6e75f2937b52dbf23b59ce2260ca8a89a396757c3750ab0f5744bb5648510f84

Analysis

max time kernel
142s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe
Size

110KB
MD5

22e062af794dc93bbd9b8b3417d2f160
SHA1

fa108afcaa831b00406f5a3460994dc77fc5d38d
SHA256

6e75f2937b52dbf23b59ce2260ca8a89a396757c3750ab0f5744bb5648510f84
SHA512

e41edb8070672e938166e56ec7a498102553f675044d85d4cdc7a5a6da21c94ea3959f9a5051ac733358c89b9372f2720c4ce2637d11b099c569e22d4a9b60ea
SSDEEP

1536:SyIurqTw4xs5ngU7S2LzgmlkrWrOE5Y/dZodcUKmEAc3mV1tkKKWsm42L3:S9PxazDEm2yrOkXV1tkKKWsmJ3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphqji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aiplmq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edoencdm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edoencdm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphqji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eddnic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbaclegm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abcgjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpnooan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcgjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahfkimd.exe

Executes dropped EXE 19 IoCs

pid	Process
4304	Loacdc32.exe
220	Pakdbp32.exe
1256	Qpbnhl32.exe
400	Abcgjg32.exe
4552	Aiplmq32.exe
1048	Adgmoigj.exe
5024	Bbaclegm.exe
5068	Bphqji32.exe
3628	Cmnnimak.exe
1628	Calfpk32.exe
1920	Cacmpj32.exe
4480	Dahfkimd.exe
3632	Edoencdm.exe
4180	Egpnooan.exe
2652	Eddnic32.exe
3668	Fclhpo32.exe
4528	Fjhmbihg.exe
4408	Fjmfmh32.exe
4696	Gddgpqbe.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ckjfdocc.dll	Qpbnhl32.exe
File created	C:\Windows\SysWOW64\Adppeapp.dll	Bphqji32.exe
File opened for modification	C:\Windows\SysWOW64\Edoencdm.exe	Dahfkimd.exe
File opened for modification	C:\Windows\SysWOW64\Egpnooan.exe	Edoencdm.exe
File opened for modification	C:\Windows\SysWOW64\Adgmoigj.exe	Aiplmq32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnnimak.exe	Bphqji32.exe
File created	C:\Windows\SysWOW64\Loacdc32.exe	22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Adgmoigj.exe	Aiplmq32.exe
File created	C:\Windows\SysWOW64\Paenokbf.dll	Aiplmq32.exe
File created	C:\Windows\SysWOW64\Iocmhlca.dll	Adgmoigj.exe
File created	C:\Windows\SysWOW64\Pakdbp32.exe	Loacdc32.exe
File created	C:\Windows\SysWOW64\Fclhpo32.exe	Eddnic32.exe
File opened for modification	C:\Windows\SysWOW64\Fclhpo32.exe	Eddnic32.exe
File opened for modification	C:\Windows\SysWOW64\Fjmfmh32.exe	Fjhmbihg.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fjmfmh32.exe
File opened for modification	C:\Windows\SysWOW64\Loacdc32.exe	22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Qpbnhl32.exe	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Aiplmq32.exe	Abcgjg32.exe
File created	C:\Windows\SysWOW64\Eclbio32.dll	Eddnic32.exe
File created	C:\Windows\SysWOW64\Fjmfmh32.exe	Fjhmbihg.exe
File created	C:\Windows\SysWOW64\Abcgjg32.exe	Qpbnhl32.exe
File opened for modification	C:\Windows\SysWOW64\Abcgjg32.exe	Qpbnhl32.exe
File created	C:\Windows\SysWOW64\Calfpk32.exe	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Fohhdm32.dll	Calfpk32.exe
File created	C:\Windows\SysWOW64\Jlmmnd32.dll	22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Qpbnhl32.exe	Pakdbp32.exe
File opened for modification	C:\Windows\SysWOW64\Aiplmq32.exe	Abcgjg32.exe
File created	C:\Windows\SysWOW64\Bphqji32.exe	Bbaclegm.exe
File created	C:\Windows\SysWOW64\Mjaofnii.dll	Bbaclegm.exe
File opened for modification	C:\Windows\SysWOW64\Calfpk32.exe	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Hdedgjno.dll	Cacmpj32.exe
File opened for modification	C:\Windows\SysWOW64\Pakdbp32.exe	Loacdc32.exe
File created	C:\Windows\SysWOW64\Deaiemli.dll	Loacdc32.exe
File created	C:\Windows\SysWOW64\Cnidqf32.dll	Fclhpo32.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Cacmpj32.exe	Calfpk32.exe
File created	C:\Windows\SysWOW64\Ndmojj32.dll	Dahfkimd.exe
File created	C:\Windows\SysWOW64\Egpnooan.exe	Edoencdm.exe
File created	C:\Windows\SysWOW64\Eddnic32.exe	Egpnooan.exe
File opened for modification	C:\Windows\SysWOW64\Bbaclegm.exe	Adgmoigj.exe
File opened for modification	C:\Windows\SysWOW64\Eddnic32.exe	Egpnooan.exe
File created	C:\Windows\SysWOW64\Pjhfcm32.dll	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Qhjgbbnj.dll	Abcgjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bphqji32.exe	Bbaclegm.exe
File created	C:\Windows\SysWOW64\Cmnnimak.exe	Bphqji32.exe
File created	C:\Windows\SysWOW64\Eafbac32.dll	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Fjhmbihg.exe	Fclhpo32.exe
File opened for modification	C:\Windows\SysWOW64\Dahfkimd.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Lnedgk32.dll	Edoencdm.exe
File created	C:\Windows\SysWOW64\Fbjbac32.dll	Egpnooan.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmbihg.exe	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Klfhhpnk.dll	Fjhmbihg.exe
File created	C:\Windows\SysWOW64\Bbaclegm.exe	Adgmoigj.exe
File opened for modification	C:\Windows\SysWOW64\Cacmpj32.exe	Calfpk32.exe
File created	C:\Windows\SysWOW64\Dahfkimd.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Edoencdm.exe	Dahfkimd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3276	4696	WerFault.exe	108

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjhmbihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjfdocc.dll"	Qpbnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adppeapp.dll"	Bphqji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmojj32.dll"	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dahfkimd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dahfkimd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmmnd32.dll"	22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhjgbbnj.dll"	Abcgjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aiplmq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbaclegm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdedgjno.dll"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnedgk32.dll"	Edoencdm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfhhpnk.dll"	Fjhmbihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aiplmq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgmoigj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnidqf32.dll"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egpnooan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deaiemli.dll"	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphqji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjaofnii.dll"	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjhfcm32.dll"	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenokbf.dll"	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpbnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclbio32.dll"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocmhlca.dll"	Adgmoigj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphqji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpbnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhdm32.dll"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjbac32.dll"	Egpnooan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fclhpo32.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4304	4836	22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe	90
PID 4836 wrote to memory of 4304	4836	22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe	90
PID 4836 wrote to memory of 4304	4836	22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe	90
PID 4304 wrote to memory of 220	4304	Loacdc32.exe	91
PID 4304 wrote to memory of 220	4304	Loacdc32.exe	91
PID 4304 wrote to memory of 220	4304	Loacdc32.exe	91
PID 220 wrote to memory of 1256	220	Pakdbp32.exe	92
PID 220 wrote to memory of 1256	220	Pakdbp32.exe	92
PID 220 wrote to memory of 1256	220	Pakdbp32.exe	92
PID 1256 wrote to memory of 400	1256	Qpbnhl32.exe	93
PID 1256 wrote to memory of 400	1256	Qpbnhl32.exe	93
PID 1256 wrote to memory of 400	1256	Qpbnhl32.exe	93
PID 400 wrote to memory of 4552	400	Abcgjg32.exe	94
PID 400 wrote to memory of 4552	400	Abcgjg32.exe	94
PID 400 wrote to memory of 4552	400	Abcgjg32.exe	94
PID 4552 wrote to memory of 1048	4552	Aiplmq32.exe	95
PID 4552 wrote to memory of 1048	4552	Aiplmq32.exe	95
PID 4552 wrote to memory of 1048	4552	Aiplmq32.exe	95
PID 1048 wrote to memory of 5024	1048	Adgmoigj.exe	96
PID 1048 wrote to memory of 5024	1048	Adgmoigj.exe	96
PID 1048 wrote to memory of 5024	1048	Adgmoigj.exe	96
PID 5024 wrote to memory of 5068	5024	Bbaclegm.exe	97
PID 5024 wrote to memory of 5068	5024	Bbaclegm.exe	97
PID 5024 wrote to memory of 5068	5024	Bbaclegm.exe	97
PID 5068 wrote to memory of 3628	5068	Bphqji32.exe	98
PID 5068 wrote to memory of 3628	5068	Bphqji32.exe	98
PID 5068 wrote to memory of 3628	5068	Bphqji32.exe	98
PID 3628 wrote to memory of 1628	3628	Cmnnimak.exe	99
PID 3628 wrote to memory of 1628	3628	Cmnnimak.exe	99
PID 3628 wrote to memory of 1628	3628	Cmnnimak.exe	99
PID 1628 wrote to memory of 1920	1628	Calfpk32.exe	100
PID 1628 wrote to memory of 1920	1628	Calfpk32.exe	100
PID 1628 wrote to memory of 1920	1628	Calfpk32.exe	100
PID 1920 wrote to memory of 4480	1920	Cacmpj32.exe	101
PID 1920 wrote to memory of 4480	1920	Cacmpj32.exe	101
PID 1920 wrote to memory of 4480	1920	Cacmpj32.exe	101
PID 4480 wrote to memory of 3632	4480	Dahfkimd.exe	102
PID 4480 wrote to memory of 3632	4480	Dahfkimd.exe	102
PID 4480 wrote to memory of 3632	4480	Dahfkimd.exe	102
PID 3632 wrote to memory of 4180	3632	Edoencdm.exe	103
PID 3632 wrote to memory of 4180	3632	Edoencdm.exe	103
PID 3632 wrote to memory of 4180	3632	Edoencdm.exe	103
PID 4180 wrote to memory of 2652	4180	Egpnooan.exe	104
PID 4180 wrote to memory of 2652	4180	Egpnooan.exe	104
PID 4180 wrote to memory of 2652	4180	Egpnooan.exe	104
PID 2652 wrote to memory of 3668	2652	Eddnic32.exe	105
PID 2652 wrote to memory of 3668	2652	Eddnic32.exe	105
PID 2652 wrote to memory of 3668	2652	Eddnic32.exe	105
PID 3668 wrote to memory of 4528	3668	Fclhpo32.exe	106
PID 3668 wrote to memory of 4528	3668	Fclhpo32.exe	106
PID 3668 wrote to memory of 4528	3668	Fclhpo32.exe	106
PID 4528 wrote to memory of 4408	4528	Fjhmbihg.exe	107
PID 4528 wrote to memory of 4408	4528	Fjhmbihg.exe	107
PID 4528 wrote to memory of 4408	4528	Fjhmbihg.exe	107
PID 4408 wrote to memory of 4696	4408	Fjmfmh32.exe	108
PID 4408 wrote to memory of 4696	4408	Fjmfmh32.exe	108
PID 4408 wrote to memory of 4696	4408	Fjmfmh32.exe	108

C:\Users\Admin\AppData\Local\Temp\22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\22e062af794dc93bbd9b8b3417d2f160_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\Loacdc32.exe
  C:\Windows\system32\Loacdc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\SysWOW64\Pakdbp32.exe
    C:\Windows\system32\Pakdbp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\SysWOW64\Qpbnhl32.exe
      C:\Windows\system32\Qpbnhl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
      - C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Dahfkimd.exe
        
        C:\Windows\system32\Dahfkimd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        20⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 400
        21⤵
        Program crash
        
        PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4696 -ip 4696
1⤵
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abcgjg32.exe

Filesize
110KB

MD5
f6dd071e5912c6e84151502bfcbc5dfe

SHA1
c279a445d3cfc3e1a9265134e020de7bd5d86e44

SHA256
e63aa0dc64aeaefb7ede8f6d81dabf543524a1b6e8f37975c8c0ec316d75d609

SHA512
6d67e71218f34301cbb964c981cea05e6847543a3e23f7c0ac902894c0cd6e700260afd26961e4899277fa50ecc9af4b31d9f5d89b88db1d758696ad46c22c30

Download Submit
C:\Windows\SysWOW64\Adgmoigj.exe

Filesize
110KB

MD5
bdb31ddee488e8eb6d1e7d2df2fd75ee

SHA1
3a00739c38ac3ea9cf5c47f4f3361121f1aed0c9

SHA256
469faa1a78f41f6ab01099f30f0292a77a6009571ee8e491e30ffbdc021c63b0

SHA512
1251ca9c146ca61c4d65ab262da9958035c1d3c52fa5da2b91012382d29ed8fbbe373054a0665c4774274f1691cd9c566445135b048ed55753cd7a47122d0c40

Download Submit
C:\Windows\SysWOW64\Aiplmq32.exe

Filesize
110KB

MD5
524fb9d08032422a7b79585def5aa99c

SHA1
f68f66355817cadd3d2346e3aed7b14f554acb33

SHA256
a5d3bb4fec37c706ec8d6428950bd6b716af66acdbd72a2ab57e6b23b81c20e5

SHA512
9054960146daab89c4821965c7525551ccc3613e3e6d8e251e44ae81f2c0be3bbc34398130d208d724f6a676a4a58b51e7304d593dc90f8f7a80a9172bc71402

Download Submit
C:\Windows\SysWOW64\Bbaclegm.exe

Filesize
110KB

MD5
b16b0b05ad9ce5736b195188433b4a21

SHA1
99e5e484f364816735d557f4270245cbad995149

SHA256
bf2fd4ecd7c8a62a97c06feebe2f096c0fec12724e1eabdcb686f69a3d5bfa99

SHA512
ef49025561159876c164822d08a0877e1a4b85aa25dcb4e7e39e0b0fa06203d9c5b7b83c4106249477da88033cd57e52cc31f031c53531a96014755df321519a

Download Submit
C:\Windows\SysWOW64\Bphqji32.exe

Filesize
110KB

MD5
fa25459c60ea3012b6ff2172c0c26da1

SHA1
c44860deeaae8a74c0cf04bbfc6dad788d1d7326

SHA256
c0ab61214ad715204d07cfc4ea06e502af67b200bdb6a52170a1a2cfe6585056

SHA512
07736f308519363cc4bf2b06fd60f0bc99895145fa7a08ff0f2c7dca13c657b071f338f92123fbe3e25d7c37b4b2e24494aa3c6e232bebd1effe77ad6cf447c7

Download Submit
C:\Windows\SysWOW64\Cacmpj32.exe

Filesize
110KB

MD5
bc55e23e347f5e8c3da7c401efef014d

SHA1
8e6c47c689d58f85dc8f17502581c7b480791bf2

SHA256
581d3310187760523aa1e22bb3b72a55d91a0c1250138ac658eb5b06795a8ec6

SHA512
e84db1e769ef2146b82ca44a24dab105606c1525b050b6228bb41d7c55e4a1f8fbb594834079b84560e255f88dab7323b7ef5715c1599d32363e4edbf76fdbee

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
110KB

MD5
c6fe464c22d52cde9d6f6e60c669ca01

SHA1
bc686ff6b9bb7f5296ef4e710879c30cdbb4516d

SHA256
2e3dffc31d809d0d04e5df3345abcd9bc1e3b750c16e32d45e24942eba806534

SHA512
08365f7e6c3b2c785fe587b7ecb5ed29d857abe37cb2108423767cb0adc55cfa0b5eb38131949e40ebd4d9fc59ceca3c750fc76817a4d092d577405c505cf32e

Download Submit
C:\Windows\SysWOW64\Cmnnimak.exe

Filesize
110KB

MD5
2d04aaf3e87f8dece5645e0d68c89d4e

SHA1
69dd98cd9baa1b9db142610702c74008b9c18c16

SHA256
473a0742a0add16c3d31edec64941135592e42174e1dc66dd9998692af1c6419

SHA512
eab57b5fe38b4eaa84e8a2762e9f00c4d122522b0a573077e2da905dac52832837e5f7a18af9a764ef02984aa7c2e7ef21b7a9676035483a6b4f082e721ce5e3

Download Submit
C:\Windows\SysWOW64\Dahfkimd.exe

Filesize
110KB

MD5
32d2ee9c25685a7178fbf84f3cbe407e

SHA1
f651ec602f3c7a1db323c112f98bc0bcc1c25485

SHA256
e2b3d18835a632d66c5da3e10648abf925d5f2bd3804b73c38177ada21fefae1

SHA512
c2783c8ccd053dec5659b42e869a5bfa660d8f10c4bc78654912e1371f2dc56b15ec53087091cee594e265fd4c997e5aed595500e2399d992e2e6dcdcf407859

Download Submit
C:\Windows\SysWOW64\Eddnic32.exe

Filesize
110KB

MD5
9a18d0c7060daf492a971005b88ca6e1

SHA1
14c2e9c9aa51fcbc6ad3008a24604b6a1e7b2458

SHA256
20b1c3831e36d779ac9d1eb065c2570174f71d1ac4eae0cf199d81c3cd6cb00f

SHA512
7d90769b598e512b84f9212b012f17830c761317c0de7b80241a40fec5c598b982ea84075accad019e9d9fa970b8a947b36f206321bf69af419a8f72ab86ee40

Download Submit
C:\Windows\SysWOW64\Edoencdm.exe

Filesize
110KB

MD5
0678b43f52a590f6f16b693c215e9aa3

SHA1
5958d26c28f15139c8208e72f37f4e10d851f4cb

SHA256
1a83d3ee86ca4c5e4082698b2d3526d3d24ff7015f4c2f120a0ea06fadc240cc

SHA512
51823c078fdffd2990f086bbd1d036b838851a372c8243fcddf69d730682a4accbad2b49b12f6dc544472841b391787081d14ac77c4333c6478e3e51681d1e53

Download Submit
C:\Windows\SysWOW64\Egpnooan.exe

Filesize
110KB

MD5
6361c5664f126ca7c128998989bdab52

SHA1
824a825e9bb8bca3c4791aebdbd2e2d4cc466480

SHA256
e6b0c2e18f982d947a710ae0e3ed1964e1f14911f8419d9eb50ed3af0580d18b

SHA512
b3ea3290338ac14f882d81d34a4320add0b18a2d10b3b962ed3b28ededad7daf5721d5f27b95099062e31c917f86d7a7939f75abb23c5f26f0fa42e3696d4e19

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
110KB

MD5
88bb7cc8348561418366f41548fe7e64

SHA1
709b529b419a2851859cb4e5feb94df6d98fde39

SHA256
8d3387baf32faf13c16bd0f472b74456c681d1201d74e836c920b7a2ed6c8efe

SHA512
0567e8b8eceb61abe4f4a17feae4243b6b80a9f591297cbd9b7c12d02e850b9cc99929297a5c8b592e64322dd64b001d4b6f444aa8c92843b74ffb3ef5afc811

Download Submit
C:\Windows\SysWOW64\Fjhmbihg.exe

Filesize
110KB

MD5
69b21eebfeb43a1661b3927d920ec868

SHA1
1f3fc15e9f3cd035c19b53736f24d601f96a276d

SHA256
9b395e1c30bb3505e869cddb781cf5599b634a31f8238f7d5acaa508da944a2c

SHA512
1666345f4a420c9de1b56b26df89bd6149fc77772f90305a553cdebaf1b0cb00ff17c00ffe1b16d5fb8927ebaa2c002332be57f53466436473fff2fba1b091c1

Download Submit
C:\Windows\SysWOW64\Fjmfmh32.exe

Filesize
110KB

MD5
8bd30eaffaf3bfb96b90cdedde26dd58

SHA1
6d0e98ec6e813ae71e5b47585dc651a8e8d12540

SHA256
b0aa23bf6e1783854122e75a83e65cb86e6fb2639e5c61053013a47fe81b92a3

SHA512
3a074bbd8ed409fb40ed23c22abdb09b5b0e8294d06b9c8202847f0e11ac1e1c89052182118f0a9b04a48b462dd12337f64a0dd96007078798e40c87bc525663

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
110KB

MD5
dc522885119e7c2cd11319c849f01a2d

SHA1
6c9438cc2c8459f188949b9b7c1c11f3b90e4add

SHA256
452812d1a272ef7fcadd9ce7d2ae72c54bc70ac4e4e8084649c6a39cb2bc773d

SHA512
99746799948c64f40d5496cb5d56a6741d430db1dd651ccb26753c761fd811c2f97de3fe75f74e73183bfd107ee6ccb035eb07d003c5795778ab5085f9b04696

Download Submit
C:\Windows\SysWOW64\Loacdc32.exe

Filesize
110KB

MD5
5a44c0ddb29a9e175c8a110fb6d8e41e

SHA1
f31439f7e82c286b46b05173838ee65df9ba55e0

SHA256
00d6527561e85b6b17d51eba0648adf888749879bed7f1151c0276ed2e7c7275

SHA512
d889d61fc2b66e5d60d455e7cd4557c7338234a82e273df0657a695f0b3139675775658cf158e9ee318518cf309df40dd32846a06fe249101a06d557bde58eb6

Download Submit
C:\Windows\SysWOW64\Pakdbp32.exe

Filesize
110KB

MD5
b12c820f5700934dd7f1c74978b017d3

SHA1
eb8492859b9709870235c67e94cb3bee57e7f0e0

SHA256
e537cb3fd8c7a286cc63d103cd0ad58aba6077fc84f9e6008e64f6ce223ba581

SHA512
2a99524b6ce86a8b7ebb79c7af326d1290f809c7d4026a93358f89eaff1da27411eeded979e64fc63830c010d5b3847d5e613630023bb8abd908d21c26aa326d

Download Submit
C:\Windows\SysWOW64\Qpbnhl32.exe

Filesize
110KB

MD5
1aa6818ffa332a2452cadb68b84a32e8

SHA1
bcd5bd2fb89f0e3b2c571529f2f07d3e5adf91ca

SHA256
198e95f713bf9c44b0f2ef35aea4c2135a5c641cf9f11bfc5608021ce86f158e

SHA512
9e74ff8e19d0c7e60e5545301490adb2cee9373b4412e3b9d6eedf20f4b6d147304d2d1c013c926a559cde83b610a3992ad728fa97c7fdf4d39877c526cf2187

Download Submit
memory/220-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-51-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-10-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-3-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4836-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads