2dc0868e26c020c6fb842db1f074ddf7a9e10b74a473f612e3571deb9b0dcfab

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
Size

398KB
MD5

e0aa5fa6a4d53f9fa3ae96c5fbb3aab0
SHA1

e2f2381e7cc712a7391e8cce4d994ef3e52579ca
SHA256

2dc0868e26c020c6fb842db1f074ddf7a9e10b74a473f612e3571deb9b0dcfab
SHA512

0e568fbb0de2133eda9bf8a2fa22ead28251bf785c256994e1664cb34ac446e67a02bf2c1e985c660312c9721fdeb139ccc6a3844157e67fd95f0f4b07e0e945
SSDEEP

12288:AjE3JsM6t3XGCByvNv54B9f01ZmHByvNv5imipWf0Aq:dD6t3XGpvr4B9f01ZmQvrimipWf0Aq

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgdmmgpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Efncicpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dngoibmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbehoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbehoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdmmgpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dngoibmo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fckjalhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckjalhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghkllmoi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfijnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Facdeo32.exe

Executes dropped EXE 22 IoCs

pid	Process
1160	Dngoibmo.exe
2072	Dbehoa32.exe
2664	Dgdmmgpj.exe
2472	Dfijnd32.exe
2736	Efncicpm.exe
2948	Enihne32.exe
2824	Fckjalhj.exe
3000	Fmcoja32.exe
2708	Ffnphf32.exe
1788	Facdeo32.exe
2716	Gonnhhln.exe
324	Gbkgnfbd.exe
1260	Gelppaof.exe
1276	Ghkllmoi.exe
2420	Ghoegl32.exe
2036	Hgdbhi32.exe
588	Hnagjbdf.exe
1784	Hcnpbi32.exe
740	Hjjddchg.exe
2368	Hkkalk32.exe
280	Ieqeidnl.exe
2276	Iagfoe32.exe

Loads dropped DLL 48 IoCs

pid	Process
2104	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
2104	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
1160	Dngoibmo.exe
1160	Dngoibmo.exe
2072	Dbehoa32.exe
2072	Dbehoa32.exe
2664	Dgdmmgpj.exe
2664	Dgdmmgpj.exe
2472	Dfijnd32.exe
2472	Dfijnd32.exe
2736	Efncicpm.exe
2736	Efncicpm.exe
2948	Enihne32.exe
2948	Enihne32.exe
2824	Fckjalhj.exe
2824	Fckjalhj.exe
3000	Fmcoja32.exe
3000	Fmcoja32.exe
2708	Ffnphf32.exe
2708	Ffnphf32.exe
1788	Facdeo32.exe
1788	Facdeo32.exe
2716	Gonnhhln.exe
2716	Gonnhhln.exe
324	Gbkgnfbd.exe
324	Gbkgnfbd.exe
1260	Gelppaof.exe
1260	Gelppaof.exe
1276	Ghkllmoi.exe
1276	Ghkllmoi.exe
2420	Ghoegl32.exe
2420	Ghoegl32.exe
2036	Hgdbhi32.exe
2036	Hgdbhi32.exe
588	Hnagjbdf.exe
588	Hnagjbdf.exe
1784	Hcnpbi32.exe
1784	Hcnpbi32.exe
740	Hjjddchg.exe
740	Hjjddchg.exe
2368	Hkkalk32.exe
2368	Hkkalk32.exe
280	Ieqeidnl.exe
280	Ieqeidnl.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gbkgnfbd.exe	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Ghkllmoi.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Fmcoja32.exe	Fckjalhj.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Dngoibmo.exe	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lkojpojq.dll	Dfijnd32.exe
File created	C:\Windows\SysWOW64\Enihne32.exe	Efncicpm.exe
File opened for modification	C:\Windows\SysWOW64\Gelppaof.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Dngoibmo.exe	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Dgdmmgpj.exe	Dbehoa32.exe
File created	C:\Windows\SysWOW64\Dhflmk32.dll	Dbehoa32.exe
File created	C:\Windows\SysWOW64\Fckjalhj.exe	Enihne32.exe
File created	C:\Windows\SysWOW64\Oecbjjic.dll	Facdeo32.exe
File created	C:\Windows\SysWOW64\Gbkgnfbd.exe	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Dbehoa32.exe	Dngoibmo.exe
File opened for modification	C:\Windows\SysWOW64\Dgdmmgpj.exe	Dbehoa32.exe
File created	C:\Windows\SysWOW64\Lghegkoc.dll	Fckjalhj.exe
File created	C:\Windows\SysWOW64\Qahefm32.dll	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Cgcmfjnn.dll	Dgdmmgpj.exe
File opened for modification	C:\Windows\SysWOW64\Ghoegl32.exe	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Ghoegl32.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Efncicpm.exe	Dfijnd32.exe
File created	C:\Windows\SysWOW64\Dfijnd32.exe	Dgdmmgpj.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Gonnhhln.exe	Facdeo32.exe
File created	C:\Windows\SysWOW64\Iebpge32.dll	Gelppaof.exe
File created	C:\Windows\SysWOW64\Gpekfank.dll	Ghkllmoi.exe
File opened for modification	C:\Windows\SysWOW64\Dfijnd32.exe	Dgdmmgpj.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Efncicpm.exe	Dfijnd32.exe
File created	C:\Windows\SysWOW64\Jiiegafd.dll	Enihne32.exe
File opened for modification	C:\Windows\SysWOW64\Gonnhhln.exe	Facdeo32.exe
File created	C:\Windows\SysWOW64\Pabakh32.dll	Gbkgnfbd.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Facdeo32.exe	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Gelppaof.exe	Gbkgnfbd.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Cbolpc32.dll	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Enihne32.exe	Efncicpm.exe
File opened for modification	C:\Windows\SysWOW64\Fmcoja32.exe	Fckjalhj.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Ghkllmoi.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Lkcmiimi.dll	Dngoibmo.exe
File created	C:\Windows\SysWOW64\Iecimppi.dll	Efncicpm.exe
File opened for modification	C:\Windows\SysWOW64\Fckjalhj.exe	Enihne32.exe
File opened for modification	C:\Windows\SysWOW64\Ffnphf32.exe	Fmcoja32.exe
File opened for modification	C:\Windows\SysWOW64\Facdeo32.exe	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Jkamkfgh.dll	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Dbehoa32.exe	Dngoibmo.exe
File created	C:\Windows\SysWOW64\Ffnphf32.exe	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Kegiig32.dll	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Ghoegl32.exe	Ghkllmoi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
900	2276	WerFault.exe	49

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll"	Facdeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbehoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fckjalhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fckjalhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgdmmgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Efncicpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhflmk32.dll"	Dbehoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll"	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dngoibmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcmiimi.dll"	Dngoibmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfijnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbolpc32.dll"	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dngoibmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll"	Fckjalhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Facdeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbehoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegiig32.dll"	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll"	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkojpojq.dll"	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	Ghkllmoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgdmmgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgcmfjnn.dll"	Dgdmmgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiiegafd.dll"	Enihne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 1160	2104	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 1160	2104	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 1160	2104	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 1160	2104	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe	28
PID 1160 wrote to memory of 2072	1160	Dngoibmo.exe	29
PID 1160 wrote to memory of 2072	1160	Dngoibmo.exe	29
PID 1160 wrote to memory of 2072	1160	Dngoibmo.exe	29
PID 1160 wrote to memory of 2072	1160	Dngoibmo.exe	29
PID 2072 wrote to memory of 2664	2072	Dbehoa32.exe	30
PID 2072 wrote to memory of 2664	2072	Dbehoa32.exe	30
PID 2072 wrote to memory of 2664	2072	Dbehoa32.exe	30
PID 2072 wrote to memory of 2664	2072	Dbehoa32.exe	30
PID 2664 wrote to memory of 2472	2664	Dgdmmgpj.exe	31
PID 2664 wrote to memory of 2472	2664	Dgdmmgpj.exe	31
PID 2664 wrote to memory of 2472	2664	Dgdmmgpj.exe	31
PID 2664 wrote to memory of 2472	2664	Dgdmmgpj.exe	31
PID 2472 wrote to memory of 2736	2472	Dfijnd32.exe	32
PID 2472 wrote to memory of 2736	2472	Dfijnd32.exe	32
PID 2472 wrote to memory of 2736	2472	Dfijnd32.exe	32
PID 2472 wrote to memory of 2736	2472	Dfijnd32.exe	32
PID 2736 wrote to memory of 2948	2736	Efncicpm.exe	33
PID 2736 wrote to memory of 2948	2736	Efncicpm.exe	33
PID 2736 wrote to memory of 2948	2736	Efncicpm.exe	33
PID 2736 wrote to memory of 2948	2736	Efncicpm.exe	33
PID 2948 wrote to memory of 2824	2948	Enihne32.exe	34
PID 2948 wrote to memory of 2824	2948	Enihne32.exe	34
PID 2948 wrote to memory of 2824	2948	Enihne32.exe	34
PID 2948 wrote to memory of 2824	2948	Enihne32.exe	34
PID 2824 wrote to memory of 3000	2824	Fckjalhj.exe	35
PID 2824 wrote to memory of 3000	2824	Fckjalhj.exe	35
PID 2824 wrote to memory of 3000	2824	Fckjalhj.exe	35
PID 2824 wrote to memory of 3000	2824	Fckjalhj.exe	35
PID 3000 wrote to memory of 2708	3000	Fmcoja32.exe	36
PID 3000 wrote to memory of 2708	3000	Fmcoja32.exe	36
PID 3000 wrote to memory of 2708	3000	Fmcoja32.exe	36
PID 3000 wrote to memory of 2708	3000	Fmcoja32.exe	36
PID 2708 wrote to memory of 1788	2708	Ffnphf32.exe	37
PID 2708 wrote to memory of 1788	2708	Ffnphf32.exe	37
PID 2708 wrote to memory of 1788	2708	Ffnphf32.exe	37
PID 2708 wrote to memory of 1788	2708	Ffnphf32.exe	37
PID 1788 wrote to memory of 2716	1788	Facdeo32.exe	38
PID 1788 wrote to memory of 2716	1788	Facdeo32.exe	38
PID 1788 wrote to memory of 2716	1788	Facdeo32.exe	38
PID 1788 wrote to memory of 2716	1788	Facdeo32.exe	38
PID 2716 wrote to memory of 324	2716	Gonnhhln.exe	39
PID 2716 wrote to memory of 324	2716	Gonnhhln.exe	39
PID 2716 wrote to memory of 324	2716	Gonnhhln.exe	39
PID 2716 wrote to memory of 324	2716	Gonnhhln.exe	39
PID 324 wrote to memory of 1260	324	Gbkgnfbd.exe	40
PID 324 wrote to memory of 1260	324	Gbkgnfbd.exe	40
PID 324 wrote to memory of 1260	324	Gbkgnfbd.exe	40
PID 324 wrote to memory of 1260	324	Gbkgnfbd.exe	40
PID 1260 wrote to memory of 1276	1260	Gelppaof.exe	41
PID 1260 wrote to memory of 1276	1260	Gelppaof.exe	41
PID 1260 wrote to memory of 1276	1260	Gelppaof.exe	41
PID 1260 wrote to memory of 1276	1260	Gelppaof.exe	41
PID 1276 wrote to memory of 2420	1276	Ghkllmoi.exe	42
PID 1276 wrote to memory of 2420	1276	Ghkllmoi.exe	42
PID 1276 wrote to memory of 2420	1276	Ghkllmoi.exe	42
PID 1276 wrote to memory of 2420	1276	Ghkllmoi.exe	42
PID 2420 wrote to memory of 2036	2420	Ghoegl32.exe	43
PID 2420 wrote to memory of 2036	2420	Ghoegl32.exe	43
PID 2420 wrote to memory of 2036	2420	Ghoegl32.exe	43
PID 2420 wrote to memory of 2036	2420	Ghoegl32.exe	43

C:\Users\Admin\AppData\Local\Temp\e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\Dngoibmo.exe
  C:\Windows\system32\Dngoibmo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\SysWOW64\Dbehoa32.exe
    C:\Windows\system32\Dbehoa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\Dgdmmgpj.exe
      C:\Windows\system32\Dgdmmgpj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\Dfijnd32.exe
        
        C:\Windows\system32\Dfijnd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\SysWOW64\Efncicpm.exe
        
        C:\Windows\system32\Efncicpm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Enihne32.exe
        
        C:\Windows\system32\Enihne32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Fckjalhj.exe
        
        C:\Windows\system32\Fckjalhj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Fmcoja32.exe
        
        C:\Windows\system32\Fmcoja32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Ffnphf32.exe
        
        C:\Windows\system32\Ffnphf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Facdeo32.exe
        
        C:\Windows\system32\Facdeo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Gbkgnfbd.exe
        
        C:\Windows\system32\Gbkgnfbd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\Gelppaof.exe
        
        C:\Windows\system32\Gelppaof.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Ghkllmoi.exe
        
        C:\Windows\system32\Ghkllmoi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Ghoegl32.exe
        
        C:\Windows\system32\Ghoegl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:588
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:280
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        23⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 140
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dfijnd32.exe

Filesize
398KB

MD5
a2bc325d9b94ff91e09262bbb2ca0d12

SHA1
6db1e9603927adab3565adc7f3d028ad8b3fe54b

SHA256
56b76bd5f524548ce5a3326b7d552b385db74c9c2d5d03181bcdb0445e609c99

SHA512
65a18d3ee2ee27d9b6a7fd277c4df51f7dbfebfcf955dad3381ef6b1246575f9aea87918375a04267b6dda1b0d475f7e45bfaf45007fa23048052770eb6263a7

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
398KB

MD5
2fcdf5ab9a7b6b2ef437aa2b6a33b205

SHA1
f333250f81f083228caa0a4b0d4e943934f23c14

SHA256
901484e84b89fdd019f3fc3b2e140b2549642d68f192cdb493e45654a10b715b

SHA512
48d6f1095a0591e70854d60ea665e0aca4fc3bc731d713f1d974e1ed16986a86b8a1424f2343806d211b2183bee485a3baba48fb97637c24753dbdc9453b9ba4

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
398KB

MD5
49630c191083a5b6a8be9031b7c64fb4

SHA1
4e3b35e384292d7fd7da3a6c48544b4ed5fb24f7

SHA256
3a70af28e8eedfd9950d4e9786a2d35a174a381cbff0fc77b465b72be36054d6

SHA512
d005fd7a774d138b66afa9ddd76808ce591a76fcf64befbba544221994802cddc92e13f0c2f56a6370a55a295fa9ef3b6308b6081258102c659cf843ab66735a

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
398KB

MD5
51aa1e6b6222e744df83f9f331c6c1d1

SHA1
c211112557fc34f80b211e8821c4f4be104185c9

SHA256
2a089b8ac27787f6cdcf17c79bb97485a43b64ce3aa2285290d6e0effb8dee15

SHA512
34aba3600e58dd7e7ec0aaac64b7b1723bc918509e5de7ca4953b26770abfa257457f0b3e810e31a4e7263950c582a2934aeb9d1347c7ddb23f2a298f7f84038

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
398KB

MD5
3bee4200f3822b8512bb15c3f60e3b70

SHA1
585662c6727cd858120e2857679ab02bf4cce03d

SHA256
a41d19660df1ba58cb91526f88aeedbfb3e0c961efcf232813f598c00840cfc3

SHA512
587d6783be9cb2e94db5d67f001f2a646c6fe62274718cb3374e8b9c2801eea608a06b224fff1182c616c78fa9cad89d64455af0ceea8f7f9efd5d461df1fd89

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
398KB

MD5
49838bec564c176baba130ac78cbcffd

SHA1
5b12ddec3fefe71ecdf183b88dfbf9a6c71645cd

SHA256
6898bc11e0d7e2b135cfc4bd59b70057e2697f8a61dc217232b89bf64680f519

SHA512
5794e0f738b0f046c8e83e2c2572fbf7866ee3990aa9343c108e1cbca860a8542511e7d9204e8c1259f9ff2b61a115eabe732a6811ac8d642466f269e5fc4771

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
398KB

MD5
d776cc1ef00ae679479a52d8fb3ab6bf

SHA1
bd0c05449a7835d8a028d2098cd233a524e160a9

SHA256
d82f633453d8fda2ed8d3105aef8d5fe7f1cc9a1a1fb968dcb0a7ffae47f2e18

SHA512
4aa46a5b5010281c8574302eb7097a37013a7db67b7fb06b497ce668d22e304e89e98fa77235b8bdec38280e0501248f5281a86afb8c7fd82f6d07ad0976443e

Download Submit
C:\Windows\SysWOW64\Lkojpojq.dll

Filesize
7KB

MD5
e7d1a40c0b02fefe024ebff84356c47a

SHA1
91cdf33b9a287fa85a74d638026b331d3496095e

SHA256
53860b9ca404136900a960a8d313c9221509d9348f2428500e59315d5525d1d9

SHA512
529ecaa77b2ae3fc80c82bac3967c98c18c97c31993536ab2e2522b7fd1d5c7d38e3335ad24f036b30d2231983f3b2d41736ed286744f1f11edeaef909793ff9

Download Submit
\Windows\SysWOW64\Dbehoa32.exe

Filesize
398KB

MD5
e9a5288c408caf66713914395d0dd3e6

SHA1
db77f19cda7bf1ff83f8120a667f77f5a1a68a6c

SHA256
9d4b0ab5b7fd20f842e20eb24b85607d4a572e097f17adbe32a601e470cd345f

SHA512
0c6f9a867e0d490a9d936bd016301ff5bf3f89e11021fcf0219cb97c57e30c14b8bbdaa0ed48b98d4e3f123823378a585531db6797ebe510b23d48f42cddd984

Download Submit
\Windows\SysWOW64\Dgdmmgpj.exe

Filesize
398KB

MD5
60b4ef867be075fc634d472245e769c6

SHA1
b64038cdd0a345640225cb41f19abc5be9d5a49f

SHA256
c63797a96091b42a1cc0e672592a362b58255b482cd3732f4d6aa433964b4dce

SHA512
f94b181968b99771244b1c0e97e17e0769d435e5d6b99492c511610b3c47e73cbe37f4689b41c8a68c3cfb8482dc6ea4f455eddd73d6a0efa50cd2c6aab90a33

Download Submit
\Windows\SysWOW64\Dngoibmo.exe

Filesize
398KB

MD5
884aacc817845b0564a91a44a08e0858

SHA1
5d2fc89a4cbb40af6f9ec97b21986ec123f134ee

SHA256
4a28036b60d88623d540408e91f67942944a3ea6f8f50cce71456a2c584aad69

SHA512
66de543b4b8ebef4109b445b44851445872f18c9c20f7ec0b3b2fe63a4cd6c36f60ef5d490698b58fa1b434fc89cc668b09e4a69365e205436a6530481ad9943

Download Submit
\Windows\SysWOW64\Efncicpm.exe

Filesize
398KB

MD5
9191263db88db0783a5a908596437c2a

SHA1
ba0f67cf0618380364fd761029cc4fd53a12c63c

SHA256
ca1e6b612aa710570e6c2d642c46c6400b7e466111bb40aaf5cc551c1730e353

SHA512
558479742319a0c76c2aa44eade3e7b490b032dd64b722c9230232a3e4a648e096491d1f8331f959664d8cf45d55ea11e705db7750c308b857e1267805949d14

Download Submit
\Windows\SysWOW64\Enihne32.exe

Filesize
398KB

MD5
db2b6a77904d5658a2aa3304b38c2021

SHA1
37a58fcbb48fd281686cb979a89a5904210c6df2

SHA256
2ed81426e84f560e30e47a336dd3abb790b0303ff4c0d57ca5919a07c672d225

SHA512
1ca56389c8cda036383169d90aba0dcd34d4663d326a7d017384211537ffd886a8c633646bc50042aeaeb5529ccd90d10ad40a850de72e6f529decd5073bfa89

Download Submit
\Windows\SysWOW64\Facdeo32.exe

Filesize
398KB

MD5
eaffd839c58b6ae5c914db60ece98bc8

SHA1
3d26474ccad27e3ff852f7cc08bb76611da3dfb9

SHA256
9c7e77ffb890443b6fd055433c37762d39119870d372b9a59dbbce925f69a57a

SHA512
3763f6f1d55143c43eb678a10e5d38c83ddbcbebbeb4b49e833938be414a9d7941abde6363acd2c640ef31de1415fb95d26784edbefc7920be593241402cb8d4

Download Submit
\Windows\SysWOW64\Fckjalhj.exe

Filesize
398KB

MD5
cf2ac70eb926fdf11afd0fb191343b32

SHA1
e2d972d1298d4fbb925c14ab7f9a65aef66c59f4

SHA256
027ed020128d2ca26575c6f82984f32d9292aa92818d8b0c60eac4fdcc018a56

SHA512
69e78ee7654027928c7b6f93e61935c0a5708b1d8fb9c68167e4b35545c80b388889604d59a7fd1e61619579a16ce8c82df659483e16d413d4bd7f030cc38ee1

Download Submit
\Windows\SysWOW64\Ffnphf32.exe

Filesize
398KB

MD5
9ff7989c1dbcdb4840e442289b32e430

SHA1
dc867b3cfa56ac0452692bd75133dc4c2ad1348b

SHA256
9ce995f3b33e26d91271d32e9f8074783044b258bd29194cf174afefc79438d3

SHA512
9fbe8dcf9bb7f39e4ab676d7a867d07919c1c0cc30942aa1ebcb08554727a9fd41d004795eaabeb94ffd98126a8986bb441b76490b36795c0974eef43640e127

Download Submit
\Windows\SysWOW64\Fmcoja32.exe

Filesize
398KB

MD5
c1673f7b7064a19f561c5f798dd240a3

SHA1
70fcdc239e1ce2d57788b1eb6ad2ffd93562e2ad

SHA256
7d8ab8e794606e6e1837bf88ca0178c06f986671d7791dc40e0339562b6aa104

SHA512
7e4810e3ee875bc8c924daffe110928a50afa7297262a045ceb2545526db70edaf5376557c95523a3a54368f3c932a1f170242ab6e0d89ef64dcbaeda08b6a9e

Download Submit
\Windows\SysWOW64\Gbkgnfbd.exe

Filesize
398KB

MD5
08ef70708b38482f787731d393ae82eb

SHA1
807c8c852fef05234c7d3db01d63177b48aef951

SHA256
49527265102c1194f7090d11ad3d086db6cd4d02e4f342baaf7a836710f9e8fe

SHA512
d512170078bdae4898fba06d84e82f8cecf2e573275b8bffff29dc8fc8c234ee4d1a29a327d24b2f95054bf7e211f11329ec3816e2786f5f20354c601d4f52ef

Download Submit
\Windows\SysWOW64\Gelppaof.exe

Filesize
398KB

MD5
df9f9e337ce1eb9b472ccf5bd1154722

SHA1
d764bb459dda3645495f761cf661c28d5c0290bb

SHA256
da3d96e96a1347b4a48478408f1895317b90f1d4b2d83bc1feb0f2125ecff692

SHA512
326a6722b93f85592ea51bdb7132643ed515bd30f054810cab53ab4d12296d864dbf2c63b0a8c25585e0b1d26f39df53fc1706d02044facceb3359be0406e65b

Download Submit
\Windows\SysWOW64\Ghkllmoi.exe

Filesize
398KB

MD5
96c840f031c4d6556f62ecb1d1083c3a

SHA1
0437080ced127b70a587acabfd76f0eed38d633b

SHA256
7f04ed4a020eb8f2e0540be75ef7cd386c4fdae99397bb47103a89326d04935b

SHA512
46d7169e118ef05e1fe8bc76fd65e31d0fde853ae9cd79ec1e9a49ef1bb727c573b76b290a995fa1432bc90b25a584da46af997b97d8a7c05d9091407fa38c39

Download Submit
\Windows\SysWOW64\Ghoegl32.exe

Filesize
398KB

MD5
9e2c2d19cd9590ae3434369f215d12b2

SHA1
a532e8b1e13e6f1ca17498ae048871cb98eb6458

SHA256
a54877a3d1300d3be0f2f8e051eafd011cdeaf0d6d9c0539db14c00e7a147c7b

SHA512
fe96fe6b91ab7698f5c14448c69d26d16bb835d9abb1b61e8259b5987394416df69fba99d4aff3d41b7f73bdb383863fbe763c7c712da68581eddfb9d7b61779

Download Submit
\Windows\SysWOW64\Gonnhhln.exe

Filesize
398KB

MD5
599adfe60ad957c77394272816697532

SHA1
d56a988ff94d4435fecf40163a0f416301e3fffc

SHA256
9ea053ff0bf15b79f463b1617db6b0bbd482d3116b5fb26f13470dce5f3149c0

SHA512
321f874565b9fa14dbdae242b449009df5919463472d17877c67899d2d96fed31a9271429c629c4388269564c488f99486c2355bcdb274fdda1c37ace035100e

Download Submit
\Windows\SysWOW64\Hgdbhi32.exe

Filesize
398KB

MD5
d7e9e2dd7473942df16e1fd3db890bf4

SHA1
29a834c21dd68cb3212277e01634243715e3a5d8

SHA256
9d137a36835ad9b816fcd4cc1868841c2ad4847008587b3f02a7c39fa94461cc

SHA512
61a38b3e562c928e4dc68b7ae0fd6f6f869b7463d803134a1eb8dc60b97d765fbb8950417a76cae9607561a9cc4514776cc6a6127092525e005014261d438e7e

Download Submit
memory/280-282-0x0000000000270000-0x00000000002B6000-memory.dmp

Filesize
280KB

Download
memory/280-281-0x0000000000270000-0x00000000002B6000-memory.dmp

Filesize
280KB

Download
memory/280-303-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/280-275-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/324-165-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/324-295-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/588-233-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/588-239-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/588-238-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/740-301-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/740-259-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/740-263-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/1160-18-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1160-21-0x0000000000320000-0x0000000000366000-memory.dmp

Filesize
280KB

Download
memory/1260-182-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1260-296-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1276-191-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1276-199-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/1276-297-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1784-246-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/1784-240-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1784-250-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/1784-300-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1788-145-0x00000000004D0000-0x0000000000516000-memory.dmp

Filesize
280KB

Download
memory/1788-293-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1788-138-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2036-230-0x00000000002D0000-0x0000000000316000-memory.dmp

Filesize
280KB

Download
memory/2036-231-0x00000000002D0000-0x0000000000316000-memory.dmp

Filesize
280KB

Download
memory/2036-217-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2036-299-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2072-27-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2072-285-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2072-34-0x00000000002D0000-0x0000000000316000-memory.dmp

Filesize
280KB

Download
memory/2104-6-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/2104-284-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2104-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2276-283-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2368-274-0x00000000002F0000-0x0000000000336000-memory.dmp

Filesize
280KB

Download
memory/2368-273-0x00000000002F0000-0x0000000000336000-memory.dmp

Filesize
280KB

Download
memory/2368-302-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2368-265-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2420-298-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2472-287-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2472-69-0x0000000000350000-0x0000000000396000-memory.dmp

Filesize
280KB

Download
memory/2472-62-0x0000000000350000-0x0000000000396000-memory.dmp

Filesize
280KB

Download
memory/2472-55-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2664-46-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2664-286-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2664-53-0x0000000000300000-0x0000000000346000-memory.dmp

Filesize
280KB

Download
memory/2708-292-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2708-130-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2716-294-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2716-152-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2736-288-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2736-83-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/2736-84-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/2736-70-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2824-290-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2824-99-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2948-289-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2948-85-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2948-93-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/3000-291-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3000-112-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads