb3527ab76b567c08b50b02864ff2776ec4

SHA512
9f6dbe83fcc5aaf906e5fc8e31b2f83ba27ad935f9348f219584a6149f74650c497bd2763fa73367406870bc48e4c264ce03e4058ed72184a67b2e9749f630a4

Download Submit
\Windows\SysWOW64\Gogangdc.exe

Filesize
57KB

MD5
d176b041daabef03f8c3c04ae506f743

SHA1
4de8154b4b16de9b00fc0e6d78727a367a2bc0e4

SHA256
58ea69bff2f2f91a2f8988ce6d0e076c64963bfbed27fcdea5f06a93843315b4

SHA512
769e2eabf7b9feb6e9f65f98938a4417e23299634b24b8ec878fc13ba79facfe78f2919d6e548cf78d8b9e77f31a2a00358421ac69a8bb8d46b4e75618632f45

Download Submit
\Windows\SysWOW64\Gopkmhjk.exe

Filesize
57KB

MD5
ab5b6d01e8fcfe430c43c4e6e532ccc7

SHA1
e0a3cbf97bfdfd25f9579affb7a90802b363a320

SHA256
afd8c4953de75c899e4f219cb270f2d0557115d532d77c71905ce8167313564c

SHA512
177dd08be72580e74a2b09c1a049ae4357fea28f07f62959b104bc901431e62539e83e423f77556a535d51a6fd8964d4a3e0f40368d0d0483bb18d5825bf617b

Download Submit
\Windows\SysWOW64\Hcifgjgc.exe

Filesize
57KB

MD5
1b5ee41407e9e71e64c10492b2e59bc9

SHA1
279c5b91d4beebcce75fce73adea164d0b11f9d2

SHA256
ad595798121df230d1824eef6fa4b52c2410f26eddbe0ad24dbd39f4388fdcdb

SHA512
b72d0843b5cf424058ef923b6541ec2353c0c47111d3605036282fe208d2e39c3863076b25417a55bb8963d709cc0b4729f9027fb15213fb7c8a0820d4e39436

Download Submit
\Windows\SysWOW64\Hckcmjep.exe

Filesize
57KB

MD5
839771841e2f4db71c7b74aecd9209f4

SHA1
2826248479636508c87652a29f704224c9002ad1

SHA256
a904110ccbcce95076c52cf38db0de3fae62a319f25551cbd308db4082170feb

SHA512
2c2e4ec6f463a7d555a15e7a5b1b7abb7359056e56a9af86deb63e9b96b377c565682808cb17718d19c9e487961efc030c9056828e5bf9d85dc2ddc819ea7a96

Download Submit
\Windows\SysWOW64\Hiqbndpb.exe

Filesize
57KB

MD5
6d26945b1406e8d151267f38a1f2e032

SHA1
8f5b441e1b7cfbfbb67432b6433ac39a35ba8475

SHA256
6104049498f7b4fbb502b87b897c7a3aed22badff98f1b05296fd7a4876e4033

SHA512
3e7194aeabf429ee3fd79af6be8780735b423b2399a8074e7278b24a87972aa7633a30abf53089b29d79f32c3987070bb878af829e668b7a833050af18c3cacc

Download Submit
\Windows\SysWOW64\Hjhhocjj.exe

Filesize
57KB

MD5
6c9af6f17cccd7e3d1e2cb669b4339d8

SHA1
df672858a319c0eea97068737b59cca1021a01c3

SHA256
943b79ed85c389581fba906c6450e6637c33a575e5190e99ac6e0f14feb324f2

SHA512
a6fd49da78a68e89b5bd2a20c35702c7aa86daeda12ce8a4265c9b98c34feb7fa092edfb2f04477ad08e864cb2152331f91c4b98a3e183209bf782c800507aaf

Download Submit
\Windows\SysWOW64\Hnagjbdf.exe

Filesize
57KB

MD5
dc53e3abdbea47ddc005187a8cfd698d

SHA1
b76c7569a4e1a9ff07c7d94d6943e6fa5562ff2b

SHA256
faadab1d3255c70b00f81926573c5b8d5ebadbf64302ea8a05b6f32e47fdf25f

SHA512
a42860607b8071b554b73aca6e525050f42fcacfc9f0e66f370a3cd3269ea1bd9215afe2130dde33f5144e73923cb2938f886dd65f0f9958f3c182fa49db8473

Download Submit
\Windows\SysWOW64\Hobcak32.exe

Filesize
57KB

MD5
d023536ce07302e5f1abc53142dfc9d6

SHA1
27552045c4c61feff308c02131963df5af952690

SHA256
e4e7b0b4c873ead4f8bd0b4aeb3e5eca4f5e4ba622bc32b7be21eac6ff4734a9

SHA512
084e6f34812561e1ff4965646312055d81e03c3f3b8dcfedb05dbf487d1d338a365a86089b13a8ca5daea61c1f08da124531423610dcb0120237c578dcaa5117

Download Submit
memory/592-271-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/592-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/856-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/856-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-254-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/888-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1300-258-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-266-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1460-6-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1460-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1460-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1904-171-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1904-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-145-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2008-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2016-158-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2016-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2304-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2380-78-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2380-86-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2380-265-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-52-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-59-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2548-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2744-126-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2744-123-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-34-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2756-26-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2788-210-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2788-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2788-220-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2936-24-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2936-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2992-243-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2992-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3064-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3064-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads