4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14

Analysis

max time kernel
143s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 08:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe
Size

148KB
MD5

eab5e3a24dbc75c9439d845e672819c0
SHA1

91e465362e1e6ba1fc1bd4c9efcf189f5bc1a431
SHA256

4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14
SHA512

d8d14a61d0cfa5c7ff6c04ab9cc8101efd925e3295f9ac9ca7e71ecd02e525a654bf9e526867ff15d812a8e66717c2b932cfd5ac91d3c991debb48750c0e72f5
SSDEEP

3072:U6NfcojsHXHY5OdzOdjKtlDoNQQ9wlHOdj+UCRQKOdj+U:U6NUAs3HKOdzOdkOdezOd

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enkece32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ealnephf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdapak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbgid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjdbnf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fejgko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmjaic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjdbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Faagpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fejgko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ealnephf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebbgid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Facdeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enkece32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eijcpoac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdapak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjilieka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpmjak32.exe

Executes dropped EXE 41 IoCs

pid	Process
1952	Eijcpoac.exe
2884	Ebbgid32.exe
2284	Epfhbign.exe
2684	Efppoc32.exe
2692	Enkece32.exe
2696	Eajaoq32.exe
2596	Ejbfhfaj.exe
2440	Ealnephf.exe
2984	Fjdbnf32.exe
2492	Fejgko32.exe
2232	Fjgoce32.exe
2600	Faagpp32.exe
2740	Fjilieka.exe
824	Facdeo32.exe
684	Fdapak32.exe
2304	Flmefm32.exe
2480	Feeiob32.exe
996	Fmlapp32.exe
2212	Gfefiemq.exe
692	Gicbeald.exe
1032	Gpmjak32.exe
556	Gldkfl32.exe
2448	Gdopkn32.exe
2356	Gkihhhnm.exe
1796	Gdamqndn.exe
1696	Gkkemh32.exe
3040	Gmjaic32.exe
2292	Hgbebiao.exe
2720	Hcifgjgc.exe
2736	Hkpnhgge.exe
2536	Hicodd32.exe
2868	Hggomh32.exe
3000	Hnagjbdf.exe
2340	Hcnpbi32.exe
2872	Hhjhkq32.exe
2988	Hodpgjha.exe
1736	Hhmepp32.exe
2164	Hkkalk32.exe
2760	Iaeiieeb.exe
2756	Iknnbklc.exe
584	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
3068	4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe
3068	4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe
1952	Eijcpoac.exe
1952	Eijcpoac.exe
2884	Ebbgid32.exe
2884	Ebbgid32.exe
2284	Epfhbign.exe
2284	Epfhbign.exe
2684	Efppoc32.exe
2684	Efppoc32.exe
2692	Enkece32.exe
2692	Enkece32.exe
2696	Eajaoq32.exe
2696	Eajaoq32.exe
2596	Ejbfhfaj.exe
2596	Ejbfhfaj.exe
2440	Ealnephf.exe
2440	Ealnephf.exe
2984	Fjdbnf32.exe
2984	Fjdbnf32.exe
2492	Fejgko32.exe
2492	Fejgko32.exe
2232	Fjgoce32.exe
2232	Fjgoce32.exe
2600	Faagpp32.exe
2600	Faagpp32.exe
2740	Fjilieka.exe
2740	Fjilieka.exe
824	Facdeo32.exe
824	Facdeo32.exe
684	Fdapak32.exe
684	Fdapak32.exe
2304	Flmefm32.exe
2304	Flmefm32.exe
2480	Feeiob32.exe
2480	Feeiob32.exe
996	Fmlapp32.exe
996	Fmlapp32.exe
2212	Gfefiemq.exe
2212	Gfefiemq.exe
692	Gicbeald.exe
692	Gicbeald.exe
1032	Gpmjak32.exe
1032	Gpmjak32.exe
556	Gldkfl32.exe
556	Gldkfl32.exe
2448	Gdopkn32.exe
2448	Gdopkn32.exe
2356	Gkihhhnm.exe
2356	Gkihhhnm.exe
1796	Gdamqndn.exe
1796	Gdamqndn.exe
1696	Gkkemh32.exe
1696	Gkkemh32.exe
3040	Gmjaic32.exe
3040	Gmjaic32.exe
2292	Hgbebiao.exe
2292	Hgbebiao.exe
2720	Hcifgjgc.exe
2720	Hcifgjgc.exe
2736	Hkpnhgge.exe
2736	Hkpnhgge.exe
2536	Hicodd32.exe
2536	Hicodd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Flmefm32.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Jnmgmhmc.dll	Fdapak32.exe
File created	C:\Windows\SysWOW64\Feeiob32.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Hmhfjo32.dll	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Fjdbnf32.exe	Ealnephf.exe
File opened for modification	C:\Windows\SysWOW64\Fjilieka.exe	Faagpp32.exe
File opened for modification	C:\Windows\SysWOW64\Gkihhhnm.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Gcmjhbal.dll	Ejbfhfaj.exe
File created	C:\Windows\SysWOW64\Kcaipkch.dll	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Enkece32.exe	Efppoc32.exe
File created	C:\Windows\SysWOW64\Ealnephf.exe	Ejbfhfaj.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Hgbebiao.exe	Gmjaic32.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Gkihhhnm.exe	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Hgbebiao.exe	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Chcphm32.dll	Ebbgid32.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hicodd32.exe
File created	C:\Windows\SysWOW64\Dchfknpg.dll	Ealnephf.exe
File opened for modification	C:\Windows\SysWOW64\Gldkfl32.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Ahcocb32.dll	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Gmjaic32.exe	Gkkemh32.exe
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Epfhbign.exe	Ebbgid32.exe
File created	C:\Windows\SysWOW64\Fejgko32.exe	Fjdbnf32.exe
File opened for modification	C:\Windows\SysWOW64\Fjgoce32.exe	Fejgko32.exe
File created	C:\Windows\SysWOW64\Jkamkfgh.dll	Fjilieka.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Ebbgid32.exe	Eijcpoac.exe
File opened for modification	C:\Windows\SysWOW64\Gdamqndn.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Jjcpjl32.dll	Gmjaic32.exe
File opened for modification	C:\Windows\SysWOW64\Ealnephf.exe	Ejbfhfaj.exe
File created	C:\Windows\SysWOW64\Jkoginch.dll	Fejgko32.exe
File created	C:\Windows\SysWOW64\Fjilieka.exe	Faagpp32.exe
File created	C:\Windows\SysWOW64\Fmlapp32.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Kleiio32.dll	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Epfhbign.exe	Ebbgid32.exe
File opened for modification	C:\Windows\SysWOW64\Fejgko32.exe	Fjdbnf32.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Eijcpoac.exe	4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Iknnbklc.exe
File opened for modification	C:\Windows\SysWOW64\Eijcpoac.exe	4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Gbolehjh.dll	Epfhbign.exe
File created	C:\Windows\SysWOW64\Lbidmekh.dll	Efppoc32.exe
File opened for modification	C:\Windows\SysWOW64\Flmefm32.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Cgqjffca.dll	4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ejbfhfaj.exe	Eajaoq32.exe
File created	C:\Windows\SysWOW64\Bnkajj32.dll	Faagpp32.exe
File opened for modification	C:\Windows\SysWOW64\Facdeo32.exe	Fjilieka.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hhjhkq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1240	584	WerFault.exe	68

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chcphm32.dll"	Ebbgid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll"	Ealnephf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enkece32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll"	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Faagpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll"	Fjilieka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamfqeie.dll"	Eijcpoac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll"	Facdeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebbgid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjhbal.dll"	Ejbfhfaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbidmekh.dll"	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fejgko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjffca.dll"	4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkajj32.dll"	Faagpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epfhbign.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enkece32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eijcpoac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkkemh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1952	3068	4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe	28
PID 3068 wrote to memory of 1952	3068	4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe	28
PID 3068 wrote to memory of 1952	3068	4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe	28
PID 3068 wrote to memory of 1952	3068	4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe	28
PID 1952 wrote to memory of 2884	1952	Eijcpoac.exe	29
PID 1952 wrote to memory of 2884	1952	Eijcpoac.exe	29
PID 1952 wrote to memory of 2884	1952	Eijcpoac.exe	29
PID 1952 wrote to memory of 2884	1952	Eijcpoac.exe	29
PID 2884 wrote to memory of 2284	2884	Ebbgid32.exe	30
PID 2884 wrote to memory of 2284	2884	Ebbgid32.exe	30
PID 2884 wrote to memory of 2284	2884	Ebbgid32.exe	30
PID 2884 wrote to memory of 2284	2884	Ebbgid32.exe	30
PID 2284 wrote to memory of 2684	2284	Epfhbign.exe	31
PID 2284 wrote to memory of 2684	2284	Epfhbign.exe	31
PID 2284 wrote to memory of 2684	2284	Epfhbign.exe	31
PID 2284 wrote to memory of 2684	2284	Epfhbign.exe	31
PID 2684 wrote to memory of 2692	2684	Efppoc32.exe	32
PID 2684 wrote to memory of 2692	2684	Efppoc32.exe	32
PID 2684 wrote to memory of 2692	2684	Efppoc32.exe	32
PID 2684 wrote to memory of 2692	2684	Efppoc32.exe	32
PID 2692 wrote to memory of 2696	2692	Enkece32.exe	33
PID 2692 wrote to memory of 2696	2692	Enkece32.exe	33
PID 2692 wrote to memory of 2696	2692	Enkece32.exe	33
PID 2692 wrote to memory of 2696	2692	Enkece32.exe	33
PID 2696 wrote to memory of 2596	2696	Eajaoq32.exe	34
PID 2696 wrote to memory of 2596	2696	Eajaoq32.exe	34
PID 2696 wrote to memory of 2596	2696	Eajaoq32.exe	34
PID 2696 wrote to memory of 2596	2696	Eajaoq32.exe	34
PID 2596 wrote to memory of 2440	2596	Ejbfhfaj.exe	35
PID 2596 wrote to memory of 2440	2596	Ejbfhfaj.exe	35
PID 2596 wrote to memory of 2440	2596	Ejbfhfaj.exe	35
PID 2596 wrote to memory of 2440	2596	Ejbfhfaj.exe	35
PID 2440 wrote to memory of 2984	2440	Ealnephf.exe	36
PID 2440 wrote to memory of 2984	2440	Ealnephf.exe	36
PID 2440 wrote to memory of 2984	2440	Ealnephf.exe	36
PID 2440 wrote to memory of 2984	2440	Ealnephf.exe	36
PID 2984 wrote to memory of 2492	2984	Fjdbnf32.exe	37
PID 2984 wrote to memory of 2492	2984	Fjdbnf32.exe	37
PID 2984 wrote to memory of 2492	2984	Fjdbnf32.exe	37
PID 2984 wrote to memory of 2492	2984	Fjdbnf32.exe	37
PID 2492 wrote to memory of 2232	2492	Fejgko32.exe	38
PID 2492 wrote to memory of 2232	2492	Fejgko32.exe	38
PID 2492 wrote to memory of 2232	2492	Fejgko32.exe	38
PID 2492 wrote to memory of 2232	2492	Fejgko32.exe	38
PID 2232 wrote to memory of 2600	2232	Fjgoce32.exe	39
PID 2232 wrote to memory of 2600	2232	Fjgoce32.exe	39
PID 2232 wrote to memory of 2600	2232	Fjgoce32.exe	39
PID 2232 wrote to memory of 2600	2232	Fjgoce32.exe	39
PID 2600 wrote to memory of 2740	2600	Faagpp32.exe	40
PID 2600 wrote to memory of 2740	2600	Faagpp32.exe	40
PID 2600 wrote to memory of 2740	2600	Faagpp32.exe	40
PID 2600 wrote to memory of 2740	2600	Faagpp32.exe	40
PID 2740 wrote to memory of 824	2740	Fjilieka.exe	41
PID 2740 wrote to memory of 824	2740	Fjilieka.exe	41
PID 2740 wrote to memory of 824	2740	Fjilieka.exe	41
PID 2740 wrote to memory of 824	2740	Fjilieka.exe	41
PID 824 wrote to memory of 684	824	Facdeo32.exe	42
PID 824 wrote to memory of 684	824	Facdeo32.exe	42
PID 824 wrote to memory of 684	824	Facdeo32.exe	42
PID 824 wrote to memory of 684	824	Facdeo32.exe	42
PID 684 wrote to memory of 2304	684	Fdapak32.exe	43
PID 684 wrote to memory of 2304	684	Fdapak32.exe	43
PID 684 wrote to memory of 2304	684	Fdapak32.exe	43
PID 684 wrote to memory of 2304	684	Fdapak32.exe	43

C:\Users\Admin\AppData\Local\Temp\4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4d35a51265d76705f12d9bc9e792715b722bacd4bc7723e3b7e540ebb2f7ef14_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\Eijcpoac.exe
  C:\Windows\system32\Eijcpoac.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\Ebbgid32.exe
    C:\Windows\system32\Ebbgid32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\Epfhbign.exe
      C:\Windows\system32\Epfhbign.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\SysWOW64\Efppoc32.exe
        
        C:\Windows\system32\Efppoc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Windows\SysWOW64\Enkece32.exe
        
        C:\Windows\system32\Enkece32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Eajaoq32.exe
        
        C:\Windows\system32\Eajaoq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Ejbfhfaj.exe
        
        C:\Windows\system32\Ejbfhfaj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Ealnephf.exe
        
        C:\Windows\system32\Ealnephf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Fjdbnf32.exe
        
        C:\Windows\system32\Fjdbnf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Fejgko32.exe
        
        C:\Windows\system32\Fejgko32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Fjgoce32.exe
        
        C:\Windows\system32\Fjgoce32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Faagpp32.exe
        
        C:\Windows\system32\Faagpp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Fjilieka.exe
        
        C:\Windows\system32\Fjilieka.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Facdeo32.exe
        
        C:\Windows\system32\Facdeo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Fdapak32.exe
        
        C:\Windows\system32\Fdapak32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Fmlapp32.exe
        
        C:\Windows\system32\Fmlapp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Gldkfl32.exe
        
        C:\Windows\system32\Gldkfl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Gkihhhnm.exe
        
        C:\Windows\system32\Gkihhhnm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Gmjaic32.exe
        
        C:\Windows\system32\Gmjaic32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Hcifgjgc.exe
        
        C:\Windows\system32\Hcifgjgc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        42⤵
        Executes dropped EXE
        
        PID:584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 140
        43⤵
        Program crash
        
        PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Efppoc32.exe

Filesize
148KB

MD5
e22245ce3f0501145fe3f8a6a8497101

SHA1
e210030a06d9c404607af33f9c4763187c88d05c

SHA256
392f919ee687940227e106f52780e2a8bd9523186b281bc31f81b362a43f8fd1

SHA512
c1e1c416aec0146c6372f973e54005646a2be1a8b27c4a5c232fc58b679c42e420df88ed6d0145e7f269a1e027ef2256c4baf37aaaf5395d5922a42b29d84999

Download Submit
C:\Windows\SysWOW64\Feeiob32.exe

Filesize
148KB

MD5
0f5675e03f0e5f56a8b42c3617923988

SHA1
0d574b1f7c8f2016387d714b896f10f0bb595d8f

SHA256
e94a3ebd6eb932229de9e7d2acf8ed4600dff5057c2f3610d6932d11e0252b74

SHA512
c8de20b1335691cdc7418317d2455352805db74447697aeb13d441ab3b720afebb739accf33fce3417820f68ffcf25803e933324dfab6cb4c9983757421171ed

Download Submit
C:\Windows\SysWOW64\Fejgko32.exe

Filesize
148KB

MD5
873c2cf788bb95e4e12cff0c0de0cf2a

SHA1
dacf34c06556a0d47e6e01b100d6c1ea8376044c

SHA256
90bf135d5b9f11219a09b167dd0b7e6da7e9745c557f850f1c771072c8a1931c

SHA512
8a830436c26f537016b3e7e5923a69ae5b1b1663bec014001128bc81ad8a9e76197b75cbf0ae24ab83f4a2ce7f68dd732c167b8a821ee55dff7d1b4f1be9dd56

Download Submit
C:\Windows\SysWOW64\Flmefm32.exe

Filesize
148KB

MD5
6e4ef4bd819b6235420365e67dec05bb

SHA1
9622a2394a0cc6e01c6da1f5ad1d38c7d2aa6224

SHA256
d396e4a36c077d29312f27edf8e1e9b8a28c518596c799e3fece8e631414b92c

SHA512
25e2fbcbb4647ccf72430c7c3e53dbd957bbc57d2f56f9701556b94234344ab23e5690f08da79ccbbebd3bd6bfa09d6a534b8d5a283e623eb8fdefb47796fabf

Download Submit
C:\Windows\SysWOW64\Fmlapp32.exe

Filesize
148KB

MD5
9dbdfcfbe64d315132f2143dfeeac23f

SHA1
aaf37843a0244e03c5dd5f5cd475577e8f42b45b

SHA256
75e691e678beba65fbb567c3d9b3d72f1f0df1db57e16d365dacdb2d7bf8bafc

SHA512
82fbd65dd4440894a1e16413e3ceeb535e4b1d49fb03f49d723d2addb17c79f7793487f585f94d1a5aaaf94c677aa9d96ff54670a15c7eede2b3e9b795820687

Download Submit
C:\Windows\SysWOW64\Gdamqndn.exe

Filesize
148KB

MD5
c3e76a92b731002e6def66f015c69f71

SHA1
f66f00684d50e3785be9f4ab33fa0ace5107389a

SHA256
d154008248951a6d7ac52cc66fce121db550def4b9eff10c32ad4996e70ba4f8

SHA512
6d0ebf33146c34a8c42489efe301ed052713085264ca69065063ee0abf2f941abd11e0b46cc23440d46107591b950d78e7c5f169dff2ea610ba7d40ae28b5731

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe

Filesize
148KB

MD5
91245f1af909a225bb825cfda4b46b58

SHA1
a87f4c4a11f99485b57aebdb3eb2e1d66d22c451

SHA256
a558502cea18237aad13d4070934a54d0ca51161ce5d8cd54d3754f9ef0b2cc5

SHA512
5813e596ce45c28e8eefee600f29c5682494d5cc1c07d553868f28756797839fd36e837c6281a00815d219df3911b4adcea443444b793b18c8615005c221d551

Download Submit
C:\Windows\SysWOW64\Gfefiemq.exe

Filesize
148KB

MD5
672ffe1c7faaf8865514ada3a24cd912

SHA1
d6a9e5b6d01cb3c975547cddf8607ded909e5f34

SHA256
d77d6e747e88e8ae3ad8e02e1ebb45d288251df00f6a57b47840bd902055cbcb

SHA512
a68f83fbd4a2971c59c3b56c0aec88ec4f4413a8cabb4e6fa558ca7408e20d767e6db2c3707fdccdcc5744f9aa352cd2903b983e5642d1f573eea885e4af7dae

Download Submit
C:\Windows\SysWOW64\Gicbeald.exe

Filesize
148KB

MD5
6b8d8b030dc4421b3715099724ae19e8

SHA1
d8e735674fabf8ac266d87f6ac0f54d37e797fc1

SHA256
ba14f4a56dd0d1afab58242e4d524167ecfdeb32fdbde78a44680309328f9265

SHA512
730561d2201ad8103ab03264af0a8fe6ac20485820a1d425cbf1336a172e4bbf83b98603e58367a70dc4fe012fccdbaafbd475df14a34aa7a10194660c6174ef

Download Submit
C:\Windows\SysWOW64\Gkihhhnm.exe

Filesize
148KB

MD5
3f450640b181de7eac68d8ee21d0f840

SHA1
3fbc0ae9d7d4df735c5e364ba9726ca31de70541

SHA256
df8ee2aae6c3363dc69a13c9013a7892872a2e54ac016ac062657135743f188f

SHA512
f2fbb24fd0a5f1ed35adff0b57f5b28bea49aa2f5d18f96e912e9d095a5a63136ce20d951baa44db3ad00652ed7853ddbfd8b3af441360d3ef367bf251dfd07a

Download Submit
C:\Windows\SysWOW64\Gkkemh32.exe

Filesize
148KB

MD5
d3a8c2671203728c1d0ce985fa68c4e3

SHA1
e064bbcd80b20cad6573a403daa05f1319b1a645

SHA256
5cfd06a61bef2c952e4c106e157258ba2a1e46f367d9898c80d6441e2c63a23d

SHA512
ad93c3f6700982196120e9c11547f50b002781eaa340e20c197b213ef0945d4f79dfe0070d6366a51182d6641dbe8e5ebe00f4911f919668c84e61c74de570ec

Download Submit
C:\Windows\SysWOW64\Gldkfl32.exe

Filesize
148KB

MD5
5cfed0e643e291f1671d97f68cea5507

SHA1
b9f3d6e3b66b93e7a9df109150b34fb2e956022f

SHA256
99a484360f88e02617438bb43df9962343fa0f51b5dc1634c3da37e999e69cdd

SHA512
06aa33c7fe9acd0ae93ba601523fce1460764be10a9573bb93ebd79377b0fc6b8477e655c8690196f0687ed0411449cecaa8cdbde1f6f0db594341b9f9ec49d7

Download Submit
C:\Windows\SysWOW64\Gmjaic32.exe

Filesize
148KB

MD5
ec624578ef0b5103084916445488b9f5

SHA1
02ae457b0aab5e964592ecc4c3693757547b3790

SHA256
24c20f081d6739f306b712af5f0cac5d151d4470e863014bb23956d42d080c28

SHA512
8329f62f598f2d53d0654b63f8062c283d88b362c952e25bde3c3831c4375fcab588ad8945eec6af7fd25e1114917c52499605bbcc3f2133b7536cd392a5687b

Download Submit
C:\Windows\SysWOW64\Gpmjak32.exe

Filesize
148KB

MD5
66f8079752ff46b96a75454c93ad431b

SHA1
0a96f05cfe7ff2683287fe9e4f122c35c77fab5c

SHA256
61e56516b752de6b77bb1094bf5d74630582602081bc5f51b696d0e9ce6f7758

SHA512
981513498c485552eb14bfb46c6cae92d7ec9be619eec5241deb386e6693228e7dede3703f5caf439cc28eab374144331bf5455c5b984822ee6346be8ffc560d

Download Submit
C:\Windows\SysWOW64\Hcifgjgc.exe

Filesize
148KB

MD5
c970e6797109ff40fabe3b6b41a3f01e

SHA1
fb364b108e08ec256f373b8277afbaf18a237ae1

SHA256
38150131f4396ec89f029a6c4be75d547e4e7fa3ea39e1bb6e9287f371d9ba78

SHA512
d10ed9d5661899af1cfe70e2e225a4749d6f54a150968432e81abe4ef62a140511511b29edd4b82bda18842e13763b58eb6bc0f37fa53a84268d05e5e41d9a0b

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
148KB

MD5
508f2b2005c9c45ccb9cf63d3ebe4a81

SHA1
4b435cfdf28cbc3fdc4aefffa80a05b1d9179bd5

SHA256
2382ba7d0ffad28d524bbd8b2734ed4289b73fec4feb43ba09b83956bbd3f929

SHA512
617cd6773d005070c6c142b36eb284e26a21f9825360a22812bfb9ca8bb08acb534ca46be7368b066829747d5e2b9dae79d142f2c2820e367f049f5eaf7c604e

Download Submit
C:\Windows\SysWOW64\Hgbebiao.exe

Filesize
148KB

MD5
50b22ba201af2b8161e3b2942bc6f7ba

SHA1
afaf5d038a6b9844f22df606deefd02b592f113c

SHA256
13561f7334d23ea55c14d4f6bfce2607f82b624964db62ee4053941f86ab7cb0

SHA512
629fcc21bcb8e2744338ffec2f3a14bca2d143f10c40f4514456d53de0d4439883ec6c276039aaa6fd3529d1eadc2686084fb6b214d6765f6b785acd7b65e78f

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
148KB

MD5
df96d6d515ca4f9288596fb50468b4f6

SHA1
f0f9c0464b8a8bf12749c453b5c4d67f9190fae9

SHA256
50df25ca4f8d9cc205826008f1461ec082c7bc7447e367bdcfbc0acdc3c2de5c

SHA512
9d27afc1d3ef664b62ca61419776fc39628691ba0eb91d7c03b06d6dd3b7952b01e2e68efaafd5d3cd0d66a2dc2c3827c8d494e679a77847cda2fe684b9d0ba9

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
148KB

MD5
2ab87c45d21d0b362971d700a8d6ce44

SHA1
43bd25eee0ca2979090963ecfa3cd481a2cb7d08

SHA256
4b01ad441040b8170c81b0d3d40e5578170787a59a95ba60fc5980cc29db4d84

SHA512
9df62f468c5189725593d08c52cc6345769201d97607e457a2754b3ac0634430857818e9cc3046f0393f8c9ebb410890a98b0f9b21815f03f375b3001b2eb3c4

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
148KB

MD5
a9b2eb3b648969043ee50f73e75c89a2

SHA1
a00cf0e8854f737ecfb704ed89709096f9c00ee4

SHA256
7dae6b13332a24c787f34e5fcde9f52f3492a86d6b4149ceb6e95b1dafa749ca

SHA512
2c8dc572a99f3f6e8ba24edcad40887f6685ca73addc766e8a2269ed43c8cbce46b5ed307718bef39e8831fa75563a6cfa4da5ec6d7c8cabd3e2027d3e6f5816

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
148KB

MD5
eee12324586a8e1f854e9e16b4204f74

SHA1
34fd64e111013433722774e212689a24b50f1c1c

SHA256
30bc53c4152395aaad23924fb50aacbc42747f70ff57d2a92768f401f6466406

SHA512
f5a6a2ebbf3a7518287078f258fa360a64654ae0841e8fa8ba272f329f6b06ccc0d0f4d3c3015393c545f9b8d13d09ccdea9694df0a15f29e9293286cd114a80

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
148KB

MD5
843ec79a787590f31df48c8de192afd2

SHA1
b20879f3e0379955996ed0725502019f3fd9d199

SHA256
217e2ba43247d98c9e3ac3d967572f808d5b2ba82d0c8bba48e0ff031e87a9cb

SHA512
d986e990e3e6049fd3d9012e85fb35f1774be4b855d713b4800f42ce3c8f84716d4c0d20ed2a08790f9931b8c6521c47eb600093e374386078442ebdb20f0840

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
148KB

MD5
3232cc986fe6179ebf615f862de33520

SHA1
d8bfb0a6efc9f008a69f47a7f94314e0d65582e0

SHA256
92d0a16dbbc76548396c7f7be81bb4a1ac5225e5a9861fa86f787c9338424c91

SHA512
07ad2351938131a50f1fefa11d94f806a6ff20c8ad002f015513a8ceebea69199cfc754cb244a5441565168d4e5454ff969e2adc779bdd0fc436817d546429e1

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
148KB

MD5
05f9ead85a5f202026c368a0550841c8

SHA1
bb180bfa9f3ec50e1c31bdb75bfdc9af78917d41

SHA256
2172a834111924876c41a48c4369833e1f0872d110df9c9e3032b0bbdebb6b69

SHA512
a9620a7156d79305815ef0844b67a9aade2bb8ea91b7d733b96bc4694ba11ce7930ba325ed1db76c0d6c081957fb4df8feac544ebdd51e4602b31e7d6e95e05d

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
148KB

MD5
fa0190949d6fde3a0d97fb80da0c8b59

SHA1
c6409f2dfd926b3bbef618ef70d34ca73107ddea

SHA256
3826fa02d16862f4cc38ad27188cbb36131675089cda5cd1d870c73d1cea4878

SHA512
b709ac5f158515874cf4926d4f952feaeb1bcc5955e9c7c03ac85bb4fdfbcf45cb386e8b221a6419715808fdb3d1847dba309bd93277980643780d17d5fcdce9

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
148KB

MD5
59c41e3c896117e5df940c171cae9e97

SHA1
b01299249db977ae4dd8c6112066564da0c61bad

SHA256
78b8edd95ed3f8cd6fd9b3e1f16b6284bec6f158709f725fb2b468e85ae66bf6

SHA512
e378efc75777f3a233c5466a4f6968f97de2662a6d839422a3e3187592dd40da0d777abd8e534dcf67158d8f8e5f38fd6f45db30cc24692246585269682bd05f

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
148KB

MD5
ffeb6e1e8846aa4bfa144ddd8a2bea2c

SHA1
fe1673e9c47cdf78181ac79ba16fde74202ddf5c

SHA256
958d22647dd9bacef5f774bc3eed6e2d5b8fc82f0e91e74bac5c66bba2ec19d6

SHA512
31962dbd25c4dce1352ade7176fdbc2919f5d14f37077afdede485b7ee543ff6179a4e7e7679453383352a01b22bd4dc31d9bfabe4df41194c315ad070f2674d

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
148KB

MD5
25afa109eb04f65ab539871c4d66af25

SHA1
e5af46b0c1c018bfad20fe329244852a57dc5bf3

SHA256
f31c6558fd055601cb43454311e15e33da8f9e02ee9f8f28a2f727548cb23d35

SHA512
c64bbc054c770d0a003e567f9f5d345b97c1537e958bac7b079b471662cb905c58ba01ec1fce62a93888e009c3c983f1e32a8d991bbddab016ad16ea301a8f89

Download Submit
\Windows\SysWOW64\Eajaoq32.exe

Filesize
148KB

MD5
68e3e9b7807e51d85692942c9b5d65f9

SHA1
8d5ff94815ba058f368df47bdede15a5f4dd4139

SHA256
24b8531a4ca482814a105fad3a90eb556a0052eb3696728fab2f32d18ba66686

SHA512
621b1805b68bd390b5c0bcd3cfa1ff2dda8a3ee92dd717136afd46cdccb3999e90d5d3aed78c732d33d93f1876c090b83c622f455dce5a70cfe11d883989c4e1

Download Submit
\Windows\SysWOW64\Ealnephf.exe

Filesize
148KB

MD5
20018eebea83c0a3a4436e96818de6fb

SHA1
435055b7cb7b065f9c71f631cf425ffe9fa0f3cc

SHA256
b4086335e49102c747da638fa209b0525b762bec19fff5a6a7a5c10cb7ac782f

SHA512
6feecb28cb8975b72a7a88242a75eaa017cebb8c1217a2db53fc03a56fc09c7ac5fcd5fae6e3cf39a3a6cc9eb5fef8dd27068c30224d54cb4956efa6feddc3d2

Download Submit
\Windows\SysWOW64\Ebbgid32.exe

Filesize
148KB

MD5
020853e531abee9247b97040e17fcb06

SHA1
eb1ea613f7de9f73d31e62213fadd61e2e862447

SHA256
e8f20ddd7ecb690ff9237338afa824fe58c2790654c8204d19cfd5058873584d

SHA512
095523dfe5a6ed329ed705511960f6c231492e499dcbf73d56ac6abce5566fc426a92371e98578d4e245a15a7aea68aed85ee68e39e40e2527a6f1c4c7e8d20e

Download Submit
\Windows\SysWOW64\Eijcpoac.exe

Filesize
148KB

MD5
2529c6eead7317277675289468f30b1f

SHA1
22f04c3d8224f045dfe59e57d7d2d96838cedff6

SHA256
2e74befa60c720002a68e7e0ab3f9fe6ec0f9b61605a85235b7cdeb445427444

SHA512
068c34cab54b39d9dba5be31ceafcabeb19399dd19de9889e238b2ed02576242002c1c8313ebb0abfbe029fbe80cef68dfa81bfe9fb49522b96258e4f5401f19

Download Submit
\Windows\SysWOW64\Ejbfhfaj.exe

Filesize
148KB

MD5
348ecd766d700a8cb87c7781ce9a3d87

SHA1
88a993dd43ab9e26b70d6e8ab81a81026683d912

SHA256
e9ead1f779861ca666a8140a1a3c198ab892804a9dc3c401856921ee90539eb3

SHA512
d0602fe3e961f0425e4623ad135d25537c5c62108be3c8add6c76492d8314bbec44eeb77e9d12811f1d6d14ee834b740f1ff6ff2e57fcb831d314bf0cd5f011a

Download Submit
\Windows\SysWOW64\Enkece32.exe

Filesize
148KB

MD5
b08a47ae1ad86fcac0b2f84fa33a107b

SHA1
e3408541ae709c9adfabab0c20e9b7f54c0eab0d

SHA256
496f6a54192f6ed5509bee37bf10a9d86d369210d5cc74af1aa5cc8f2f4dc901

SHA512
cf73cbfd97ed97637b9d47f8e5cdc8770c995116d827aede64f526800156e2c400a02a8da667697578b31e947100b1d52eefd50138306a6268ae89b158eb188b

Download Submit
\Windows\SysWOW64\Epfhbign.exe

Filesize
148KB

MD5
ecb586c5f26f1f4b2273e16c7f9f13ad

SHA1
b0ea3c513cdb4580850dd00a6c3a75d31ea68c51

SHA256
d49e6d06fa524b7a4c61232613a55184a8b3c927ddfb9451f08f8bec012f766a

SHA512
5bb58cd9b1689e443360c14f4742f6b2cbee1ebba018be99c80795f390b07a74085ac6c8855b96044751ff6b9b18e60af86ef79eeff92be2dce0f478646ea642

Download Submit
\Windows\SysWOW64\Faagpp32.exe

Filesize
148KB

MD5
571b942641ee3a7f107a87d882892c58

SHA1
80ab1f4743a0f7594d6349930a1d8d95ccb0d24b

SHA256
954223634cb22a2f0bc2b1e7da1845cf2d4d3a5eb3f5628a070eb7faaf65e2e0

SHA512
3ccfb6ff218b30ecbad6a27c4b36664610cf7f899b1b742dbd40abae435ffe0f6aca5b4d3302c5608fb560731f6d693eaa73cd1cdbc5dbfe67049a82ea342bec

Download Submit
\Windows\SysWOW64\Facdeo32.exe

Filesize
148KB

MD5
c892a83df773390d4e8979afacfdfea1

SHA1
d5977f3d76dc1570114fed1e9cfe9802a78c2ab5

SHA256
82b6a8541b9a6dcd135bb141b29e5e912a6ab450512ef47a1d6c386a98fcf007

SHA512
d36ea98e20318dd6369a055489fd89a2e77dcd1752e333f2af267efd6973d85d9a52608fc75724b265d580a20184069b21ccf81cde074c3152ff098e78b71336

Download Submit
\Windows\SysWOW64\Fdapak32.exe

Filesize
148KB

MD5
43cfd74cfb87565f5546824d5b5f7f5e

SHA1
79cb54cdfde202e9a75ee2871747142175175de8

SHA256
d30b27f67b5a163a3cfd9e8070b136717bf80836e55c415fe221880d920dd563

SHA512
64b1fc4d60836bb980579b6459d895cc473e4fefdb4a330b9497b6fe9dde40db7c03495799fe38cae0eb1bbc17cf91a56b123bfdfee4ccac96ad841d8f90bc31

Download Submit
\Windows\SysWOW64\Fjdbnf32.exe

Filesize
148KB

MD5
8f39c86f9f3a0b6cb829ef36e6fa82f8

SHA1
4a185bcbcb2bfd13b13a9e51dd7a2747d219861b

SHA256
c051d57f40919e8b0af3c8e3fb51e221c5bd15dd736011d064c3cb8101c9e3ba

SHA512
3a9d6c5ffa0532bec28df177319ccabcbf8905e4e70054acfec97bf3311f305b86c15dcd8709da3682e643c56ce5da73c9566315f99780ab03dfcea1fe63c77d

Download Submit
\Windows\SysWOW64\Fjgoce32.exe

Filesize
148KB

MD5
9ffe87ea6178c172ee9ed996d0b74502

SHA1
8d68f95cbf8cca613085d78987550032c2000266

SHA256
e2ccd0a2f45485e531600330e079e2a470e92140a1e8c6268d19ba904df20c87

SHA512
3b88aae086a9856e0a4fdd37dd2a3c7e0d623cb75b46f562fcfa8eb89804592fa1225cdd64cf85c815ef474e0d17ac9a49e7b5875f62869a63acca596e8c0f1e

Download Submit
\Windows\SysWOW64\Fjilieka.exe

Filesize
148KB

MD5
896b7ecf27c6ffb9346c55f5830192f1

SHA1
bd77e67551c7b9bd40784d453710d2994af93d8a

SHA256
013b196ac561bdf41540e6803785e29ccb1c9c1fc285e74b9bb47a32117e95f7

SHA512
60a9ad54702e0e2efaaf9254bbdb1bc103652af658bdac0c00f865f7f515f2d547b14f1b016c3068d7000ae70117404765338d735db30270272396fb833db3ca

Download Submit
memory/556-278-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/556-288-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/556-287-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/584-482-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/684-209-0x0000000000300000-0x0000000000350000-memory.dmp

Filesize
320KB

Download
memory/684-196-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/684-208-0x0000000000300000-0x0000000000350000-memory.dmp

Filesize
320KB

Download
memory/692-256-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/692-266-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/692-265-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/824-184-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/996-234-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/996-240-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/996-252-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/1032-277-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/1032-267-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1032-276-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/1696-331-0x0000000000450000-0x00000000004A0000-memory.dmp

Filesize
320KB

Download
memory/1696-322-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1696-332-0x0000000000450000-0x00000000004A0000-memory.dmp

Filesize
320KB

Download
memory/1736-443-0x0000000000270000-0x00000000002C0000-memory.dmp

Filesize
320KB

Download
memory/1736-447-0x0000000000270000-0x00000000002C0000-memory.dmp

Filesize
320KB

Download
memory/1736-442-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1796-311-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1796-320-0x00000000002E0000-0x0000000000330000-memory.dmp

Filesize
320KB

Download
memory/1796-321-0x00000000002E0000-0x0000000000330000-memory.dmp

Filesize
320KB

Download
memory/1952-550-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1952-13-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1952-21-0x0000000000260000-0x00000000002B0000-memory.dmp

Filesize
320KB

Download
memory/2164-458-0x0000000000450000-0x00000000004A0000-memory.dmp

Filesize
320KB

Download
memory/2164-448-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2164-457-0x0000000000450000-0x00000000004A0000-memory.dmp

Filesize
320KB

Download
memory/2212-255-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/2212-254-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/2212-253-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2232-154-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/2232-151-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2284-43-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2284-571-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2292-358-0x00000000003B0000-0x0000000000400000-memory.dmp

Filesize
320KB

Download
memory/2292-353-0x00000000003B0000-0x0000000000400000-memory.dmp

Filesize
320KB

Download
memory/2292-344-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2304-223-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/2304-221-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/2304-211-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2340-407-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2340-424-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/2356-300-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2356-306-0x00000000002F0000-0x0000000000340000-memory.dmp

Filesize
320KB

Download
memory/2356-310-0x00000000002F0000-0x0000000000340000-memory.dmp

Filesize
320KB

Download
memory/2440-105-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2440-113-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/2448-299-0x0000000000270000-0x00000000002C0000-memory.dmp

Filesize
320KB

Download
memory/2448-298-0x0000000000270000-0x00000000002C0000-memory.dmp

Filesize
320KB

Download
memory/2448-289-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2480-233-0x0000000000300000-0x0000000000350000-memory.dmp

Filesize
320KB

Download
memory/2480-229-0x0000000000300000-0x0000000000350000-memory.dmp

Filesize
320KB

Download
memory/2480-222-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2492-131-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2536-385-0x0000000000450000-0x00000000004A0000-memory.dmp

Filesize
320KB

Download
memory/2536-381-0x0000000000450000-0x00000000004A0000-memory.dmp

Filesize
320KB

Download
memory/2596-92-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2684-575-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2684-53-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2692-66-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2696-79-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2720-360-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2720-364-0x0000000000300000-0x0000000000350000-memory.dmp

Filesize
320KB

Download
memory/2736-374-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/2736-369-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2736-375-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/2740-170-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2756-479-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/2756-480-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/2756-474-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2760-459-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2760-469-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/2760-473-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/2868-395-0x00000000005E0000-0x0000000000630000-memory.dmp

Filesize
320KB

Download
memory/2868-396-0x00000000005E0000-0x0000000000630000-memory.dmp

Filesize
320KB

Download
memory/2868-386-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2872-425-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/2884-565-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-27-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2988-439-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/2988-435-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/2988-426-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3000-406-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/3000-397-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3040-343-0x0000000000450000-0x00000000004A0000-memory.dmp

Filesize
320KB

Download
memory/3040-342-0x0000000000450000-0x00000000004A0000-memory.dmp

Filesize
320KB

Download
memory/3040-333-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3068-6-0x0000000000350000-0x00000000003A0000-memory.dmp

Filesize
320KB

Download
memory/3068-548-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3068-481-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3068-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads