f53a2551a81b51e0bea007e9bcb6051c34b28650175eafd320cf7671318d4781

Analysis

max time kernel
143s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-06-2024 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe
Size

669KB
MD5

2c7a52992f7b4c97c040749d92bb00e0
SHA1

0c7cb61f7cbc9c964b8d9a3d4d4560a05504d21a
SHA256

f53a2551a81b51e0bea007e9bcb6051c34b28650175eafd320cf7671318d4781
SHA512

37c599d80b3b69183b161e2720720c7a28f57640715703b808d4cba28f5f737c7c3eac0cc2b8d4f15a0d626db5c1411cf4dd5f3f85576a91afacb96abb52dddb
SSDEEP

12288:zhjIeVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:zhjzchMpQnqrdX72LbY6x46uR/qYglMi

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Fckjalhj.exeFmcoja32.exeIeqeidnl.exeDchali32.exeEmcbkn32.exeGkkemh32.exeCndbcc32.exeDodonf32.exeGpmjak32.exeHahjpbad.exeHdhbam32.exeHpapln32.exeIknnbklc.exe2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exeEnihne32.exeFdapak32.exeEbbgid32.exeFjlhneio.exeGieojq32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fckjalhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dchali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emcbkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodonf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emcbkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dchali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckjalhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbgid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodonf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebbgid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjlhneio.exe

Malware Dropper & Backdoor - Berbew 19 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
\Windows\SysWOW64\Cndbcc32.exe	family_berbew
C:\Windows\SysWOW64\Dodonf32.exe	family_berbew
\Windows\SysWOW64\Dchali32.exe	family_berbew
\Windows\SysWOW64\Emcbkn32.exe	family_berbew
\Windows\SysWOW64\Ebbgid32.exe	family_berbew
C:\Windows\SysWOW64\Enihne32.exe	family_berbew
\Windows\SysWOW64\Fckjalhj.exe	family_berbew
C:\Windows\SysWOW64\Fmcoja32.exe	family_berbew
\Windows\SysWOW64\Fdapak32.exe	family_berbew
\Windows\SysWOW64\Fjlhneio.exe	family_berbew
\Windows\SysWOW64\Gpmjak32.exe	family_berbew
C:\Windows\SysWOW64\Gieojq32.exe	family_berbew
\Windows\SysWOW64\Gkkemh32.exe	family_berbew
C:\Windows\SysWOW64\Hahjpbad.exe	family_berbew
C:\Windows\SysWOW64\Hdhbam32.exe	family_berbew
C:\Windows\SysWOW64\Hpapln32.exe	family_berbew
C:\Windows\SysWOW64\Ieqeidnl.exe	family_berbew
C:\Windows\SysWOW64\Iknnbklc.exe	family_berbew
C:\Windows\SysWOW64\Iagfoe32.exe	family_berbew

Executes dropped EXE 19 IoCs

Processes:

Cndbcc32.exeDodonf32.exeDchali32.exeEmcbkn32.exeEbbgid32.exeEnihne32.exeFckjalhj.exeFmcoja32.exeFdapak32.exeFjlhneio.exeGpmjak32.exeGieojq32.exeGkkemh32.exeHahjpbad.exeHdhbam32.exeHpapln32.exeIeqeidnl.exeIknnbklc.exeIagfoe32.exe

pid	process
2196	Cndbcc32.exe
2616	Dodonf32.exe
2776	Dchali32.exe
2960	Emcbkn32.exe
2292	Ebbgid32.exe
3044	Enihne32.exe
2820	Fckjalhj.exe
2936	Fmcoja32.exe
2336	Fdapak32.exe
2756	Fjlhneio.exe
2824	Gpmjak32.exe
1584	Gieojq32.exe
2116	Gkkemh32.exe
2916	Hahjpbad.exe
1948	Hdhbam32.exe
1056	Hpapln32.exe
2368	Ieqeidnl.exe
1992	Iknnbklc.exe
1728	Iagfoe32.exe

Loads dropped DLL 42 IoCs

Processes:

2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exeCndbcc32.exeDodonf32.exeDchali32.exeEmcbkn32.exeEbbgid32.exeEnihne32.exeFckjalhj.exeFmcoja32.exeFdapak32.exeFjlhneio.exeGpmjak32.exeGieojq32.exeGkkemh32.exeHahjpbad.exeHdhbam32.exeHpapln32.exeIeqeidnl.exeIknnbklc.exeWerFault.exe

pid	process
2952	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe
2952	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe
2196	Cndbcc32.exe
2196	Cndbcc32.exe
2616	Dodonf32.exe
2616	Dodonf32.exe
2776	Dchali32.exe
2776	Dchali32.exe
2960	Emcbkn32.exe
2960	Emcbkn32.exe
2292	Ebbgid32.exe
2292	Ebbgid32.exe
3044	Enihne32.exe
3044	Enihne32.exe
2820	Fckjalhj.exe
2820	Fckjalhj.exe
2936	Fmcoja32.exe
2936	Fmcoja32.exe
2336	Fdapak32.exe
2336	Fdapak32.exe
2756	Fjlhneio.exe
2756	Fjlhneio.exe
2824	Gpmjak32.exe
2824	Gpmjak32.exe
1584	Gieojq32.exe
1584	Gieojq32.exe
2116	Gkkemh32.exe
2116	Gkkemh32.exe
2916	Hahjpbad.exe
2916	Hahjpbad.exe
1948	Hdhbam32.exe
1948	Hdhbam32.exe
1056	Hpapln32.exe
1056	Hpapln32.exe
2368	Ieqeidnl.exe
2368	Ieqeidnl.exe
1992	Iknnbklc.exe
1992	Iknnbklc.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe

Drops file in System32 directory 57 IoCs

Processes:

Fckjalhj.exeFmcoja32.exeIeqeidnl.exeHahjpbad.exeIknnbklc.exeDchali32.exeEbbgid32.exeEnihne32.exeCndbcc32.exeDodonf32.exeEmcbkn32.exeGkkemh32.exeGpmjak32.exeHdhbam32.exeFdapak32.exeFjlhneio.exeGieojq32.exe2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exeHpapln32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Fmcoja32.exe	Fckjalhj.exe
File opened for modification	C:\Windows\SysWOW64\Fdapak32.exe	Fmcoja32.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Hdhbam32.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Ndabhn32.dll	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Mmqgncdn.dll	Dchali32.exe
File opened for modification	C:\Windows\SysWOW64\Enihne32.exe	Ebbgid32.exe
File opened for modification	C:\Windows\SysWOW64\Fckjalhj.exe	Enihne32.exe
File created	C:\Windows\SysWOW64\Enihne32.exe	Ebbgid32.exe
File created	C:\Windows\SysWOW64\Memeaofm.dll	Cndbcc32.exe
File opened for modification	C:\Windows\SysWOW64\Dchali32.exe	Dodonf32.exe
File opened for modification	C:\Windows\SysWOW64\Emcbkn32.exe	Dchali32.exe
File created	C:\Windows\SysWOW64\Jamfqeie.dll	Emcbkn32.exe
File created	C:\Windows\SysWOW64\Hahjpbad.exe	Gkkemh32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File opened for modification	C:\Windows\SysWOW64\Gieojq32.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Nobdlg32.dll	Dodonf32.exe
File created	C:\Windows\SysWOW64\Fjlhneio.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Gieojq32.exe	Gpmjak32.exe
File opened for modification	C:\Windows\SysWOW64\Fjlhneio.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Gpmjak32.exe	Fjlhneio.exe
File opened for modification	C:\Windows\SysWOW64\Gkkemh32.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Hpenlb32.dll	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Emcbkn32.exe	Dchali32.exe
File created	C:\Windows\SysWOW64\Jiiegafd.dll	Enihne32.exe
File created	C:\Windows\SysWOW64\Gkkemh32.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Lghegkoc.dll	Fckjalhj.exe
File created	C:\Windows\SysWOW64\Aloeodfi.dll	Fdapak32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Hahjpbad.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Njmekj32.dll	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Cndbcc32.exe	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Fdapak32.exe	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Ebbgid32.exe	Emcbkn32.exe
File opened for modification	C:\Windows\SysWOW64\Cndbcc32.exe	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Dodonf32.exe	Cndbcc32.exe
File created	C:\Windows\SysWOW64\Dchali32.exe	Dodonf32.exe
File created	C:\Windows\SysWOW64\Kcaipkch.dll	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hpapln32.exe
File created	C:\Windows\SysWOW64\Dodonf32.exe	Cndbcc32.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Hmhfjo32.dll	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Ebbgid32.exe	Emcbkn32.exe
File created	C:\Windows\SysWOW64\Nopodm32.dll	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Lkoabpeg.dll	Gpmjak32.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Iecimppi.dll	Ebbgid32.exe
File created	C:\Windows\SysWOW64\Fckjalhj.exe	Enihne32.exe
File created	C:\Windows\SysWOW64\Fmcoja32.exe	Fckjalhj.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2492 1728 WerFault.exe Iagfoe32.exe

pid	pid_target	process	target process
2492	1728	WerFault.exe	Iagfoe32.exe

Modifies registry class 60 IoCs

Processes:

Gkkemh32.exeHpapln32.exeIeqeidnl.exeIknnbklc.exe2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exeEbbgid32.exeGieojq32.exeGpmjak32.exeHahjpbad.exeEnihne32.exeFjlhneio.exeFckjalhj.exeFmcoja32.exeCndbcc32.exeHdhbam32.exeDodonf32.exeEmcbkn32.exeFdapak32.exeDchali32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebbgid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebbgid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll"	Ebbgid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll"	Fckjalhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpenlb32.dll"	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memeaofm.dll"	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodonf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamfqeie.dll"	Emcbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll"	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll"	Dodonf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiiegafd.dll"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll"	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll"	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dchali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fckjalhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodonf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dchali32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emcbkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enihne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndbcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmqgncdn.dll"	Dchali32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emcbkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fckjalhj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2952 wrote to memory of 2196	2952	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe	Cndbcc32.exe
PID 2952 wrote to memory of 2196	2952	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe	Cndbcc32.exe
PID 2952 wrote to memory of 2196	2952	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe	Cndbcc32.exe
PID 2952 wrote to memory of 2196	2952	2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe	Cndbcc32.exe
PID 2196 wrote to memory of 2616	2196	Cndbcc32.exe	Dodonf32.exe
PID 2196 wrote to memory of 2616	2196	Cndbcc32.exe	Dodonf32.exe
PID 2196 wrote to memory of 2616	2196	Cndbcc32.exe	Dodonf32.exe
PID 2196 wrote to memory of 2616	2196	Cndbcc32.exe	Dodonf32.exe
PID 2616 wrote to memory of 2776	2616	Dodonf32.exe	Dchali32.exe
PID 2616 wrote to memory of 2776	2616	Dodonf32.exe	Dchali32.exe
PID 2616 wrote to memory of 2776	2616	Dodonf32.exe	Dchali32.exe
PID 2616 wrote to memory of 2776	2616	Dodonf32.exe	Dchali32.exe
PID 2776 wrote to memory of 2960	2776	Dchali32.exe	Emcbkn32.exe
PID 2776 wrote to memory of 2960	2776	Dchali32.exe	Emcbkn32.exe
PID 2776 wrote to memory of 2960	2776	Dchali32.exe	Emcbkn32.exe
PID 2776 wrote to memory of 2960	2776	Dchali32.exe	Emcbkn32.exe
PID 2960 wrote to memory of 2292	2960	Emcbkn32.exe	Ebbgid32.exe
PID 2960 wrote to memory of 2292	2960	Emcbkn32.exe	Ebbgid32.exe
PID 2960 wrote to memory of 2292	2960	Emcbkn32.exe	Ebbgid32.exe
PID 2960 wrote to memory of 2292	2960	Emcbkn32.exe	Ebbgid32.exe
PID 2292 wrote to memory of 3044	2292	Ebbgid32.exe	Enihne32.exe
PID 2292 wrote to memory of 3044	2292	Ebbgid32.exe	Enihne32.exe
PID 2292 wrote to memory of 3044	2292	Ebbgid32.exe	Enihne32.exe
PID 2292 wrote to memory of 3044	2292	Ebbgid32.exe	Enihne32.exe
PID 3044 wrote to memory of 2820	3044	Enihne32.exe	Fckjalhj.exe
PID 3044 wrote to memory of 2820	3044	Enihne32.exe	Fckjalhj.exe
PID 3044 wrote to memory of 2820	3044	Enihne32.exe	Fckjalhj.exe
PID 3044 wrote to memory of 2820	3044	Enihne32.exe	Fckjalhj.exe
PID 2820 wrote to memory of 2936	2820	Fckjalhj.exe	Fmcoja32.exe
PID 2820 wrote to memory of 2936	2820	Fckjalhj.exe	Fmcoja32.exe
PID 2820 wrote to memory of 2936	2820	Fckjalhj.exe	Fmcoja32.exe
PID 2820 wrote to memory of 2936	2820	Fckjalhj.exe	Fmcoja32.exe
PID 2936 wrote to memory of 2336	2936	Fmcoja32.exe	Fdapak32.exe
PID 2936 wrote to memory of 2336	2936	Fmcoja32.exe	Fdapak32.exe
PID 2936 wrote to memory of 2336	2936	Fmcoja32.exe	Fdapak32.exe
PID 2936 wrote to memory of 2336	2936	Fmcoja32.exe	Fdapak32.exe
PID 2336 wrote to memory of 2756	2336	Fdapak32.exe	Fjlhneio.exe
PID 2336 wrote to memory of 2756	2336	Fdapak32.exe	Fjlhneio.exe
PID 2336 wrote to memory of 2756	2336	Fdapak32.exe	Fjlhneio.exe
PID 2336 wrote to memory of 2756	2336	Fdapak32.exe	Fjlhneio.exe
PID 2756 wrote to memory of 2824	2756	Fjlhneio.exe	Gpmjak32.exe
PID 2756 wrote to memory of 2824	2756	Fjlhneio.exe	Gpmjak32.exe
PID 2756 wrote to memory of 2824	2756	Fjlhneio.exe	Gpmjak32.exe
PID 2756 wrote to memory of 2824	2756	Fjlhneio.exe	Gpmjak32.exe
PID 2824 wrote to memory of 1584	2824	Gpmjak32.exe	Gieojq32.exe
PID 2824 wrote to memory of 1584	2824	Gpmjak32.exe	Gieojq32.exe
PID 2824 wrote to memory of 1584	2824	Gpmjak32.exe	Gieojq32.exe
PID 2824 wrote to memory of 1584	2824	Gpmjak32.exe	Gieojq32.exe
PID 1584 wrote to memory of 2116	1584	Gieojq32.exe	Gkkemh32.exe
PID 1584 wrote to memory of 2116	1584	Gieojq32.exe	Gkkemh32.exe
PID 1584 wrote to memory of 2116	1584	Gieojq32.exe	Gkkemh32.exe
PID 1584 wrote to memory of 2116	1584	Gieojq32.exe	Gkkemh32.exe
PID 2116 wrote to memory of 2916	2116	Gkkemh32.exe	Hahjpbad.exe
PID 2116 wrote to memory of 2916	2116	Gkkemh32.exe	Hahjpbad.exe
PID 2116 wrote to memory of 2916	2116	Gkkemh32.exe	Hahjpbad.exe
PID 2116 wrote to memory of 2916	2116	Gkkemh32.exe	Hahjpbad.exe
PID 2916 wrote to memory of 1948	2916	Hahjpbad.exe	Hdhbam32.exe
PID 2916 wrote to memory of 1948	2916	Hahjpbad.exe	Hdhbam32.exe
PID 2916 wrote to memory of 1948	2916	Hahjpbad.exe	Hdhbam32.exe
PID 2916 wrote to memory of 1948	2916	Hahjpbad.exe	Hdhbam32.exe
PID 1948 wrote to memory of 1056	1948	Hdhbam32.exe	Hpapln32.exe
PID 1948 wrote to memory of 1056	1948	Hdhbam32.exe	Hpapln32.exe
PID 1948 wrote to memory of 1056	1948	Hdhbam32.exe	Hpapln32.exe
PID 1948 wrote to memory of 1056	1948	Hdhbam32.exe	Hpapln32.exe

C:\Users\Admin\AppData\Local\Temp\2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2c7a52992f7b4c97c040749d92bb00e0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\SysWOW64\Cndbcc32.exe
C:\Windows\system32\Cndbcc32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\Dodonf32.exe
C:\Windows\system32\Dodonf32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\Dchali32.exe
C:\Windows\system32\Dchali32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\Emcbkn32.exe
C:\Windows\system32\Emcbkn32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\Ebbgid32.exe
C:\Windows\system32\Ebbgid32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\Enihne32.exe
C:\Windows\system32\Enihne32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\Fckjalhj.exe
C:\Windows\system32\Fckjalhj.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\Fmcoja32.exe
C:\Windows\system32\Fmcoja32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\Fdapak32.exe
C:\Windows\system32\Fdapak32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\Fjlhneio.exe
C:\Windows\system32\Fjlhneio.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\Gpmjak32.exe
C:\Windows\system32\Gpmjak32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\Gieojq32.exe
C:\Windows\system32\Gieojq32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\Gkkemh32.exe
C:\Windows\system32\Gkkemh32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\Hahjpbad.exe
C:\Windows\system32\Hahjpbad.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\Hdhbam32.exe
C:\Windows\system32\Hdhbam32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\Hpapln32.exe
C:\Windows\system32\Hpapln32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1056

C:\Windows\SysWOW64\Ieqeidnl.exe
C:\Windows\system32\Ieqeidnl.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2368

C:\Windows\SysWOW64\Iknnbklc.exe
C:\Windows\system32\Iknnbklc.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1992

C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
20⤵
- Executes dropped EXE
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 140
21⤵
- Loads dropped DLL
- Program crash
PID:2492

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dodonf32.exe
Filesize
669KB

MD5
5467e579f2522cf27c559cfedaabeaaf

SHA1
8b4890ac7fb6d477a1cc550f8b3b0eaa4920df3d

SHA256
b9e645013216803037fcfa5bf9a6edbba6235c5c8e91ef62a879545688f6a664

SHA512
610ad6659068811027c0b21104ab8fb819f42211dc03a8ae60f21f13d56bd79d5013f6134638544b4e515b4bbbddc465ca1149e230533e91f9747c8d1f6f7828

Download Submit
C:\Windows\SysWOW64\Enihne32.exe
Filesize
669KB

MD5
c3316eb71ab56d2c4f6cb812cf4fd4cd

SHA1
7fd56e0379dfe985a2e07f338b494a5c4451ce62

SHA256
977155513965bd6eced50c1eaae18bb01a909dbbc27a0a714560f4943a203f7c

SHA512
92a225e8d432831ca0231654e9f77f3aad15a6a0c679a9e8e31ebfbd681ccace9c6f3c71b52b27d3bab611590952ffde0b7139bf5ce33b05dd422e45affb08d3

Download Submit
C:\Windows\SysWOW64\Fmcoja32.exe
Filesize
669KB

MD5
cdbadfca7cf12426c1e5c0baeef948e2

SHA1
40844546321ace844e630ccae3c17b3e798adb23

SHA256
8cebace436631e411c517b462e6f4e31fa8e5e936a7915e63dccb12db22fe7ef

SHA512
f732b34620c6d9e24266ac7474c35c298d26296796379a9769329a205f3fcb34505619e9a80e11bbde97fc0581a37366383e83bd0f3e56eafb1f93df68912925

Download Submit
C:\Windows\SysWOW64\Gieojq32.exe
Filesize
669KB

MD5
ff4fd52cf09cb163874682c437502b86

SHA1
5c726a08edd29df8658d211829ebfe6d33cd3a3a

SHA256
3e620c2b0bb85583000b332c016eabb27ea427d6bca5d341a19013642de1c590

SHA512
c3d9a85207ed30dfdac1b4846b1a49bf6b667145c0361ca27bfdb0d6eb04f52946a0d9195087406280e14279afc84742a516b01db93f4ce90a189d392c6c0c3f

Download Submit
C:\Windows\SysWOW64\Hahjpbad.exe
Filesize
669KB

MD5
360de9f14de077874118c1c44e2b7dd3

SHA1
5f32baa7d1451444eaf55ca4b92f9fd40408127e

SHA256
509d8e75be3fbf4a31e742a443494b83b9340e0e79d32aa567efdfc7dfe98dca

SHA512
f898ba6e0b8860e739374839a03c1bba74cae27ea78e3bf2915e960356ce225d2db4eac5f769540b311db088a220df5be3fc0bf3224f200cabf5760ef6ccc225

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe
Filesize
669KB

MD5
5f99d7aa36747d03f5998892e4ef2962

SHA1
14a621d3f4472955a09aaea9d7e45d7bed7ceb8b

SHA256
9a383d9159bde32520de912cdcd6487eead2d5d29d15dc957e38646d82940ffb

SHA512
06f491634510512201735e6960efd3439a49dd9753c3e84e904c439a1b240324e22095bf6e8311204c82cf18ab7a6f0a0ac467cf66872405d95e788d76bf1cd7

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe
Filesize
669KB

MD5
4f4559099db72d4fb284e7795672671f

SHA1
1d530450992609731ec202264bdc78e9bc325cf3

SHA256
97a2d58154e7920e1defb90e51fb03b6c36771078b51f1ba7e2b5ea746399224

SHA512
0730b3ede70082cfd20aad08f79c35a58d21dbd985a7dbea331389fe5aef049b47ec63f70e2bc75c5752ecd42a1f81ef81654d6328df8f98433579e6fe5aab55

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe
Filesize
669KB

MD5
05d7ea94149aa7ca2924a875f7232fb7

SHA1
3dae66ff39c389dce08ea180008759477d26f499

SHA256
95ad220db7176d14fc989435462cf27101bb86c79250062a35c090fcaea0cb72

SHA512
44f5afbccb74832b306ad1bc16146851e36428e9f3d84ef473a566c08c34a29fdcc24b9f19caecd12a0f1b0fa17f565ea62266016a2e2a3b0647b2185211d587

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe
Filesize
669KB

MD5
9105c69b7015e9226c06cef29e1d3e4b

SHA1
ee973dc676dff692a192c82f57a45ea4d41f0b7e

SHA256
8cfcdb4d4361c9a26701bb41c7aafb3480ef3af0d85704c8bf3bc420ecd0baaa

SHA512
631e0f047999c673116645058864c8fb46bed49e997f0f27662068c810bba46179fab4b03c9cda547fca3a787a16babc47445efc9a43efa983e504999a6fdb86

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe
Filesize
669KB

MD5
c8a5bc3c5940e24b91a6f56777d6a271

SHA1
d34a64a130643b30f0201fd9d2b5081d7fb6eaf0

SHA256
1cfa941d42e55575e7a905198ed42d70d2496b3757b047d58d24ffaf907881e7

SHA512
f2de149ab12c16ca2b8a2f9260273e6531d5c0f8705a32f3d80dca185ec807a859b9e6bde2ee8653e4b6c84cbdd9cbdba77a3ead800ab459ef59ef93d93e5058

Download Submit
C:\Windows\SysWOW64\Jamfqeie.dll
Filesize
7KB

MD5
0bf755e777beaa938f463bea7d4002ad

SHA1
339006aa13d53df6f4e870c1fa4222cf8cc5df87

SHA256
990dd8b806aa51aa19f3e495a1ebbba491657cbf88becf03f80417ed53bf25cc

SHA512
f63ac24f22cbea56fd08e3bd2502776f08303ddabc5115e8642def6d709b85ffb28b3a81fe51e62327a935f774409fd6b6b75ff3641cbdbd43f99fc11fa4eeaf

Download Submit
\Windows\SysWOW64\Cndbcc32.exe
Filesize
669KB

MD5
840b4cec380956b421d38a9f5778d5e4

SHA1
6638f484620de94affed3606a9594ea59b298c32

SHA256
2869ee2ad59dc9c12db8caa8c86dce6fe336581837f8f3f3a9e078a722023dcd

SHA512
1533545347a181cce80fde8f719d254b50c894bb53e08fd58fb7f957f6f95bdb6899af5fedbef8a9805cc9e6692427317d27a5901c033560d546606dd3880245

Download Submit
\Windows\SysWOW64\Dchali32.exe
Filesize
669KB

MD5
66a061de484cfcf471a00787464ed12e

SHA1
7f4bbb166ba58e2a569a987c08dd4e78b2718944

SHA256
f51a8d80338d4614f6dcb2da4070b707765877afb768286aa6d432a2b1be6fe1

SHA512
3fe4c085e709b600d07700903b64454745ce22792728913ae3680a20e86ac549b00877fe02857232b57ce3f9f213fb4e576846aa9e26410430ce86cb3e7a57dd

Download Submit
\Windows\SysWOW64\Ebbgid32.exe
Filesize
669KB

MD5
3256a32b0b155647c715e85c52083651

SHA1
bc51f91be45a8480d2c3cf2f3e5c2157ce796b93

SHA256
1aeea66e510b1dcb8e041063d93a1dc7361f4a4847933777ec8a9b9853e65200

SHA512
15fafe4e4266df5e8ec3b5f83b7484cae50b69d1e1ad7fe86ede3f63e1df8cca80eedad0f34991c8ec1e85874ffdd637073731a10cbb4a5d1cd8455f3c458af5

Download Submit
\Windows\SysWOW64\Emcbkn32.exe
Filesize
669KB

MD5
63c209faa9780f21d31ed0d78951c3e7

SHA1
fb5780edafed93260815f3b852254d4474f06729

SHA256
1bebd1f539b60245559a011a6e240f0bbdea003739a117469de4c76e429005b7

SHA512
ac1f833d4117bef51bc6a78142cf7067b14ab4e14d01e6dab6ac7e8deb80871e2d947afd43f45c0b474102e4611a5bb5fa09d61be7e71aae2832929df0a5469a

Download Submit
\Windows\SysWOW64\Fckjalhj.exe
Filesize
669KB

MD5
ad5f1252f57820e43a16f9771bc69ed8

SHA1
6acc7719bb396617218846205994d90c4827c792

SHA256
fccdd3b9dd7d7de93e057be735f21260c9e389be0e63de277259b2433b193e46

SHA512
f6b1191f1922e9534125895c8ef7a65c251d16be14effd38a93927cedab41bdd87dfcf56985e1b6b818f423a9498668563d4ffd1863eadd458b0033113e21d67

Download Submit
\Windows\SysWOW64\Fdapak32.exe
Filesize
669KB

MD5
6485eba47168e6496ee5b83c87b28c67

SHA1
2d2d7c0554aba7829ecd9f435350427c501f7308

SHA256
f9f068f5b278d8a4c9af43a940005db8a113ddf265059b5abf20c02954f17f49

SHA512
fa1832ba6230ead6654a3e9988edb346a475f0e6f4cc1711ce29b0fefae6d6d830d882547c7f51bbbd16d6e60c9d76d702a68d16f063a42227c72de0cb2c3949

Download Submit
\Windows\SysWOW64\Fjlhneio.exe
Filesize
669KB

MD5
b29852f4f1585eb6b74c1ab05e16f8b5

SHA1
26006c46b3ddee3c6dbb58705800563d195fed21

SHA256
4172712abb014bd41c81eb02ca911014c1f289efba031c183fa88a63bdf7edc5

SHA512
08a5ec7e261795e0dc4a8d6e32e23cc446e6a992bca6f01a77cdb9d8ea3a8dfc81f53498adbe3a7adf813fe8567b6bae71ad131f76184f5b943662fff1df67e4

Download Submit
\Windows\SysWOW64\Gkkemh32.exe
Filesize
669KB

MD5
84a668ddf51286e3f0d86cb4a599a6fe

SHA1
ff9f4b8a86411e0a129579f53df0d93858256ad7

SHA256
d5237fe5dc011ddf3dca72f13173a449bb8d03a3716f60e9e8619605d955a9d3

SHA512
5c4e2f2b6fcb2615ab3d0573548a0e293bf93c21ef61774167d002e7e088ce3a1686ab0ddd47ad8ea71af209e0cb8477f362a55447ef1b806767df58ea223501

Download Submit
\Windows\SysWOW64\Gpmjak32.exe
Filesize
669KB

MD5
909c017351501f04c8a846f3ebd63c30

SHA1
4d275d30f7832bed6ab1530e75cb43a482e87f84

SHA256
98a301b075a6db5de76d3f86884e76c290b203ad8e77db1c80c2afa5ac69073c

SHA512
182427057aca9570f0b468ef1a25c796334e63aba01b6a0c5e2429154d5b7ffc529ab8bad567610f368187851b342c0ed1717e53bb82ad53fc2749eb08e302ff

Download Submit
memory/1056-232-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1056-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-178-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1728-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-225-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1948-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-219-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1948-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-254-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1992-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-27-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2196-26-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2196-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-85-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/2292-84-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/2336-136-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2336-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-244-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2368-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-36-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2756-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-150-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2776-54-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2776-55-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2776-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-113-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2820-114-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2820-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-170-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/2824-169-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/2916-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-13-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2952-6-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2960-64-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2960-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-86-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-93-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads